2110545aa0f71406e9be010c186cbe4291f3949559b3c661f016ed8b3c03547d

General

Target

b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
Size

478KB
MD5

b0e886584af2af25d240e3684f740140
SHA1

7d11d6f17f787a5b5f9434b697c739b69e7192de
SHA256

2110545aa0f71406e9be010c186cbe4291f3949559b3c661f016ed8b3c03547d
SHA512

242f374375c5b2a70453c2b3b6c95c570e685ab784aef92ab4a444311950a5fcd779aac227d0a161e214e077eeeef692cd5932a3b355c1dd5fdf37a353944633
SSDEEP

12288:VYWHNXcQtpFcZuMrmq5k45Esco+zzSXmvUBAmaJ8II:rtXJtgnrmq5k45Es+saJrI

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
3036	SearchHelper.exe
2592	com3.exe
2972	com3.exe
2240	SearchHelper.exe

Loads dropped DLL 7 IoCs

pid	Process
2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1508	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
3036	SearchHelper.exe
2592	com3.exe
3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
2972	com3.exe
2240	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	SearchHelper.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3036	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 3036	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 3036	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 3036	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	28
PID 2396 wrote to memory of 2592	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	29
PID 2396 wrote to memory of 2592	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	29
PID 2396 wrote to memory of 2592	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	29
PID 2396 wrote to memory of 2592	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	29
PID 2396 wrote to memory of 3000	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	30
PID 2396 wrote to memory of 3000	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	30
PID 2396 wrote to memory of 3000	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	30
PID 2396 wrote to memory of 3000	2396	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	30
PID 3000 wrote to memory of 2240	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2240	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2240	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2240	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2972	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	32
PID 3000 wrote to memory of 2972	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	32
PID 3000 wrote to memory of 2972	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	32
PID 3000 wrote to memory of 2972	3000	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	32
PID 2592 wrote to memory of 1508	2592	com3.exe	35
PID 2592 wrote to memory of 1508	2592	com3.exe	35
PID 2592 wrote to memory of 1508	2592	com3.exe	35
PID 2592 wrote to memory of 1508	2592	com3.exe	35

C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1508
- C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe" silent pause
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
ee9c1f2f1a31baed2167c98ab0fc813a

SHA1
ef270d94af6e4e468989077c441bb7643b4e6c83

SHA256
53efc98beb04a5b1926481b65e94af0a684954e36cc8204e70589a59a45c51c1

SHA512
b639d699f7b0c9ea83596e59111cc3656631dedbfe9c9aff141215cb106b08f8ac9500a729cc4fd21e9fd0caec311f588deddcb1efac4d9dbab0284292c87db4

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
480KB

MD5
e80d5df11474755cb47f476ec77ac1f5

SHA1
3703230cc60e12134cfe741d4c3b5a5f38b3d5a1

SHA256
520141dd6ec8dc93b65181bb1362fb809d1fba0cfc2893b8bbe143582d0abf28

SHA512
859bb7925cc65fa72c6e3b7fa4482745fd241473dcd50cb5cdac3e3cfbfbf22e7ece47c048215d47c82c94fb4fb01d7709f4641fc8c90ac70bbe31763d925aaa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
480KB

MD5
be94e918ec19a7b6c4e3979327000043

SHA1
1c9711a5ef7e9f12399af7c3ecd24f2602a3dbe8

SHA256
8fa9560afbd132404c3cf38cc7685667b37787f4c0784e89e367b0df34648b7a

SHA512
43b620979e52887bc69066f2770e5040ce43d975873e08970527842191c7b29f68d00200d67fdbdf6263255b1d8d97795602858804f5d7642d9efee5a3ac92e6

Download Submit
memory/2240-89-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2396-0-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/2396-52-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2396-51-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/2972-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads