2110545aa0f71406e9be010c186cbe4291f3949559b3c661f016ed8b3c03547d

General

Target

b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
Size

478KB
MD5

b0e886584af2af25d240e3684f740140
SHA1

7d11d6f17f787a5b5f9434b697c739b69e7192de
SHA256

2110545aa0f71406e9be010c186cbe4291f3949559b3c661f016ed8b3c03547d
SHA512

242f374375c5b2a70453c2b3b6c95c570e685ab784aef92ab4a444311950a5fcd779aac227d0a161e214e077eeeef692cd5932a3b355c1dd5fdf37a353944633
SSDEEP

12288:VYWHNXcQtpFcZuMrmq5k45Esco+zzSXmvUBAmaJ8II:rtXJtgnrmq5k45Es+saJrI

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	com3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
3288	SearchHelper.exe
1532	com3.exe
2988	SearchHelper.exe
4300	com3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4084	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
3288	SearchHelper.exe
3288	SearchHelper.exe
1532	com3.exe
1532	com3.exe
4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
4300	com3.exe
4300	com3.exe
2988	SearchHelper.exe
2988	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3288	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3288	SearchHelper.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 3288	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	90
PID 3224 wrote to memory of 3288	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	90
PID 3224 wrote to memory of 3288	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	90
PID 3224 wrote to memory of 1532	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	95
PID 3224 wrote to memory of 1532	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	95
PID 3224 wrote to memory of 1532	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	95
PID 3224 wrote to memory of 4052	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	96
PID 3224 wrote to memory of 4052	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	96
PID 3224 wrote to memory of 4052	3224	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	96
PID 4052 wrote to memory of 2988	4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	100
PID 4052 wrote to memory of 2988	4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	100
PID 4052 wrote to memory of 2988	4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	100
PID 4052 wrote to memory of 4300	4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	101
PID 4052 wrote to memory of 4300	4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	101
PID 4052 wrote to memory of 4300	4052	b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe	101
PID 1532 wrote to memory of 4084	1532	com3.exe	111
PID 1532 wrote to memory of 4084	1532	com3.exe	111
PID 1532 wrote to memory of 4084	1532	com3.exe	111

C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3288
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4084
- C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\b0e886584af2af25d240e3684f740140_NeikiAnalytics.exe" silent pause
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
480KB

MD5
ab4dac36234e9cc82c81fc92d4486a3a

SHA1
0df46a599ab7d4829cbaab3789aac70c4602f8fc

SHA256
6e3792ec4964be97c68f63608fc5eddb93ae3a48b267a61c3bb6dc9c7058dfa1

SHA512
94efd2f95c3c7ebeaba66299586730430c6e12a9133fa6990ccf250ad38fb172577a1eb1ef54cd9d0159a268985bece625b3faa7d27de0e932e6268460016993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
480KB

MD5
ba6fcd0129639aa87fc9892af69910d6

SHA1
efe23fc79bb197773d5752ad9bf1f7baac2cf427

SHA256
24bef6f34bd5cd466ef01dd481c8e5525dde232cc8082079a80a66c876fb4898

SHA512
e1c4b521151ee99d68a9031ed3da62c00b7fe2e788179f72fee323621360d7150503cf97e59f44d6df54ec1afe7f59f1ab62d4e2626428bd6cfca68f11c7b128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
badd8d5502547b48de2a7cfa300c7615

SHA1
3463ae73b6784ab83aecb04bccb65e58b50ea83e

SHA256
c4689063c8711ea02d58524705ccf1da20525c32a466a43014bc67e9e6d916d8

SHA512
1184e31b4ce1cc1c9ea757ba5da5979f8b618ef0266155311f944ba653764cd35f992f5f7d88dc412fd67e2d723a6ac12b8fcf26a36c2f0c2241af5f53942403

Download Submit
memory/1532-32-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/2988-76-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3224-1-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3224-43-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3288-16-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3288-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4052-44-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4300-56-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4300-77-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads