5973e2c4faffe76fb7cf6757830ebec306f6618e2ce4e2b290e3b7fd9b1ebc3d

General

Target

1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
Size

589KB
MD5

1514d99372affec1d10133a45b786ba0
SHA1

ab7b6c66b534a9c8100a8c03667ddf9822dd68df
SHA256

5973e2c4faffe76fb7cf6757830ebec306f6618e2ce4e2b290e3b7fd9b1ebc3d
SHA512

731baa92a33790212a7f1ce78da7594fdaf2f73dee6efae977c7b84de3bb120df34125d91a7cb9ca2fed9b48254b4b30d4e97526a4179b9aa5030dc6426b993b
SSDEEP

6144:/rTfUHeeSKOS9ccFKk3Y9t9YZjuiYz1MpA5n1oz3pRv2Hs+gkbJZT+c:/n8yN0Mr8ZjtI1z5n1GZlAs+pJv

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 3 IoCs

pid	Process
1340	Isass.exe
4844	Isass.exe
3460	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
1340	Isass.exe
1340	Isass.exe
4844	Isass.exe
4844	Isass.exe
4844	Isass.exe
4844	Isass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1340	2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe	81
PID 2692 wrote to memory of 1340	2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe	81
PID 2692 wrote to memory of 1340	2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe	81
PID 2692 wrote to memory of 4844	2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe	82
PID 2692 wrote to memory of 4844	2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe	82
PID 2692 wrote to memory of 4844	2692	1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe	82
PID 4844 wrote to memory of 3460	4844	Isass.exe	83
PID 4844 wrote to memory of 3460	4844	Isass.exe	83

C:\Users\Admin\AppData\Local\Temp\1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
866KB

MD5
f5349a683547c6ef7667f97e67a7237b

SHA1
67302aebdbe657f2381148d3362c969e04b4ab20

SHA256
b429725a6a2942ae77895d408daec490ebe1ba17aa47d6676d92b37986df937e

SHA512
b1c592c11c65f0c6eb98afc62cf0a53078be1b15421cbf58677301c54597a0ab8ab27966ecea9a59c1a7eaf8369b0f3fd1c1737d69064cfbaeb8efb1455b8d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\1514d99372affec1d10133a45b786ba0_NeikiAnalytics.exe

Filesize
143KB

MD5
b27ea830fb39bc056e65f9a2260ae216

SHA1
b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

SHA256
fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

SHA512
22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
384KB

MD5
d76870bf746f9495d670d26150685632

SHA1
2fc2949c003fbe486348cde522b47f3aa3ca1122

SHA256
91efd425350c3de1997a632bbbd3a401569885f6d15d5c2ff226796679c4bfe8

SHA512
f5d7f25cb18be15408ccc81caf4ef7a64cc057457ab8f7a956f1f9b4cdd4ffaaf5e4527aa890cb642043d4dda1f8c9b7b814dfd4d72ae4cc60ff4ef53543bfe8

Download Submit
memory/1340-50-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-51-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-83-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-74-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-73-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-62-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-58-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-26-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-29-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-30-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-5-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-34-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-35-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-43-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-44-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/1340-8-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/2692-4-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2692-9-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/2692-7-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3460-24-0x0000000000010000-0x0000000000038000-memory.dmp

Filesize
160KB

Download
memory/4844-22-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4844-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads