25bed3b6351935dd7cfa00de150c9cc2654af49cdc95f56b8c581c89a35619db

General

Target

cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
Size

684KB
MD5

cb3fab55dfa399a3b2b714a31c40f280
SHA1

6dada6bd4cc2e6ff6407650ce5e021d2464858ff
SHA256

25bed3b6351935dd7cfa00de150c9cc2654af49cdc95f56b8c581c89a35619db
SHA512

9f737506d95a79fd99b28c89e34ce6ba03e1dac95774e9fec1e6184995814da555912f44064ebcc7644e1112895a93ac1958d6915fdfcc8b124ed2aca7322a1f
SSDEEP

12288:9n8yN0Mr8Ij63hgD1ZiCslOGxBxrU9wizkLF0bSFjRx:FPu263isl/xBZU9jzIFOslx

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe

Executes dropped EXE 5 IoCs

pid	Process
540	Isass.exe
1840	Isass.exe
2724	Isass.exe
1644	Isass.exe
3864	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
540	Isass.exe
540	Isass.exe
1840	Isass.exe
1840	Isass.exe
1840	Isass.exe
1840	Isass.exe
1840	Isass.exe
1840	Isass.exe
4840	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
4840	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
2724	Isass.exe
2724	Isass.exe
2724	Isass.exe
2724	Isass.exe
2724	Isass.exe
2724	Isass.exe
4868	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
4868	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
1644	Isass.exe
1644	Isass.exe
1644	Isass.exe
1644	Isass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3864	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
3864	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
3864	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 540	4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	80
PID 4412 wrote to memory of 540	4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	80
PID 4412 wrote to memory of 540	4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	80
PID 4412 wrote to memory of 1840	4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	81
PID 4412 wrote to memory of 1840	4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	81
PID 4412 wrote to memory of 1840	4412	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	81
PID 1840 wrote to memory of 4840	1840	Isass.exe	82
PID 1840 wrote to memory of 4840	1840	Isass.exe	82
PID 1840 wrote to memory of 4840	1840	Isass.exe	82
PID 4840 wrote to memory of 2724	4840	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	83
PID 4840 wrote to memory of 2724	4840	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	83
PID 4840 wrote to memory of 2724	4840	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	83
PID 2724 wrote to memory of 4868	2724	Isass.exe	84
PID 2724 wrote to memory of 4868	2724	Isass.exe	84
PID 2724 wrote to memory of 4868	2724	Isass.exe	84
PID 4868 wrote to memory of 1644	4868	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	85
PID 4868 wrote to memory of 1644	4868	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	85
PID 4868 wrote to memory of 1644	4868	cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe	85
PID 1644 wrote to memory of 3864	1644	Isass.exe	86
PID 1644 wrote to memory of 3864	1644	Isass.exe	86
PID 1644 wrote to memory of 3864	1644	Isass.exe	86

C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
691KB

MD5
16b16b174f6b71497b06eade65ee433b

SHA1
3a61e8fc099dc0ce7e050d73d97ba4665d3b225c

SHA256
11e206283fb3177f490cce90c1ed18555045cc9e1493b8681763ce107ee7d6b2

SHA512
d49ee5ac31c810d41c1e5fc0546e661e1468259ff6e2cfb3450d8fb1f9230cb05f695f1958720d404abe4c002e8efc08185c2ab4a2353e0c503b9126f6a66b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb3fab55dfa399a3b2b714a31c40f280_NeikiAnalytics.exe

Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
8d76f5161841eaf414292e2a141ef8f7

SHA1
74dabb8ee038b94074ffffbaa37225dcc329dbd3

SHA256
42faf3b180149c5baedffa95fb9d339bc95a83bbbfff2d76c02025887f3fe1eb

SHA512
5df02332be2c0e3d7eade379e3aecb10f44ac19fe5a370a29240fb34860be7b0ae9b688f983fe53e8248095ce6cdca724c71381e00f1bdba1f5edfab4d9735c9

Download Submit
memory/540-50-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-41-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-77-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-69-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-68-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-57-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-56-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-40-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-46-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-81-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-6-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/540-5-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-31-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-34-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-35-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-36-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/540-90-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1644-30-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1840-11-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1840-10-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2724-17-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2724-15-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4412-8-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4412-9-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4412-4-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4840-14-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4840-12-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4868-19-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads