fd057301b2388827ff6eff4f05505a8e244d965ef8f1a0fab7283cc859f43e6a

General

Target

5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe
Size

1.7MB
MD5

5d2085c7b9c4e0c2613b884e1cbe8c70
SHA1

f35ea620135f662ff7eb13898c6fa901d2924140
SHA256

fd057301b2388827ff6eff4f05505a8e244d965ef8f1a0fab7283cc859f43e6a
SHA512

1ebcd5638bc5b4f9d7ee5c7da00cc6b756dc2c98cfbe59338d8b56f51f00981b0c970958ceb85b828ee3903b74c853ec34bbecdd75b7b9af8c3ea8ab48767d0a
SSDEEP

12288:Zv1nWdQP1EDhZPx1yayPBqIMUAaBGfFa136YIz21eRj5E/Z0itmz+mzP2:Z9ndEVfepqSAasdW3Yzgv/Oitmz+ma

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2852	Isass.exe
2628	LU_5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe

Loads dropped DLL 3 IoCs

pid	Process
1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe
1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe
1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe
2852	Isass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2852	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 2852	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 2852	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 2852	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 2628	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	29
PID 1700 wrote to memory of 2628	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	29
PID 1700 wrote to memory of 2628	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	29
PID 1700 wrote to memory of 2628	1700	5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\LU_5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\LU_5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
03b5f15a8e58334984073a9448abad7a

SHA1
9b1065d339f0aee3ab80d8ec29738b99d6cd3974

SHA256
738cc42fa63b6bcdf9985cff625eea967051ac8528520928e1e6f0de8a9ba2fb

SHA512
7b8201cebeeca6cc779efb2adbbbee09bcd4810adc375a10f372ef77dc600da719c9a5fdc35fd500d34f78370f83e34322ef8f05fb30f504fd1a9e62f5dcfe7d

Download Submit
\Users\Admin\AppData\Local\Temp\LU_5d2085c7b9c4e0c2613b884e1cbe8c70_NeikiAnalytics.exe

Filesize
1.4MB

MD5
cf1a1b2a6f227d5b06ab0b3c8b88618b

SHA1
d307e14b74c0f583291b44823c37d7787e562cec

SHA256
1fd250a499b2912b1acec31a03caa32f1b328f2861e1383e94f23386f724fb36

SHA512
bbfa835dbf598fb31ee0ee19bf0d3164794a9accccd79854487611341783e366b69322e3e533824076380dd6dc72e4cc5d69455fe49305da6fb4fcff79fa469c

Download Submit
memory/1700-10-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/1700-11-0x0000000004430000-0x00000000056D7000-memory.dmp

Filesize
18.7MB

Download
memory/1700-12-0x0000000004430000-0x00000000056D7000-memory.dmp

Filesize
18.7MB

Download
memory/1700-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1700-22-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-26-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-32-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-23-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-24-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-25-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2852-27-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-28-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-31-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-13-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-36-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-39-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-40-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-41-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-42-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-43-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2852-44-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads