e76b11ccaf546f2c7ac99afa909bf8231530587804762bc1aabc2d2893f84941

Analysis

max time kernel
132s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
Size

713KB
MD5

8052cedd205a553f3a02bd6a36a85d00
SHA1

ada283686217c783f0b6d388396cad26fb8b87e3
SHA256

e76b11ccaf546f2c7ac99afa909bf8231530587804762bc1aabc2d2893f84941
SHA512

363f593160c1a25a9250507542babadda77ef5d39e00abffba17ce5055ac9fff0019d3698748221f3fb471208e462c60cd39c4ef3eeda661527eb7a1ced3c91b
SSDEEP

12288:9n8yN0Mr8MP41v6ro4nBzr0p5PUGd2r/QnF7d87n:FPuMcCro4Bzr0p5PUGd2jBT

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2504	Isass.exe
2628	Isass.exe
3064	Isass.exe
2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
2412	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe

Loads dropped DLL 11 IoCs

pid	Process
3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
2544	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
2544	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
3064	Isass.exe
2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
2412	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
2504	Isass.exe
2504	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
2504	Isass.exe
2628	Isass.exe
2628	Isass.exe
2628	Isass.exe
2544	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
3064	Isass.exe
3064	Isass.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2504	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	28
PID 3036 wrote to memory of 2504	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	28
PID 3036 wrote to memory of 2504	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	28
PID 3036 wrote to memory of 2504	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	28
PID 3036 wrote to memory of 2628	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	29
PID 3036 wrote to memory of 2628	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	29
PID 3036 wrote to memory of 2628	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	29
PID 3036 wrote to memory of 2628	3036	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	29
PID 2628 wrote to memory of 2544	2628	Isass.exe	30
PID 2628 wrote to memory of 2544	2628	Isass.exe	30
PID 2628 wrote to memory of 2544	2628	Isass.exe	30
PID 2628 wrote to memory of 2544	2628	Isass.exe	30
PID 2544 wrote to memory of 3064	2544	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	31
PID 2544 wrote to memory of 3064	2544	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	31
PID 2544 wrote to memory of 3064	2544	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	31
PID 2544 wrote to memory of 3064	2544	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	31
PID 3064 wrote to memory of 2868	3064	Isass.exe	32
PID 3064 wrote to memory of 2868	3064	Isass.exe	32
PID 3064 wrote to memory of 2868	3064	Isass.exe	32
PID 3064 wrote to memory of 2868	3064	Isass.exe	32
PID 3064 wrote to memory of 2868	3064	Isass.exe	32
PID 3064 wrote to memory of 2868	3064	Isass.exe	32
PID 3064 wrote to memory of 2868	3064	Isass.exe	32
PID 2868 wrote to memory of 2412	2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2412	2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2412	2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2412	2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2412	2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2412	2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2412	2868	8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe	33

C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe" -burn.unelevated BurnPipe.{02547CF3-F95F-4328-B8D6-A00E7A140580} {311C6823-8793-4871-9EF3-3F22FD20E7DD} 2868
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Users\Admin\AppData\Local\Temp\8052cedd205a553f3a02bd6a36a85d00_NeikiAnalytics.exe

Filesize
455KB

MD5
3284088a2d414d65e865004fdb641936

SHA1
7f3e9180d9025fc14c8a7868b763b0c3e7a900b4

SHA256
102f69b5a98352a6a1a6b26bc2c86ee7611c1f45f5a9ca04f5a8841961f191c6

SHA512
6786fb431addf05df256d0e1383501f96356aa78f66482db9772c58334aead59838abb7db0ea793d4a17627a357598266681c28328485489a21bc2985e751b62

Download Submit
\Users\Admin\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\wixstdba.dll

Filesize
117KB

MD5
a52e5220efb60813b31a82d101a97dcb

SHA1
56e16e4df0944cb07e73a01301886644f062d79b

SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Download Submit
\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
d9e6a255071908d5fca6eced94d5e7c7

SHA1
6507c3fcb45949bdbcd396e4032d42766bb23ab2

SHA256
ff6b2923c9af7222dedbbed783aa3ed3f357048d6c4885838ec26050948fd86d

SHA512
8c924426bf2a515ec3bcfef734826500c387c5cf784d8cd34b8f62fc4bea03358b73813341f6438ce4f8f1a68deb5741f450febba7f4e198276996529617f948

Download Submit
memory/2504-66-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-56-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-19-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2504-103-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-102-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-90-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-89-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-16-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-81-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-80-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-74-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-52-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-53-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-65-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-57-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2504-64-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2544-23-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/2628-20-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3036-17-0x0000000004890000-0x0000000005B38000-memory.dmp

Filesize
18.7MB

Download
memory/3036-0-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3036-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3036-5-0x0000000004290000-0x0000000005538000-memory.dmp

Filesize
18.7MB

Download
memory/3036-14-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3036-18-0x0000000004290000-0x0000000005538000-memory.dmp

Filesize
18.7MB

Download
memory/3064-31-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download