65d7ba9309250bb9afc0708123a57ff483749e4599d30b5e3456cfae37628e46

General

Target

9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
Size

400KB
MD5

9012a5b6cfafc1989a62b3828b02fcc0
SHA1

45e1abb59ee705b3a4813218920614f042804e0b
SHA256

65d7ba9309250bb9afc0708123a57ff483749e4599d30b5e3456cfae37628e46
SHA512

9558869b4de636057b63b7ce0643ba5e37b80734c84b2ff47844f9de7b2e0ba7161fb9f5644bd0ccc7de5eccb5fd150c4217a8dc591ad975307da6b4e8590372
SSDEEP

6144:9rTfUHeeSKOS9ccFKk3Y9t9YOACaA8COmjFp9nO:9n8yN0Mr8OAZA8COm/o

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 5 IoCs

pid	Process
5028	Isass.exe
4724	Isass.exe
1368	Isass.exe
1456	Isass.exe
4772	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
5028	Isass.exe
5028	Isass.exe
4724	Isass.exe
4724	Isass.exe
4724	Isass.exe
4724	Isass.exe
4724	Isass.exe
4724	Isass.exe
3056	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
3056	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
1368	Isass.exe
1368	Isass.exe
1368	Isass.exe
1368	Isass.exe
1368	Isass.exe
1368	Isass.exe
5080	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
5080	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
1456	Isass.exe
1456	Isass.exe
1456	Isass.exe
1456	Isass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 5028	3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	81
PID 3504 wrote to memory of 5028	3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	81
PID 3504 wrote to memory of 5028	3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	81
PID 3504 wrote to memory of 4724	3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	82
PID 3504 wrote to memory of 4724	3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	82
PID 3504 wrote to memory of 4724	3504	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	82
PID 4724 wrote to memory of 3056	4724	Isass.exe	83
PID 4724 wrote to memory of 3056	4724	Isass.exe	83
PID 4724 wrote to memory of 3056	4724	Isass.exe	83
PID 3056 wrote to memory of 1368	3056	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	84
PID 3056 wrote to memory of 1368	3056	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	84
PID 3056 wrote to memory of 1368	3056	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	84
PID 1368 wrote to memory of 5080	1368	Isass.exe	85
PID 1368 wrote to memory of 5080	1368	Isass.exe	85
PID 1368 wrote to memory of 5080	1368	Isass.exe	85
PID 5080 wrote to memory of 1456	5080	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	86
PID 5080 wrote to memory of 1456	5080	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	86
PID 5080 wrote to memory of 1456	5080	9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe	86
PID 1456 wrote to memory of 4772	1456	Isass.exe	87
PID 1456 wrote to memory of 4772	1456	Isass.exe	87

C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe"
        7⤵
        Executes dropped EXE
        
        PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
699KB

MD5
8b22011e787e65d5511874e4857e660f

SHA1
705f4da62dba701736e461e4d5f8196b677baa2c

SHA256
2c4161be88ac9459f32e9e1c0a8ea20383be1485e26e6abfb748f0b01b4e681e

SHA512
f687944a78f90e29764cdb93fdb2e5806d3861804ba6790c48686507b3f6d319b05ac44f9a6510807cb184fff0543881e3b278cfe73364ec84274121c33dd313

Download Submit
C:\Users\Admin\AppData\Local\Temp\9012a5b6cfafc1989a62b3828b02fcc0_NeikiAnalytics.exe

Filesize
140KB

MD5
1793928d1c8daf03a8b67a60a0ffbd93

SHA1
c777c5be2321bf493877efef590eec8c822e2072

SHA256
84a2bb3191f370ba456dd8637e08cd47ef1c80a54d081881cd1e16a8c67f0238

SHA512
64ef94fb34b637c5d40878f4d3b0db7f2d74e89be35fca959ee9354cdf8f5bd61d90e8aa1ff795ddafe60ba5d1a0d4b57c41b1bf8750d24d685aa98f4142c11a

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
211KB

MD5
e8971d0c95ab03d0f5399c608edd147a

SHA1
5af0641e615b80e999ed3987139ebfe70250afbd

SHA256
74cf215112e855d7ed9472f2c79272cd88586a5a58db3741b5f965aa352f525f

SHA512
b47c9f564708822d37a6867a82f1a8fc29ec074f880695e777c3445f6c38d9ea19cc15fa046cf625768a083ec5867b565025ae62745b40d7bde56d05e8f5ed3a

Download Submit
memory/1368-14-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/1456-28-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3056-37-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3056-13-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3504-4-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/3504-6-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4724-10-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/4772-30-0x00000000002E0000-0x0000000000308000-memory.dmp

Filesize
160KB

Download
memory/5028-36-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-51-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-33-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-91-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-8-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5028-38-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-7-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-42-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-43-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-32-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-52-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-58-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-59-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-69-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-70-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-81-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5028-82-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download
memory/5080-17-0x0000000000400000-0x00000000016A8000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads