63933822b6d5d29bfabd430e42de907cc8e129018a1e0f962c4f68ea756fa7f7

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
Size

419KB
MD5

2358e7a30b8b2ff9f538528d266f6170
SHA1

2196f5b850e6948aa82dc2399c8eb13c652abd46
SHA256

63933822b6d5d29bfabd430e42de907cc8e129018a1e0f962c4f68ea756fa7f7
SHA512

bfa7104298c5a612d14580603149e7d609814a3c55dfcca14b1560d5a073216d983bc7f0e7b116c2980eff44ec9ac560d385ea8bb44912329dfb69a51d1ae77a
SSDEEP

6144:/rTfUHeeSKOS9ccFKk3Y9t9YZHpLJTABX6YPJLSUjV3Vn:/n8yN0Mr8ZHBJTeq2Wi3Vn

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2128	Isass.exe
1044	Isass.exe
2724	Isass.exe
2708	Isass.exe
2564	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe

Loads dropped DLL 11 IoCs

pid	Process
2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2000	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2000	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2652	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2708	Isass.exe
2128	Isass.exe
2128	Isass.exe
2128	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2128	Isass.exe
1044	Isass.exe
1044	Isass.exe
1044	Isass.exe
2000	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2724	Isass.exe
2724	Isass.exe
2724	Isass.exe
2652	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
2708	Isass.exe
2708	Isass.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2128	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2128	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2128	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2128	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 1044	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	29
PID 2012 wrote to memory of 1044	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	29
PID 2012 wrote to memory of 1044	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	29
PID 2012 wrote to memory of 1044	2012	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	29
PID 1044 wrote to memory of 2000	1044	Isass.exe	30
PID 1044 wrote to memory of 2000	1044	Isass.exe	30
PID 1044 wrote to memory of 2000	1044	Isass.exe	30
PID 1044 wrote to memory of 2000	1044	Isass.exe	30
PID 2000 wrote to memory of 2724	2000	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	31
PID 2000 wrote to memory of 2724	2000	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	31
PID 2000 wrote to memory of 2724	2000	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	31
PID 2000 wrote to memory of 2724	2000	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	31
PID 2724 wrote to memory of 2652	2724	Isass.exe	32
PID 2724 wrote to memory of 2652	2724	Isass.exe	32
PID 2724 wrote to memory of 2652	2724	Isass.exe	32
PID 2724 wrote to memory of 2652	2724	Isass.exe	32
PID 2652 wrote to memory of 2708	2652	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	33
PID 2652 wrote to memory of 2708	2652	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	33
PID 2652 wrote to memory of 2708	2652	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	33
PID 2652 wrote to memory of 2708	2652	2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe	33
PID 2708 wrote to memory of 2564	2708	Isass.exe	34
PID 2708 wrote to memory of 2564	2708	Isass.exe	34
PID 2708 wrote to memory of 2564	2708	Isass.exe	34
PID 2708 wrote to memory of 2564	2708	Isass.exe	34

C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe"
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe"
        7⤵
        Executes dropped EXE
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Microsoft Build\Isass.exe

Filesize
216KB

MD5
505343504ee4aedbfa55f2158e5085c1

SHA1
4e3e38d96f3baf251cdebf73557b76518f28206b

SHA256
0e9e507a6b61122fa856e15ca03acfcd1492574e356e0fb53f2770c6ad895085

SHA512
418f50f667f37e8301a8c4ace22166813316c8c1cff88a1972918e9f5c28c592e7347b17c06767b0927b53faf93427d9676535e61f0a6052a0497b557b3acfd6

Download Submit
\Users\Admin\AppData\Local\Temp\2358e7a30b8b2ff9f538528d266f6170_NeikiAnalytics.exe

Filesize
140KB

MD5
24f79f24b079ff5d837e1040f1c09d2a

SHA1
c56cfe2bc3817be2482cea1faea8925eb47ff424

SHA256
e7ba69ae8bd3206d73514b21e0d2f5d7e0101cb1a449442855068ff00ab88361

SHA512
574060ae61aa95200f1fa6423977040c5fd1ad46f1f1539329a2fc55eb871bf561d3d50191f3e16bdc32144295cd2939937f87bbd6c9f1b53b3288ddbb71a8cf

Download Submit
memory/1044-20-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2000-24-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2012-8-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2012-9-0x00000000045D0000-0x0000000005879000-memory.dmp

Filesize
18.7MB

Download
memory/2012-38-0x0000000004BD0000-0x0000000005E79000-memory.dmp

Filesize
18.7MB

Download
memory/2012-13-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2012-11-0x00000000045D0000-0x0000000005879000-memory.dmp

Filesize
18.7MB

Download
memory/2012-17-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2012-19-0x0000000004BD0000-0x0000000005E79000-memory.dmp

Filesize
18.7MB

Download
memory/2128-37-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-51-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-102-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-89-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-88-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-12-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-14-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2128-39-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-42-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-43-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-50-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-76-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-59-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-60-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-66-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-67-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2128-75-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2564-36-0x0000000000180000-0x00000000001A8000-memory.dmp

Filesize
160KB

Download
memory/2652-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2708-34-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2724-25-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download