Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 03:49

Static task: static1
Behavioral task: behavioral1
  Sample: 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en

General
Target: 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
Size: 467KB
MD5: 5c0c2fc69656e74ab8edbe36b8e9ef20
SHA1: 7fce94f7f5babda85ad0aed3ddf179484f30f287
SHA256: 849f94425211387b7ee32ce2959c35102b76834cdc4a31f207f8b35b53fee6d0
SHA512: 999cd699dc13913c651a393446442db12287b1d8c6c40179aa77a694a482d0c3e87d0ade6776fbdec17c43a263a26f190071fb0fc6f7ee39c0aa89fca4188db1
SSDEEP: 6144:/rTfUHeeSKOS9ccFKk3Y9t9YZaCGUeKJCCrwqzOD:/n8yN0Mr8ZxvBMqzy
Malware Config
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Isass.exe, 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | Isass.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | Isass.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | Isass.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe

Executes dropped EXE (5 IoCs)
Processes: Isass.exe, 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
pid | process
- 5044 | Isass.exe
- 3008 | Isass.exe
- 3500 | Isass.exe
- 1416 | Isass.exe
- 4452 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe, Isass.exe
pid | process (number of entries)
- 2448 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (2)
- 5044 | Isass.exe (2)
- 3008 | Isass.exe (6)
- 4084 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (2)
- 3500 | Isass.exe (6)
- 1920 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (2)
- 1416 | Isass.exe (4)

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe, Isass.exe
description | pid | process | target process (number of entries)
- PID 2448 wrote to memory of 5044 | 2448 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe | Isass.exe (3)
- PID 2448 wrote to memory of 3008 | 2448 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe | Isass.exe (3)
- PID 3008 wrote to memory of 4084 | 3008 | Isass.exe | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (3)
- PID 4084 wrote to memory of 3500 | 4084 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe | Isass.exe (3)
- PID 3500 wrote to memory of 1920 | 3500 | Isass.exe | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (3)
- PID 1920 wrote to memory of 1416 | 1920 | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe | Isass.exe (3)
- PID 1416 wrote to memory of 4452 | 1416 | Isass.exe | 5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (3)

Processes
- C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (depth 1, PID 2448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Public\Microsoft Build\Isass.exe (depth 2, PID 5044)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Public\Microsoft Build\Isass.exe (depth 2, PID 3008)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (depth 3, PID 4084)
      Command line: "C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe"
      Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Public\Microsoft Build\Isass.exe (depth 4, PID 3500)
        Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (depth 5, PID 1920)
          Command line: "C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe"
          Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          - C:\Users\Public\Microsoft Build\Isass.exe (depth 6, PID 1416)
            Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe
            Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe (depth 7, PID 4452)
              Command line: "C:\Users\Admin\AppData\Local\Temp\5c0c2fc69656e74ab8edbe36b8e9ef20_NeikiAnalytics.exe"
              Signatures: Executes dropped EXE

Network
MITRE ATT&CK Enterprise v15
Downloads