2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943

General

Target

2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
Size

497KB
MD5

78ec630f3ed072441ce509aa4060e2e0
SHA1

25b02caab0c2baf14683bbfa0a1fc006a53bc479
SHA256

2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943
SHA512

29c1b542ebd06cd14500e1b91e59d589e753be592eb52a5041c5b6514dba3418e1d678301793344b3f7e07d9311f778a34ad8a0966e49d0e2164079fbe90f7d8
SSDEEP

12288:/n8yN0Mr8Zm8DEO7z4Kv7yGvZPeC4qgrl5XJPv:vPuZm9Kv7VZPeBrF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2096	Isass.exe
2796	Isass.exe
2720	Isass.exe
2664	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe

Loads dropped DLL 10 IoCs

pid	Process
2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2660	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2660	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2720	Isass.exe
2720	Isass.exe
2096	Isass.exe
2096	Isass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2096	Isass.exe
2796	Isass.exe
2796	Isass.exe
2796	Isass.exe
2660	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
2720	Isass.exe
2720	Isass.exe
2664	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2096	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	28
PID 2980 wrote to memory of 2096	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	28
PID 2980 wrote to memory of 2096	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	28
PID 2980 wrote to memory of 2096	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	28
PID 2980 wrote to memory of 2796	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	29
PID 2980 wrote to memory of 2796	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	29
PID 2980 wrote to memory of 2796	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	29
PID 2980 wrote to memory of 2796	2980	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	29
PID 2796 wrote to memory of 2660	2796	Isass.exe	30
PID 2796 wrote to memory of 2660	2796	Isass.exe	30
PID 2796 wrote to memory of 2660	2796	Isass.exe	30
PID 2796 wrote to memory of 2660	2796	Isass.exe	30
PID 2660 wrote to memory of 2720	2660	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	31
PID 2660 wrote to memory of 2720	2660	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	31
PID 2660 wrote to memory of 2720	2660	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	31
PID 2660 wrote to memory of 2720	2660	2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe	31
PID 2720 wrote to memory of 2664	2720	Isass.exe	32
PID 2720 wrote to memory of 2664	2720	Isass.exe	32
PID 2720 wrote to memory of 2664	2720	Isass.exe	32
PID 2720 wrote to memory of 2664	2720	Isass.exe	32

C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2ca927a9e9c7dec6056273908c9d91fd68b9b620672052daee9917ef376bd943_NeikiAnalytics.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Public\Microsoft Build\Isass.exe

Filesize
231KB

MD5
20a01dcd1a68ed02b8367b1acf045777

SHA1
bc6faad1dd5b52c238a1e16083df1ec36856d28e

SHA256
0dc9d189d3f162fbeef97345f98afe3749272c9da7e04057c50bbb80c674546f

SHA512
a43717b7d0b06d967176cb2f222af27d045baad32a4c363947debdd416f6814084ce49490e9c50d8af1d2be77c4d4bde36e22e44940ca60b8cf4344f5a3f42a8

Download Submit
memory/2096-63-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-57-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-36-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2096-82-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-39-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-73-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-72-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-35-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-94-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-81-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-48-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-47-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-40-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-56-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-64-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2660-21-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2664-34-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2720-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2796-18-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2980-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2980-14-0x00000000047C0000-0x0000000005A69000-memory.dmp

Filesize
18.7MB

Download
memory/2980-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads