03375e340a0952503e01983f8f907c7df6c823bcf252226d548f81c415b59b98

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 23:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe
Size

119KB
MD5

30206f83cdf73b5ed6f82744498f6690
SHA1

3110d2be8e4db93f66d3e6a8c6d6ad5118fbf9af
SHA256

03375e340a0952503e01983f8f907c7df6c823bcf252226d548f81c415b59b98
SHA512

3b861a02808782ac59ff6f93e521aa10a628c3c834274b431dae55e0c0f4e8f692a05f3d71c025983ed996006184b4eb72f631768ced5649d5e62f7aee3b8f64
SSDEEP

3072:OE9j8b3ZXgKC1hX//iASOXRJzDOD26j/3Dcl:OEebiKuX//iZOXRJ3OD26jc

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2928	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe
2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2420	sc.exe
2436	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe
2928	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2420	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2420	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2420	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2420	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2928	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	30
PID 2444 wrote to memory of 2928	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	30
PID 2444 wrote to memory of 2928	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	30
PID 2444 wrote to memory of 2928	2444	30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe	30
PID 2928 wrote to memory of 2436	2928	smss.exe	31
PID 2928 wrote to memory of 2436	2928	smss.exe	31
PID 2928 wrote to memory of 2436	2928	smss.exe	31
PID 2928 wrote to memory of 2436	2928	smss.exe	31

C:\Users\Admin\AppData\Local\Temp\30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30206f83cdf73b5ed6f82744498f6690_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  PID:2420
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe

Filesize
119KB

MD5
7ca3565ea82bc29880f38ecc752046fc

SHA1
f4486804650ee00bbdf3fb9da44782a71750b8b8

SHA256
d8a1117cfe55873a25396047d9c1e723add4d144e6e18178509228adcd406ca2

SHA512
efe4438bbcdc3f4f9fe4838f7e346cba5b2cfc9e6ff91970b7a0155aac5712b83ef940f70dddd5c2d4d90fe1f0e9dd8f7b67df0f8d414fe0d4b6bf8a9eee0ae8

Download Submit
memory/2444-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download