Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
21-05-2024 13:01
Static task
static1
Behavioral task
behavioral1
Sample
50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll
Resource
win10v2004-20240508-en
General
-
Target
50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll
-
Size
5.0MB
-
MD5
5dc67f894b80e515c349d40f47bccb34
-
SHA1
13c8d42e174455eb0635cd31e29365c1e81f3f8b
-
SHA256
50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb
-
SHA512
fd78dcbc8f0245a4b5ba49758c38dec83bc3258093ead7a9f444197f60c870b2060836a6a021875c44f54871c502ffe6bb127d1c4882388fa7bac9485c93f585
-
SSDEEP
49152:SnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+8qPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3226) of remote hosts 1 TTP
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
PID   Process
2724  mssecsvc.exe
2064  mssecsvc.exe
2704  tasksche.exe
Creates a large number of network flows 1 TTP
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
Description                   IoC                                                                                                             Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
Drops file in Windows directory 2 IoCs
Processes:
Description   IoC                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs
Processes:
Description  IoC                                                                                Process
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Description                       PID   Process       Target PID  Target process
PID 1728 wrote to memory of 2596  1728  rundll32.exe  2596        rundll32.exe    (7 entries)
PID 2596 wrote to memory of 2724  2596  rundll32.exe  2724        mssecsvc.exe    (4 entries)
Processes
-
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
f6fa001fefb1871496a48e9e867151ae
SHA1
d56486a0bf4ba8e7c44aecae6a9a79d81412b428
SHA256
21dc73fdf73fc5a3b9d578ae328411517dc3ab0974be32b0310feb112c63d751
SHA512
b9f9ff8134b6e53f7aceffa89c9a295f146b911c9f3f46216022ad044bcd10dd7796a88e9d966bfed02fbde2250200d3255599baf85f709293de69828292e1bd
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
3a4580061b9ebc4436c0087538d18b17
SHA1
1736863b07f6314c821bf77d8c7f61792d1339b7
SHA256
7303c2b9de9432439804eb397e48d2ef80549781b43c9e7666a8a6c2a42f8ed2
SHA512
baed786b93022b1dc4c36c79bc813758744e5f031cc2f0ab266553456e42b94f05ad1de67009129407abfd32c82a437c89938b6487f736df011d462b985b260d
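The following is an added example and not part of the sandbox report or of any vendor's detection logic. It re-derives the report's behavioural signatures (files dropped into C:\WINDOWS and under SysWOW64, execution of those dropped EXEs, the rundll32 to mssecsvc.exe chain, and the 3226-host contact count) from a constructed process/file/network event trace that mirrors the process tree above, and checks recovered files against the SHA-256 values in the Downloads section. The event schema, rule names, the two root parent PIDs (900, 500), the 10.x destination addresses and the 1000-host threshold are this example's own assumptions; the report gives no threshold and no parent for the two root processes.

```python
"""
Added example, not part of the sandbox report: replay the report's behavioural
signatures for this WannaCry sample over a constructed event trace and check
dropped files against the report's SHA-256 values. Event schema and rule names
are this example's own; they are not a sandbox API.
"""
import hashlib
from collections import Counter

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll")
WINDIR = "c:\\windows\\"
SYSDIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# SHA-256 values copied from the report's Downloads section.
KNOWN_SHA256 = {
    "21dc73fdf73fc5a3b9d578ae328411517dc3ab0974be32b0310feb112c63d751": r"C:\Windows\mssecsvc.exe",
    "7303c2b9de9432439804eb397e48d2ef80549781b43c9e7666a8a6c2a42f8ed2": r"C:\Windows\tasksche.exe",
}


def _proc(pid, ppid, image, cmdline):
    return ("process_start", {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline})


# Constructed trace following the report's process tree. PIDs, images, command lines and
# paths are the report's; the root parent PIDs (900, 500) and the 10.x destinations are made up.
EVENTS = [
    _proc(1728, 900, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    _proc(2596, 1728, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ("file_create", {"pid": 2596, "image": r"C:\Windows\SysWOW64\rundll32.exe",
                     "path": r"C:\WINDOWS\mssecsvc.exe"}),
    _proc(2724, 2596, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ("file_create", {"pid": 2724, "image": r"C:\WINDOWS\mssecsvc.exe",
                     "path": r"C:\WINDOWS\tasksche.exe"}),
    _proc(2704, 2724, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    _proc(2064, 500, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ("file_modify", {"pid": 2064, "image": r"C:\WINDOWS\mssecsvc.exe",
                     "path": r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows"
                             r"\Temporary Internet Files\counters.dat"}),
] + [("net_connect", {"pid": 2064, "dst": f"10.{i // 256}.{i % 256}.1"}) for i in range(3226)]


def drops_in_windows_dir(events):
    """Signature 'Drops file in Windows directory': files created directly inside C:\\WINDOWS."""
    hits = []
    for kind, e in events:
        p = e["path"].lower() if kind == "file_create" else ""
        if p.startswith(WINDIR) and "\\" not in p[len(WINDIR):]:
            hits.append((e["image"], e["path"]))
    return hits


def drops_in_system32_dir(events):
    """Signature 'Drops file in System32 directory': files created or modified under System32/SysWOW64."""
    return [(e["image"], e["path"]) for kind, e in events
            if kind in ("file_create", "file_modify") and e["path"].lower().startswith(SYSDIRS)]


def executes_dropped_exe(events):
    """Signature 'Executes dropped EXE': a process whose image was created earlier in the same trace."""
    dropped, hits = set(), []
    for kind, e in events:
        if kind == "file_create":
            dropped.add(e["path"].lower())
        elif kind == "process_start" and e["image"].lower() in dropped:
            hits.append((e["pid"], e["image"]))
    return hits


def dropped_exe_spawned_by_rundll32(events):
    """The report's chain: rundll32.exe starting an EXE that was dropped in this trace."""
    images = {e["pid"]: e["image"].lower() for kind, e in events if kind == "process_start"}
    dropped = {e["path"].lower() for kind, e in events if kind == "file_create"}
    return [e["pid"] for kind, e in events if kind == "process_start"
            and e["image"].lower() in dropped
            and images.get(e["ppid"], "").endswith("\\rundll32.exe")]


def mass_host_contact(events, threshold=1000):
    """Signature 'Contacts a large number of remote hosts': distinct destinations per PID.
    The 1000 cut-off is this example's assumption; the report states none."""
    seen = {(e["pid"], e["dst"]) for kind, e in events if kind == "net_connect"}
    counts = Counter(pid for pid, _ in seen)
    return {pid: n for pid, n in counts.items() if n >= threshold}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_dropped_hashes(files, known=KNOWN_SHA256):
    """Map each recovered file ({path: bytes}) to the report path whose SHA-256 it matches, else None."""
    return {path: known.get(sha256_hex(data)) for path, data in files.items()}


def summarize(events=EVENTS):
    return {
        "drops_windows_dir": drops_in_windows_dir(events),
        "drops_system32_dir": drops_in_system32_dir(events),
        "executes_dropped_exe": executes_dropped_exe(events),
        "rundll32_spawns_dropped_exe": dropped_exe_spawned_by_rundll32(events),
        "mass_host_contact": mass_host_contact(events),
    }


if __name__ == "__main__":
    for name, hits in summarize().items():
        print(f"{name}: {hits}")
```

On a real host the `files` argument to `match_dropped_hashes` would be read from C:\Windows\mssecsvc.exe and C:\Windows\tasksche.exe; the trace replay reproduces the report's counts (2 Windows-directory drops, 1 System32 modification, 3 dropped-EXE executions, 3226 distinct hosts from PID 2064).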