Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 00:48

Static task: static1
Behavioral task: behavioral1
Sample: 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
Resource: win7-20240215-en
General
Target: 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
Size: 138KB
MD5: 6586c221f9b3accf6ae830cb91613b80
SHA1: 84a082af45b9f3792454a798b84c1b6bc53079e7
SHA256: 25ce4ec60efeed3c0741fac7630bb73019807e6e1cb1536152a70bcf3d21467f
SHA512: 840e247cd0413e361a67855d4fec8cd2177ddd6a351fc6054859712d330fae4207bed8965369cbeeb339b09d64e6edc267ed38f14ebf7da30e98e861b8a74e77
SSDEEP: 1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPH:r7YubEwYXRWhpAJUHhzm4hUukS6Kmec9
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
- PID 2656: smss.exe

Loads dropped DLL (2 IoCs)
Processes:
- PID 3032: 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
- PID 3032: 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe

Drops file in System32 directory (3 IoCs)
Processes (description / IoC / process):
- File opened for modification: C:\Windows\SysWOW64\1230\smss.exe by 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
- File opened for modification: C:\Windows\SysWOW64\1230\smss.exe by smss.exe
- File opened for modification: C:\Windows\SysWOW64\Service.exe by smss.exe

Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- PID 1948: sc.exe
- PID 2584: sc.exe
- PID 2096: sc.exe
- PID 2748: sc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 3032: 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
- PID 2656: smss.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID / source process / target PID / target process; each pair is recorded 4 times in the report):
- PID 3032 (6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe) wrote to memory of PID 1948 (sc.exe), 4 entries
- PID 3032 (6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe) wrote to memory of PID 2584 (sc.exe), 4 entries
- PID 3032 (6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe) wrote to memory of PID 2656 (smss.exe), 4 entries
- PID 2656 (smss.exe) wrote to memory of PID 2096 (sc.exe), 4 entries
- PID 2656 (smss.exe) wrote to memory of PID 2748 (sc.exe), 4 entries
Processes (process tree; depth 1 is the submitted sample, deeper levels are its children)

1. C:\Users\Admin\AppData\Local\Temp\6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop SharedAccess
      - Launches sc.exe

   2. C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe

   2. C:\Windows\SysWOW64\1230\smss.exe
      Command line: C:\Windows\system32\1230\smss.exe -d
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\sc.exe
         Command line: C:\Windows\system32\sc.exe stop SharedAccess
         - Launches sc.exe

      3. C:\Windows\SysWOW64\sc.exe
         Command line: C:\Windows\system32\sc.exe stop wscsvc
         - Launches sc.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

\Windows\SysWOW64\1230\smss.exe
Filesize: 138KB
MD5: 7b5623cb095e34395a0fb818d38009a1
SHA1: dece78c2235cc567e9a741413cd94fa1e587bc2d
SHA256: a81c306cfca08860e343e8cc153dc179db45bfa712ec9543583916858e5bd942
SHA512: d72f803541a61c09d7ccea4195657a05e41b0b05ed9182812acf6b04e8aa7d2c576a437a052976dfa355f700f54f341ec0a03d56dde9e0389a90a6868c69bd63