25ce4ec60efeed3c0741fac7630bb73019807e6e1cb1536152a70bcf3d21467f

General

Target

6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
Size

138KB
MD5

6586c221f9b3accf6ae830cb91613b80
SHA1

84a082af45b9f3792454a798b84c1b6bc53079e7
SHA256

25ce4ec60efeed3c0741fac7630bb73019807e6e1cb1536152a70bcf3d21467f
SHA512

840e247cd0413e361a67855d4fec8cd2177ddd6a351fc6054859712d330fae4207bed8965369cbeeb339b09d64e6edc267ed38f14ebf7da30e98e861b8a74e77
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPH:r7YubEwYXRWhpAJUHhzm4hUukS6Kmec9

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

2656 smss.exe
Loads dropped DLL 2 IoCs

Processes:

6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe

pid process

3032 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
3032 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe

pid	process
2656	smss.exe

pid	process
3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe

Drops file in System32 directory 3 IoCs

Processes:

6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1948 sc.exe
2584 sc.exe
2096 sc.exe
2748 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exesmss.exe

pid process

3032 6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
2656 smss.exe

pid	process
1948	sc.exe
2584	sc.exe
2096	sc.exe
2748	sc.exe

pid	process
3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
2656	smss.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exesmss.exe

description	pid	process	target process
PID 3032 wrote to memory of 1948	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 1948	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 1948	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 1948	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 2584	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 2584	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 2584	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 2584	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	sc.exe
PID 3032 wrote to memory of 2656	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	smss.exe
PID 3032 wrote to memory of 2656	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	smss.exe
PID 3032 wrote to memory of 2656	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	smss.exe
PID 3032 wrote to memory of 2656	3032	6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe	smss.exe
PID 2656 wrote to memory of 2096	2656	smss.exe	sc.exe
PID 2656 wrote to memory of 2096	2656	smss.exe	sc.exe
PID 2656 wrote to memory of 2096	2656	smss.exe	sc.exe
PID 2656 wrote to memory of 2096	2656	smss.exe	sc.exe
PID 2656 wrote to memory of 2748	2656	smss.exe	sc.exe
PID 2656 wrote to memory of 2748	2656	smss.exe	sc.exe
PID 2656 wrote to memory of 2748	2656	smss.exe	sc.exe
PID 2656 wrote to memory of 2748	2656	smss.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6586c221f9b3accf6ae830cb91613b80_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
2⤵
- Launches sc.exe
PID:1948

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
PID:2584

C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
3⤵
- Launches sc.exe
PID:2096

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
PID:2748

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe
Filesize
138KB

MD5
7b5623cb095e34395a0fb818d38009a1

SHA1
dece78c2235cc567e9a741413cd94fa1e587bc2d

SHA256
a81c306cfca08860e343e8cc153dc179db45bfa712ec9543583916858e5bd942

SHA512
d72f803541a61c09d7ccea4195657a05e41b0b05ed9182812acf6b04e8aa7d2c576a437a052976dfa355f700f54f341ec0a03d56dde9e0389a90a6868c69bd63

Download Submit

Analysis

Sharing