94ba66a0690ba7722a1d6d8c4fb14aea2a6c9e60fda2def4ce1cc18901b1d1a9

General

Target

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
Size

138KB
MD5

73059a9993669e0526f4afdbb3797740
SHA1

73d155af151519d93bcd4f66ca6a383ce8a7834f
SHA256

94ba66a0690ba7722a1d6d8c4fb14aea2a6c9e60fda2def4ce1cc18901b1d1a9
SHA512

a00a58693bcfad8ec552fce61e1abe6750963776a907bce9044f5699a0f34df270df2ca7fbf556dd0a5bb574cbdb1b24e0d84403ec03f8a165e9bcbc69962d04
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xP+:r7YubEwYXRWhpAJUHhzm4hUukS6Kmeco

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

2556 smss.exe
Loads dropped DLL 2 IoCs

Processes:

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe

pid process

1008 73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
1008 73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe

pid	process
2556	smss.exe

pid	process
1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe

Drops file in System32 directory 3 IoCs

Processes:

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2680 sc.exe
2760 sc.exe
1856 sc.exe
2644 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exesmss.exe

pid process

1008 73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
2556 smss.exe

pid	process
2680	sc.exe
2760	sc.exe
1856	sc.exe
2644	sc.exe

pid	process
1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
2556	smss.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exesmss.exe

description	pid	process	target process
PID 1008 wrote to memory of 1856	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 1856	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 1856	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 1856	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 2644	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 2644	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 2644	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 2644	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1008 wrote to memory of 2556	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	smss.exe
PID 1008 wrote to memory of 2556	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	smss.exe
PID 1008 wrote to memory of 2556	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	smss.exe
PID 1008 wrote to memory of 2556	1008	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	smss.exe
PID 2556 wrote to memory of 2680	2556	smss.exe	sc.exe
PID 2556 wrote to memory of 2680	2556	smss.exe	sc.exe
PID 2556 wrote to memory of 2680	2556	smss.exe	sc.exe
PID 2556 wrote to memory of 2680	2556	smss.exe	sc.exe
PID 2556 wrote to memory of 2760	2556	smss.exe	sc.exe
PID 2556 wrote to memory of 2760	2556	smss.exe	sc.exe
PID 2556 wrote to memory of 2760	2556	smss.exe	sc.exe
PID 2556 wrote to memory of 2760	2556	smss.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
2⤵
- Launches sc.exe
PID:1856

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
PID:2644

C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
3⤵
- Launches sc.exe
PID:2680

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe

Filesize
138KB

MD5
aa3527c14d0f7a449266ccad4588257e

SHA1
8c18b8b513982cc52978792c6aaf34cd5ccbd8ce

SHA256
b34e40983b0ba3683087fbea2c05e326cf296792b1dafcfa68a814605883b7b5

SHA512
e3e76115c26eb0131f2bf25e4cfd47cafadf93e3fa094bcc7811a7c242fc6344800ee724950bf37650fa614d5abc7c078a779049d9c17998ad4ee788141d38d6

Download Submit

Analysis

Sharing