94ba66a0690ba7722a1d6d8c4fb14aea2a6c9e60fda2def4ce1cc18901b1d1a9

Analysis

max time kernel
133s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
Size

138KB
MD5

73059a9993669e0526f4afdbb3797740
SHA1

73d155af151519d93bcd4f66ca6a383ce8a7834f
SHA256

94ba66a0690ba7722a1d6d8c4fb14aea2a6c9e60fda2def4ce1cc18901b1d1a9
SHA512

a00a58693bcfad8ec552fce61e1abe6750963776a907bce9044f5699a0f34df270df2ca7fbf556dd0a5bb574cbdb1b24e0d84403ec03f8a165e9bcbc69962d04
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xP+:r7YubEwYXRWhpAJUHhzm4hUukS6Kmeco

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

392 smss.exe

pid	process
392	smss.exe

Drops file in System32 directory 3 IoCs

Processes:

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3680 sc.exe
4984 sc.exe
4244 sc.exe
3416 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exesmss.exe

pid process

1020 73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
392 smss.exe

pid	process
3680	sc.exe
4984	sc.exe
4244	sc.exe
3416	sc.exe

pid	process
1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
392	smss.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exesmss.exe

description	pid	process	target process
PID 1020 wrote to memory of 3680	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1020 wrote to memory of 3680	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1020 wrote to memory of 3680	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1020 wrote to memory of 4984	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1020 wrote to memory of 4984	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1020 wrote to memory of 4984	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	sc.exe
PID 1020 wrote to memory of 392	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	smss.exe
PID 1020 wrote to memory of 392	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	smss.exe
PID 1020 wrote to memory of 392	1020	73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe	smss.exe
PID 392 wrote to memory of 4244	392	smss.exe	sc.exe
PID 392 wrote to memory of 4244	392	smss.exe	sc.exe
PID 392 wrote to memory of 4244	392	smss.exe	sc.exe
PID 392 wrote to memory of 3416	392	smss.exe	sc.exe
PID 392 wrote to memory of 3416	392	smss.exe	sc.exe
PID 392 wrote to memory of 3416	392	smss.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73059a9993669e0526f4afdbb3797740_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
2⤵
- Launches sc.exe
PID:3680

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
PID:4984

C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
3⤵
- Launches sc.exe
PID:4244

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
138KB

MD5
f4fcafc2b80dd266be2fc6215976ffd1

SHA1
c93d39ac505dda184f595897a76d5c4ed8fdf6d5

SHA256
66d4195879af220db634eea06ce67bf5fc72a47105a9f0e94e06412c88d6d58e

SHA512
77eebf1d398aff6cabd00b3cb74656e4d6fad29012429b0dc7b43a2c5b5345c7621230211959575831bb4d68816d594ef54d4dc55f0ae5c2b84e5ae6df704bfe

Download Submit