cc1aadf31af786043ae9cf6d658c654f77c839be9edd1add9f8c8451bd91dc35

Analysis

max time kernel
133s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe
Size

119KB
MD5

3ecfc011ffe3ff186d52ce210791cb30
SHA1

f82960d311c0bafe63c98cff92d1c3097ad81cc8
SHA256

cc1aadf31af786043ae9cf6d658c654f77c839be9edd1add9f8c8451bd91dc35
SHA512

1b35e7a56424c56f94f5a45e813fcd42adcc94d5d479eae7f6213c3188b22b4f934e048b57d235449d549cf7c4a4b05fe4ef4618ce61a086aace38716d151ba2
SSDEEP

3072:OE9j8b3ZXgKC1hX//iASOXRJzDOD26j/3Dc69+:OEebiKuX//iZOXRJ3OD26jxU

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
4920	smss.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5100	sc.exe
4632	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4036	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe
4920	smss.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4632	4036	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe	83
PID 4036 wrote to memory of 4632	4036	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe	83
PID 4036 wrote to memory of 4632	4036	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe	83
PID 4036 wrote to memory of 4920	4036	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe	85
PID 4036 wrote to memory of 4920	4036	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe	85
PID 4036 wrote to memory of 4920	4036	3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe	85
PID 4920 wrote to memory of 5100	4920	smss.exe	86
PID 4920 wrote to memory of 5100	4920	smss.exe	86
PID 4920 wrote to memory of 5100	4920	smss.exe	86

C:\Users\Admin\AppData\Local\Temp\3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ecfc011ffe3ff186d52ce210791cb30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  PID:4632
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
119KB

MD5
fc18b8d256c2bf3f4bb6d54844aec025

SHA1
0ed957ea393f757a6a3a55ecc14b05bdf9514d73

SHA256
a2fc306e59a01bd718672f5f992d1fc8110275ec34e7b8940c6c3dc360d5e33e

SHA512
359b9b553e9d5907f57593d0b9fa2064fe87207b07adb8edae9a97a233a1fb4551ed303dc7c45380e1ac2c6158d8983c602f162ec04065304d84431516ec7dc9

Download Submit
memory/4036-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download