b395776e62bdcbc17fd54af87262408bbfa0bf27d1d11edede8fef6a43d6d827

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe
Size

119KB
MD5

25f54bc23226a4bdd85ea0c696914340
SHA1

1497b139c877c360c7683f8159edb375ce87d219
SHA256

b395776e62bdcbc17fd54af87262408bbfa0bf27d1d11edede8fef6a43d6d827
SHA512

86c1a4b537ea9aa641ced1c92a1405630cce2bc4780683b4f8f9b1ab1432d2680161a9cdea7a951c948fc2e3a4d37348543c95298ff82d38cc78864d58204392
SSDEEP

3072:OE9j8b3ZXgKC1hX//iASOXRJzDOD26j/3DcD:OEebiKuX//iZOXRJ3OD26jy

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2884	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe
3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2724	sc.exe
2608	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe
2884	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2724	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2724	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2724	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2724	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2884	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	30
PID 3012 wrote to memory of 2884	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	30
PID 3012 wrote to memory of 2884	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	30
PID 3012 wrote to memory of 2884	3012	25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe	30
PID 2884 wrote to memory of 2608	2884	smss.exe	31
PID 2884 wrote to memory of 2608	2884	smss.exe	31
PID 2884 wrote to memory of 2608	2884	smss.exe	31
PID 2884 wrote to memory of 2608	2884	smss.exe	31

C:\Users\Admin\AppData\Local\Temp\25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25f54bc23226a4bdd85ea0c696914340_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  PID:2724
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
119KB

MD5
a8be8d25d896b6abf216be8e896e0226

SHA1
fb0110b2dd9bdd33bc3d984546ad93ebf1ed0ccc

SHA256
3f57754cc5aef2a9f454f834d73694a23df9cac041fd2ecd70959724f9cccf6c

SHA512
e88e62ec0aa9346e4ca48e5e6bb0dc46fb6510eddd3a34b18bdec95c6a8f84b334cd6985b55e765defb7563762d630ef08c9d04937c71cbb4046604e1a2b10fb

Download Submit
memory/3012-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download