Analysis

max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 05:10

Static task: static1
Behavioral task: behavioral1
Sample: 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
Resource: win7-20240611-en
General

Target: 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
Size: 138KB
MD5: 60fd696186fe29b550b78bb4272c0bf0
SHA1: 67a0153b37aaa661423d4fafc0cf26b49f1af827
SHA256: 4711e8af41d87bbdbcd43a9e9d738e9a63e3201dab05abfbac854ae6502818e0
SHA512: 9b5b93edf523e9368f4fffabdcfdac74ae1409f229ecee003290be374eae161e7600332bf3b72748a456116c52aea88343f8556e95205cd1f9f75195d84fd8db
SSDEEP: 1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPk:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecy
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  PID   Process
  2964  smss.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2784  60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
  2784  60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe

Drops file in System32 directory (3 IoCs)
  Description                   IoC                                 Process
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   smss.exe
  File opened for modification  C:\Windows\SysWOW64\Service.exe     smss.exe

Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
  PID   Process
  2724  sc.exe
  2184  sc.exe
  2144  sc.exe
  2704  sc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2784  60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
  2964  smss.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Each source/target pair was recorded four times; the table lists each pair once with its call count.
  Source PID  Source process                                        Target PID  procid_target  Calls
  2784        60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe   2184        28             4
  2784        60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe   2144        30             4
  2784        60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe   2964        32             4
  2964        smss.exe                                              2704        33             4
  2964        smss.exe                                              2724        35             4
Processes

C:\Users\Admin\AppData\Local\Temp\60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe (PID 2784)
  command line: "C:\Users\Admin\AppData\Local\Temp\60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe (PID 2184)
    command line: C:\Windows\system32\sc.exe stop SharedAccess
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 2144)
    command line: C:\Windows\system32\sc.exe stop wscsvc
    - Launches sc.exe

  C:\Windows\SysWOW64\1230\smss.exe (PID 2964)
    command line: C:\Windows\system32\1230\smss.exe -d
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe (PID 2704)
      command line: C:\Windows\system32\sc.exe stop SharedAccess
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 2724)
      command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
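A triage check over process-creation events, written for this page as an added example; it is not part of the sandbox report and not code from the sample. It flags the two behaviours the tree above shows: sc.exe stopping SharedAccess (the Windows Firewall / Internet Connection Sharing service) and wscsvc (Security Center), and a binary named smss.exe running from a path other than C:\Windows\System32 with a parent other than System, then ties both back to the same root process so that one chain raises a single verdict. It matches on the Image field rather than the command line because, as the tree shows, the 32-bit sample typed system32 but WoW64 redirection actually ran SysWOW64\sc.exe. The event records are constructed from the PIDs, images and command lines in the tree; the Sysmon-style field names, the dropper's parent PID (1234), the two benign control records and the extra protected services MpsSvc and WinDefend are assumptions.

```python
"""Triage process-creation events for the two behaviours in this report:
sc.exe stopping security services, and a dropped binary masquerading as
smss.exe. Field names follow Sysmon Event ID 1, but every record below is
constructed from the report's process tree, not captured telemetry."""
import re
from pathlib import PureWindowsPath

# Services the sample stops (SharedAccess = Windows Firewall/ICS, wscsvc =
# Security Center) plus two more a defender normally protects. The extra
# two entries are an assumption; extend the set for your environment.
PROTECTED_SERVICES = {"sharedaccess", "wscsvc", "mpssvc", "windefend"}

# The only legitimate Session Manager binary; its parent is System (PID 4).
LEGIT_SMSS = PureWindowsPath(r"C:\Windows\System32\smss.exe")
SYSTEM_PID = 4

SC_STOP = re.compile(r"\bstop\s+(?P<svc>[\w.-]+)", re.IGNORECASE)


def sc_stop_target(event):
    """Service name if the event is sc.exe stopping a protected service, else None.

    The Image field identifies the executable; the command line only supplies
    the service argument, since under WoW64 the path typed there can differ."""
    if PureWindowsPath(event["Image"]).name.lower() != "sc.exe":
        return None
    match = SC_STOP.search(event["CommandLine"])
    if match and match.group("svc").lower() in PROTECTED_SERVICES:
        return match.group("svc")
    return None


def is_smss_masquerade(event):
    """True for any smss.exe outside System32 or not started by System."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "smss.exe":
        return False
    # PureWindowsPath compares case-insensitively, as NTFS path lookup does.
    return image != LEGIT_SMSS or event.get("ParentProcessId") != SYSTEM_PID


def triage(events):
    """Return (pid, rule, detail, root_pid) for each hit.

    root_pid is the topmost ancestor present in the event set, so hits from
    the dropper and from its smss.exe child are attributed to one chain."""
    by_pid = {e["ProcessId"]: e for e in events}

    def root_of(pid):
        while pid in by_pid and by_pid[pid]["ParentProcessId"] in by_pid:
            pid = by_pid[pid]["ParentProcessId"]
        return pid

    findings = []
    for e in events:
        pid = e["ProcessId"]
        svc = sc_stop_target(e)
        if svc:
            findings.append((pid, "security_service_stop", svc, root_of(pid)))
        if is_smss_masquerade(e):
            findings.append((pid, "smss_masquerade", e["Image"], root_of(pid)))
    return findings


def tampering_chains(events):
    """Root PIDs whose tree both stops a protected service and runs a fake smss.exe.

    Requiring both rules on one chain keeps an admin's lone 'sc stop' from alerting."""
    rules_by_root = {}
    for _, rule, _, root in triage(events):
        rules_by_root.setdefault(root, set()).add(rule)
    wanted = {"security_service_stop", "smss_masquerade"}
    return sorted(root for root, rules in rules_by_root.items() if wanted <= rules)


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe"

# Constructed from the report's process tree. PIDs, images and command lines
# are the report's; the dropper's parent PID (1234) and the two benign
# control records at the end are assumptions added for the negative case.
EVENTS = [
    {"ProcessId": 2784, "ParentProcessId": 1234, "Image": DROPPER,
     "CommandLine": f'"{DROPPER}"'},
    {"ProcessId": 2184, "ParentProcessId": 2784, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop SharedAccess"},
    {"ProcessId": 2144, "ParentProcessId": 2784, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop wscsvc"},
    {"ProcessId": 2964, "ParentProcessId": 2784, "Image": r"C:\Windows\SysWOW64\1230\smss.exe",
     "CommandLine": r"C:\Windows\system32\1230\smss.exe -d"},
    {"ProcessId": 2704, "ParentProcessId": 2964, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop SharedAccess"},
    {"ProcessId": 2724, "ParentProcessId": 2964, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop wscsvc"},
    # Benign control: the real Session Manager, started by System.
    {"ProcessId": 272, "ParentProcessId": SYSTEM_PID, "Image": r"C:\Windows\System32\smss.exe",
     "CommandLine": r"\SystemRoot\System32\smss.exe"},
    # Benign control: an administrator stopping an unprotected service.
    {"ProcessId": 3100, "ParentProcessId": 900, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe stop Spooler"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
    print("tampering chains rooted at:", tampering_chains(EVENTS))
```

Run against the constructed events, all five hits (four service stops and the fake smss.exe) resolve to root PID 2784, the dropper, while the real smss.exe and the Spooler stop produce nothing; on live Sysmon data the same two rules can be fed from Event ID 1 records with the same field names.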
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 138KB
MD5: d26c79b75cf9bafb28ca9dec38d7f878
SHA1: a484e0fe571fc377eb6de28d9d812aad11cc5dbe
SHA256: ea7f7aaccca2091ba325233ccc4d91993ac0ffb297f6367a4ee181093c3c81db
SHA512: 11557bb6bfe6c89c1c47b66fe44b2dd1a5a2b216b28c96d163731e3d3d5f33655449e0e3afc3ddbc4fec13159ef5670429a4b3a2546c79ab694d3c9a752f9f9f