Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 05:10

General

  • Target

    60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe

  • Size

    138KB

  • MD5

    60fd696186fe29b550b78bb4272c0bf0

  • SHA1

    67a0153b37aaa661423d4fafc0cf26b49f1af827

  • SHA256

    4711e8af41d87bbdbcd43a9e9d738e9a63e3201dab05abfbac854ae6502818e0

  • SHA512

    9b5b93edf523e9368f4fffabdcfdac74ae1409f229ecee003290be374eae161e7600332bf3b72748a456116c52aea88343f8556e95205cd1f9f75195d84fd8db

  • SSDEEP

    1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPk:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecy

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\SysWOW64\sc.exe
      C:\Windows\system32\sc.exe stop SharedAccess
      2⤵
      • Launches sc.exe
      PID:1328
    • C:\Windows\SysWOW64\sc.exe
      C:\Windows\system32\sc.exe stop wscsvc
      2⤵
      • Launches sc.exe
      PID:5064
    • C:\Windows\SysWOW64\1230\smss.exe
      C:\Windows\system32\1230\smss.exe -d
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\system32\sc.exe stop SharedAccess
        3⤵
        • Launches sc.exe
        PID:1132
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\system32\sc.exe stop wscsvc
        3⤵
        • Launches sc.exe
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\1230\smss.exe

    Filesize

    138KB

    MD5

    749fd78015c43c4df2ed3a07e4304531

    SHA1

    38e039258d1ff8a8a7217d63675aec34d2d69102

    SHA256

    81cf7e2670c1376063d1be82c74553451e8591fd8118381ed930ce2d1f486dd4

    SHA512

    11f0ce3fd6d2e5ebc18a4382c06582373d7d13e094d7b0e86a85a9685f85808e37851da05b9c6b270d82a933e1eee3aca1c443e8238d3e40eb8650188089d72a