Analysis
-
max time kernel
51s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
13-06-2024 05:10
Static task
static1
Behavioral task
behavioral1
Sample
60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
Resource
win7-20240611-en
General
-
Target
60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
-
Size
138KB
-
MD5
60fd696186fe29b550b78bb4272c0bf0
-
SHA1
67a0153b37aaa661423d4fafc0cf26b49f1af827
-
SHA256
4711e8af41d87bbdbcd43a9e9d738e9a63e3201dab05abfbac854ae6502818e0
-
SHA512
9b5b93edf523e9368f4fffabdcfdac74ae1409f229ecee003290be374eae161e7600332bf3b72748a456116c52aea88343f8556e95205cd1f9f75195d84fd8db
-
SSDEEP
1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPk:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecy
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
3384 smss.exe
-
Drops file in System32 directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\1230\smss.exe 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\1230\smss.exe smss.exe
File opened for modification C:\Windows\SysWOW64\Service.exe smss.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
1328 sc.exe
5064 sc.exe
1132 sc.exe
2488 sc.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
3384 smss.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 1368 wrote to memory of 1328 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 81
PID 1368 wrote to memory of 1328 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 81
PID 1368 wrote to memory of 1328 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 81
PID 1368 wrote to memory of 5064 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 83
PID 1368 wrote to memory of 5064 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 83
PID 1368 wrote to memory of 5064 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 83
PID 1368 wrote to memory of 3384 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 85
PID 1368 wrote to memory of 3384 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 85
PID 1368 wrote to memory of 3384 1368 60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe 85
PID 3384 wrote to memory of 1132 3384 smss.exe 86
PID 3384 wrote to memory of 1132 3384 smss.exe 86
PID 3384 wrote to memory of 1132 3384 smss.exe 86
PID 3384 wrote to memory of 2488 3384 smss.exe 87
PID 3384 wrote to memory of 2488 3384 smss.exe 87
PID 3384 wrote to memory of 2488 3384 smss.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60fd696186fe29b550b78bb4272c0bf0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
- Launches sc.exe
PID:1328
-
-
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
- Launches sc.exe
PID:5064
-
-
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
- Launches sc.exe
PID:1132
-
-
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
- Launches sc.exe
PID:2488
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
138KB
MD5
749fd78015c43c4df2ed3a07e4304531
SHA1
38e039258d1ff8a8a7217d63675aec34d2d69102
SHA256
81cf7e2670c1376063d1be82c74553451e8591fd8118381ed930ce2d1f486dd4
SHA512
11f0ce3fd6d2e5ebc18a4382c06582373d7d13e094d7b0e86a85a9685f85808e37851da05b9c6b270d82a933e1eee3aca1c443e8238d3e40eb8650188089d72a