0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
Size

5.5MB
MD5

c4c696e6ea81e3e94050d4bfca2d4350
SHA1

fbe76e557521504be389722ce25b4ad229ae2858
SHA256

0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e
SHA512

1f2a0403bbcfdc1e7c501c87c8d0d1b352f21ac52001e0798e9aee5eabe4df734cfbd11201903fc8fb03918a6851aed695520da869b1559e4541a248eb7dacf4
SSDEEP

98304:+iNCFT1fzFo347hHCbg1VD1e9HJlJCX4gqXv8wHtundQ+QCA86WLoz:+i4HLhHCIMHUcXEwgnmRj9Coz

Score

8^/10

evasion execution vmprotect

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2492-37-0x0000000000400000-0x0000000000DA0000-memory.dmp	vmprotect
behavioral1/memory/2492-39-0x0000000000400000-0x0000000000DA0000-memory.dmp	vmprotect
behavioral1/memory/2492-40-0x0000000000400000-0x0000000000DA0000-memory.dmp	vmprotect
behavioral1/memory/2492-43-0x0000000000400000-0x0000000000DA0000-memory.dmp	vmprotect

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2680 sc.exe
2604 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid process

2492 0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
2492 0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid process

2492 0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid process

2492 0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid process

2492 0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
2492 0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid	process
2680	sc.exe
2604	sc.exe

pid	process
2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid	process
2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid	process
2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

pid	process
2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe

description	pid	process	target process
PID 2492 wrote to memory of 2680	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe
PID 2492 wrote to memory of 2680	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe
PID 2492 wrote to memory of 2680	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe
PID 2492 wrote to memory of 2680	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe
PID 2492 wrote to memory of 2604	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe
PID 2492 wrote to memory of 2604	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe
PID 2492 wrote to memory of 2604	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe
PID 2492 wrote to memory of 2604	2492	0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ccd8ebf242998355d78e564b12ff183377a89c84cbd3478535e5e6155cb645e_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\sc.exe
sc stop UxSms
2⤵
- Launches sc.exe
PID:2680

C:\Windows\SysWOW64\sc.exe
sc start UxSms
2⤵
- Launches sc.exe
PID:2604

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2464

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-24-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2492-29-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2492-36-0x00000000004CE000-0x0000000000813000-memory.dmp

Filesize
3.3MB

Download
memory/2492-34-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-32-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-30-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2492-27-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2492-22-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2492-19-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2492-17-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2492-14-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2492-12-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2492-9-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2492-7-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2492-4-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2492-2-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2492-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2492-37-0x0000000000400000-0x0000000000DA0000-memory.dmp

Filesize
9.6MB

Download
memory/2492-39-0x0000000000400000-0x0000000000DA0000-memory.dmp

Filesize
9.6MB

Download
memory/2492-40-0x0000000000400000-0x0000000000DA0000-memory.dmp

Filesize
9.6MB

Download
memory/2492-42-0x00000000004CE000-0x0000000000813000-memory.dmp

Filesize
3.3MB

Download
memory/2492-43-0x0000000000400000-0x0000000000DA0000-memory.dmp

Filesize
9.6MB

Download