45585ed83a9cb3fd3c76d75de1b58925e02314951c26d6fd3ae80e13002dd813

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Size

147KB
MD5

cb23b945e5a6e1d94b6ada65b5dd3c80
SHA1

e1f277ab6dc23a63836467c9183b2bb93ffbd020
SHA256

45585ed83a9cb3fd3c76d75de1b58925e02314951c26d6fd3ae80e13002dd813
SHA512

74605501cdb9fff729fde83de57a98200a06c7bae5525a4f24254e6e61faf6a498752e0bd5fb78bb1aa6cc857a2ff06c1b03b9fe45d694a75b8c13024024cd0d
SSDEEP

3072:1OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPP1:1Is9OKofHfHTXQLzgvnzHPowYbvrjD/C

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b88-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2684	ctfmen.exe
1912	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
652	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
1912	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File created	C:\Windows\SysWOW64\satornas.dll	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File created	C:\Windows\SysWOW64\shervans.dll	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File created	C:\Windows\SysWOW64\grcopy.dll	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	1912	WerFault.exe	96

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 2684	652	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe	95
PID 652 wrote to memory of 2684	652	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe	95
PID 652 wrote to memory of 2684	652	cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe	95
PID 2684 wrote to memory of 1912	2684	ctfmen.exe	96
PID 2684 wrote to memory of 1912	2684	ctfmen.exe	96
PID 2684 wrote to memory of 1912	2684	ctfmen.exe	96

C:\Users\Admin\AppData\Local\Temp\cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\cb23b945e5a6e1d94b6ada65b5dd3c80_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1344
      4⤵
      Program crash
      PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1912 -ip 1912
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
f2e335abd574fd9127b5d06f148db5e6

SHA1
812a390fd135fe2afaf051be72b8f0aa915cb851

SHA256
f0b724749242d5fa06e33e96ae4a5018b9db3dd71e895c2f1fec0e165652dabe

SHA512
2562973c6d7c58830f40aec35a6cf540880b694e9f1023ce6889951e09608c50bec910d3def69dcbe768b2ab21f8c6ae803386ba2b12954712aba23158d1e3ab

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
147KB

MD5
ad8ad57a9085918a7f7c05e8e22cfc53

SHA1
030daf0ba53b0efbc687f89332857d6b58993d16

SHA256
b1b07eacccd7f0236bb905cf7b1d6d0372eb18ff02ff6c1fadf9e145b8bcef57

SHA512
36859efc6f25fd03d2dd026a75d06a926c5cbdb747b6ba7c77a3f17ae522b8a86ba44396c43d5aaa198f26a63e2e36b0f78a8f778c3e5e580aaae88a9745dbac

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
d3c7092bc5b0578d190eb052f89054f2

SHA1
998d295f5f4da28deb6b6b7e39b358a15da608d5

SHA256
e745ef4446e35d2276fa51ead23f06a7a3147445eff29d28d8b8564732876fa6

SHA512
976282710de6c39f1a515f251316ffb22c78191f8263ee04d23f447f10e356651c79630530f3dd58aec1fc38120fd1d401e24cf3876c6ea025a5a5b6c7952285

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
6702c5bb5eb61b007c77d39925c1e066

SHA1
48c4f2d77de0f0c0ff5fc428fe6fc985ad4c8f87

SHA256
26156770d8a7b93d731321a864849e8ea026cb28413485014b65550b0d7bcb91

SHA512
3c56b46edddf9551efc1f176e8f78c8a76a41ef95008f2a263669696ad391f3854e8ad0288b34415cbcff3579aab4cacf0bdcf819fd1b0a5398d7dec58777e14

Download Submit
memory/652-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/652-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/652-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/652-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1912-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1912-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1912-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads