5d31ec657a387fa2d340896430618b016d867fb80068bba4ea2c13b0c885fc77

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Size

127KB
MD5

01adbc0c459f956cc47c1f7c8de6a720
SHA1

4f6435f3419974f4f69cb18fe1d407e27b319763
SHA256

5d31ec657a387fa2d340896430618b016d867fb80068bba4ea2c13b0c885fc77
SHA512

c47cbcf97e913086c1ee32300f6e5c1f9b82f3045219f19ef186503df6ff822cf142585a4e87eaf906a5a79af0b66934d6cdb324a37594376c5bb374f6712ce1
SSDEEP

3072:6OjWuyt0ZHqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPL:6IH9OKofHfHTXQLzgvnzHPowYbvrjD/O

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023409-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4400	ctfmen.exe
4340	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
4340	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1704	4340	WerFault.exe	95

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4400	2448	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe	94
PID 2448 wrote to memory of 4400	2448	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe	94
PID 2448 wrote to memory of 4400	2448	01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe	94
PID 4400 wrote to memory of 4340	4400	ctfmen.exe	95
PID 4400 wrote to memory of 4340	4400	ctfmen.exe	95
PID 4400 wrote to memory of 4340	4400	ctfmen.exe	95

C:\Users\Admin\AppData\Local\Temp\01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01adbc0c459f956cc47c1f7c8de6a720_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1400
      4⤵
      Program crash
      PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4340 -ip 4340
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
f1e87dd27e8fde45a07038b376df90e0

SHA1
4d78b23211fb6dea845e682f8e70160d3f7def1d

SHA256
1842bd0b80b44a41b699a48eb34feed8a2e8707de9ac8f78265abec2196f1e98

SHA512
4bb5f013610ce24baa89f5ab2b9ae1d147bf08a3d860d0be6d5ac565702b240dc816136362cf9da6e4374089cbdfbd263d855eb4a22abd3c67957cad125b28be

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
127KB

MD5
ab6a680a41b25ef9c5988d41db3118f9

SHA1
392761341218a6199e751d2c86dc5169d6aa2cb0

SHA256
0f95f169d433f9887d4495086a2518593bcfb5c16823ca914cb5023413e35a40

SHA512
67232eee8a829f774dc74d7d3d822ddfcc535f5d75a72031aa51dc0dbb3ce7cdd7c5d19efe146ddd4e59246c911e39fad8d2524293d914ee7e1f5128569cb5b9

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
b4b0fa1cbda851673c638181dd75fe35

SHA1
0275a9afd2f7def66ffcf6f50aac002d8c1380ae

SHA256
9e688f7709854665e0ae19ebd9bbfa1d0ee3d915eff0b3defff76df11edbf5a7

SHA512
499bc8e9a8a29923d1d4ae326aa9d042778fd73297147374a39fbe39e0e588f69a4c03a259d6dc96d70919a3094b5b92092f52f8274490df311462137efb7c0b

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
61f06d8878d1912521361d24defdc1be

SHA1
56e3e8db5478c6f5bd9565ec65cbf56ac55a0b05

SHA256
4aa318f78c99b5f8c04c569c836ccc56a25d0f7a7fdff6c8c773d56b5b5d74ce

SHA512
04db6785df45b4dab197df16d2bdb9d226ea3e26c8144963a0fa04440790dd75199f1fe7ef8ac8372b9ee5fb94259f31820b99f2c61d7963190b8655a7103929

Download Submit
memory/2448-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2448-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2448-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2448-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4340-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4340-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4340-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4400-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4400-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads