44f48a4b415a5b4f287e3eb72524a8585aa425cb6fb644f6e2463f4821a3959c

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Size

75KB
MD5

0580e3a0d0b88d30e2e9a6c5e35a7ef0
SHA1

dfaf39964055ad2a918d8cc7bdd0db25a2bc8c1e
SHA256

44f48a4b415a5b4f287e3eb72524a8585aa425cb6fb644f6e2463f4821a3959c
SHA512

1440335f35bf2fa934b60f2009c514544e66a387f8473f6fbc452ec47a78dd36a86acf36bb1acd422812ec8ea208359544ff453b6235fc1c51295ae26ff0714b
SSDEEP

1536:8x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:0OjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00320000000139f1-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2564	ctfmen.exe
2676	smnss.exe

Loads dropped DLL 6 IoCs

pid	Process
2496	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
2496	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
2496	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
2564	ctfmen.exe
2564	ctfmen.exe
2676	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF0450T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF4BK3L.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_trap.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_objects.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Language_Keywords.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smx8x3u.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Arithmetic_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_aliases.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_hash_tables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO0410T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOF300T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\RacRules.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_output.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\kyw7qur8.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_do.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF6980T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_wildcards.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WMI_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Redirection.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Signing.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scopes.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_join.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Command_Syntax.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa320t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_methods.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_WMI_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4340t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_providers.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_While.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO6200T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Assignment_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_History.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_providers.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Switch.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Assignment_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_FAQ.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Line_Editing.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smx620u.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Command_Syntax.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_regular_expressions.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\grcopy.dll	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml405u.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Break.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_type_operators.help.txt	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.FR.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN108.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN082.XML	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\NetFx45_IIS_schema_update.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_330b92f4e4356a4b\settings.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-4.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-19.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_remote_requirements.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_pssessions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7110452767e88835\xpsrchvw.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0212532a5cdf4b5f\picturePuzzle.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_aliases.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_script_internationalization.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0b45804490d366e\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Comment_Based_Help.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_properties.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_job_details.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_command_precedence.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_pssession_details.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbc7c5d1d33a67b5\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigApp.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Foreach.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPW1RC3L.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Signing.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\it-IT\Rules.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpk5400t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\501.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-16.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Comment_Based_Help.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Parsing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\default.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpc4300t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Rules.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPWK550T.XML	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31089658_2030963232.back.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-5.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_job_details.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_remote_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_scripts.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_PSSnapins.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7601.17514_none_a54b31331066c8e2\tasks.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\GlobalInstallOrder.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\auxpad.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Editions\StarterEdition.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Report.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPP8100T.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_modules.help.txt	smnss.exe
File opened for modification	C:\Windows\ehome\ja-JP\playready_eula.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\en-US\Report.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\Rules.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8486739b50ee62de\currency.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-15.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-17.htm	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-devicediagnostic_31bf3856ad364e35_6.1.7600.16385_none_451a033a54709874\DeviceDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_preference_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Comment_Based_Help.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-10.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-11.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_History.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\hpmcpcp6.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a5f3b7a6a481da29\settings.html	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\ja-JP\Rules.System.Memory.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_it-it_227e33fb04382aa3\playready_eula.txt	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	smnss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2564	2496	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe	28
PID 2496 wrote to memory of 2564	2496	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe	28
PID 2496 wrote to memory of 2564	2496	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe	28
PID 2496 wrote to memory of 2564	2496	0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe	28
PID 2564 wrote to memory of 2676	2564	ctfmen.exe	29
PID 2564 wrote to memory of 2676	2564	ctfmen.exe	29
PID 2564 wrote to memory of 2676	2564	ctfmen.exe	29
PID 2564 wrote to memory of 2676	2564	ctfmen.exe	29

C:\Users\Admin\AppData\Local\Temp\0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
95127c34cbc596f3e4689d3423414415

SHA1
20519aadbc2c563bd8370eea8a206a56e8367079

SHA256
d621e2331f6bfbf682bc9a566f8bc2086801c6f6a7f6270d168b5b45292bfb7a

SHA512
a64a715ee4da8aec6789fd80f749baed0a99b808d9e4198e85940d00ad4d77106fe3e1074de51d86e6c6f0e9db036316aebf6a42c9b7dcd9176ebba869730bda

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
75KB

MD5
c469ceca6b597d7b6b96b5588f330616

SHA1
f2957cbd45ddb92e3e853470ebf20b1026d90c4d

SHA256
cf44c061603e3f1e022496a15149de29a83c1417eaa371e35a351805c7fde65d

SHA512
75f86f32c5758bdcaaf184a474039df7aeff07a47f557bb59805d83f9f461c04ea5cea8ee878d3995928289c12968f755e14bd9c77ce3d8c7144ad3350de60b3

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
115bbe0767ed511396ea792519ec0353

SHA1
08390097242cc2851497dcf5d93b9c2733083339

SHA256
224e17f54a7c0fa828d859dd80d8cba6d2e25c46e589cc2a7d3b8444f2e030f5

SHA512
676b22be341bf82752faab7766fc8ae5327894b1aa78ef13fe0486633424f6a44df888c0c9f9d512456f4d94a398f44ddd9b9760207b8d4591f2eeeb80cbd21c

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
ca65c68c5343ff7b9a234d34f8b5532e

SHA1
43d2be2b461db94bd90e0717b4b670d34eab2c5a

SHA256
684c4c1f6978ff4445f2a262e2a8cdbeb8c91bbb9b814a2cf5e3c231a6884df2

SHA512
b3d716d7900ab86d2454baaa2d7b78cb215252912f6b92196611e03a93397767d8cccce7af8796044f7c132638b68f7c6ab4a576a365d4de9387492c5f216f0f

Download Submit
memory/2496-15-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2496-18-0x00000000002D0000-0x00000000002D9000-memory.dmp

Filesize
36KB

Download
memory/2496-26-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2496-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2564-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2676-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-42-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2676-46-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-48-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads