Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 21:42
Static task: static1
Behavioral task: behavioral1
  Sample: 0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
Size: 75KB
MD5: 0580e3a0d0b88d30e2e9a6c5e35a7ef0
SHA1: dfaf39964055ad2a918d8cc7bdd0db25a2bc8c1e
SHA256: 44f48a4b415a5b4f287e3eb72524a8585aa425cb6fb644f6e2463f4821a3959c
SHA512: 1440335f35bf2fa934b60f2009c514544e66a387f8473f6fbc452ec47a78dd36a86acf36bb1acd422812ec8ea208359544ff453b6235fc1c51295ae26ff0714b
SSDEEP: 1536:8x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:0OjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- resource: behavioral2/files/0x00070000000233f8-9.dat  yara_rule: acprotect
Executes dropped EXE (2 IoCs)
- PID 1356  ctfmen.exe
- PID 876  smnss.exe
Loads dropped DLL (2 IoCs)
- PID 3432  0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
- PID 876  smnss.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  (smnss.exe)
The value names C:\Windows\system32\ctfmen.exe, but the sample is a 32-bit image (arch:x86) running on x64, so WOW64 file-system redirection resolves that path to C:\Windows\SysWOW64\ctfmen.exe, which is where the file is actually dropped, and the Run value itself lands under the WOW6432Node view of the registry. Both the dropper and its second stage set the same value, so the entry survives if either stage is interrupted.
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  (smnss.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  (smnss.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1  (smnss.exe)
Drops file in System32 directory (12 IoCs)
- File created C:\Windows\SysWOW64\shervans.dll  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File opened for modification C:\Windows\SysWOW64\shervans.dll  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File opened for modification C:\Windows\SysWOW64\satornas.dll  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\zipfi.dll  (smnss.exe)
- File created C:\Windows\SysWOW64\ctfmen.exe  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\grcopy.dll  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File opened for modification C:\Windows\SysWOW64\grcopy.dll  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\smnss.exe  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\satornas.dll  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\zipfiaq.dll  (smnss.exe)
- File created C:\Windows\SysWOW64\smnss.exe  (smnss.exe)
- File opened for modification C:\Windows\SysWOW64\ctfmen.exe  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
Drops file in Program Files directory (64 IoCs)
All entries are "File opened for modification" by smnss.exe:
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml
- C:\Program Files\7-Zip\Lang\ar.txt
- C:\Program Files\7-Zip\Lang\fi.txt
- C:\Program Files\7-Zip\Lang\zh-tw.txt
- C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml
- C:\Program Files\7-Zip\Lang\hu.txt
- C:\Program Files\7-Zip\Lang\pl.txt
- C:\Program Files\7-Zip\Lang\ug.txt
- C:\Program Files\7-Zip\Lang\tg.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml
- C:\Program Files\7-Zip\Lang\bg.txt
- C:\Program Files\7-Zip\Lang\mk.txt
- C:\Program Files\7-Zip\Lang\pt-br.txt
- C:\Program Files\7-Zip\Lang\sr-spl.txt
- C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml
- C:\Program Files\Common Files\microsoft shared\ink\Content.xml
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml
- C:\Program Files\7-Zip\Lang\ast.txt
- C:\Program Files\7-Zip\Lang\hr.txt
- C:\Program Files\7-Zip\Lang\ps.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml
- C:\Program Files\7-Zip\Lang\gu.txt
- C:\Program Files\7-Zip\Lang\nl.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml
- C:\Program Files\7-Zip\Lang\sw.txt
- C:\Program Files\7-Zip\Lang\uk.txt
- C:\Program Files\7-Zip\Lang\uz-cyrl.txt
- C:\Program Files\7-Zip\Lang\br.txt
- C:\Program Files\7-Zip\Lang\cy.txt
- C:\Program Files\7-Zip\Lang\si.txt
- C:\Program Files\7-Zip\Lang\pt.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml
- C:\Program Files\dotnet\LICENSE.txt
- C:\Program Files\7-Zip\Lang\be.txt
- C:\Program Files\7-Zip\Lang\ky.txt
- C:\Program Files\7-Zip\Lang\lv.txt
- C:\Program Files\dotnet\ThirdPartyNotices.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml
- C:\Program Files\7-Zip\Lang\is.txt
- C:\Program Files\7-Zip\Lang\ka.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml
- C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml
- C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml
- C:\Program Files\7-Zip\Lang\it.txt
- C:\Program Files\7-Zip\Lang\ku-ckb.txt
- C:\Program Files\7-Zip\Lang\ku.txt
- C:\Program Files\7-Zip\Lang\ca.txt
- C:\Program Files\7-Zip\Lang\pa-in.txt
- C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml
- C:\Program Files\7-Zip\Lang\ba.txt
- C:\Program Files\7-Zip\Lang\co.txt
- C:\Program Files\7-Zip\Lang\sk.txt
Program crash (1 IoC)
- pid 4900  pid_target 876  Process WerFault.exe  procid_target 93
The crashing process is smnss.exe (PID 876), the stage that was writing under Program Files; whatever it would have done after the crash is not in this trace.
Modifies registry class (6 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  (smnss.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32  (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe)
Pointing the default value of a CLSID's InprocServer32 key at the dropped shervans.dll makes any 32-bit process that instantiates that COM class load the DLL in-process (COM hijacking); together with the Run key this gives the sample two independent persistence paths, so remediation has to remove both.
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege  PID 876  smnss.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3432 (0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe) wrote to memory of PID 1356, procid_target 92  (reported 3 times)
- PID 1356 (ctfmen.exe) wrote to memory of PID 876, procid_target 93  (reported 3 times)
Each write pairs a parent with the child it spawns in the process tree below (sample -> ctfmen.exe -> smnss.exe); no writes into unrelated processes were recorded.
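The two persistence signatures above ("Adds Run key" and "Modifies registry class") share one detection idea: a registry value that points at a file the same trace shows being dropped. The script below is an added example, not code from the tria.ge report or from the sample; it runs that correlation over constructed Sysmon-style events (EventID 11 file create, EventID 13 registry value set) shaped after this report's IoCs. The field names "id", "image", "target" and "details" are this example's own choice, not a Sysmon schema, and the benign "Example\updater.exe" entry is invented as a control.

```python
"""Correlate Run-key and COM InprocServer32 writes with files dropped in the
same trace.  Added example; event shape and the benign control are assumptions."""
import re
from dataclasses import dataclass

# Any value directly under ...\CurrentVersion\Run (native or WOW6432Node view).
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\[^\\]+$")
# The (Default) value of a CLSID's InprocServer32 key: the DLL COM loads in-process.
INPROC_RE = re.compile(r"\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32(\\\(default\))?$")


def norm_path(p: str) -> str:
    """Lower-case, strip quotes and fold WOW64 file-system redirection: a 32-bit
    process that writes C:\\Windows\\system32\\x really lands in SysWOW64, which
    is why the report shows system32 in registry values but SysWOW64 on disk."""
    p = p.strip().strip('"').lower()
    return p.replace("\\system32\\", "\\syswow64\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str     # process that wrote the registry value
    target: str    # registry value that was set
    dropped: str   # normalized path of the file the value points at


def correlate(events):
    """One Finding per Run / InprocServer32 value that names a file created
    anywhere in the same event list (order of events does not matter)."""
    dropped = {norm_path(e["target"]): e["image"] for e in events if e["id"] == 11}
    findings = []
    for e in events:
        if e["id"] != 13:
            continue
        key = e["target"].lower()
        if RUN_KEY_RE.search(key):
            rule = "run-key -> dropped file"
        elif INPROC_RE.search(key):
            rule = "com-inprocserver32 -> dropped dll"
        else:
            continue
        value = norm_path(e["details"])
        if value in dropped:
            findings.append(Finding(rule, e["image"], e["target"], value))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe"

# Constructed events (not real telemetry), shaped after the report's IoCs.
EVENTS = [
    {"id": 11, "image": SAMPLE, "target": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Windows\SysWOW64\shervans.dll"},
    {"id": 13, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen",
     "details": r"C:\Windows\system32\ctfmen.exe"},
    {"id": 13, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default)",
     "details": r"C:\Windows\SysWow64\shervans.dll"},
    # Benign control (invented): a Run value naming a file this trace never created.
    {"id": 13, "image": r"C:\Program Files\Example\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "details": r"C:\Program Files\Example\updater.exe"},
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f.rule}] {f.image} set {f.target} -> {f.dropped}")
```

On real telemetry this rule alone also fires on legitimate installers, which register the files they just wrote; the discriminators that make this report's case clear are that the writer runs from a user Temp directory and the dropped target sits under the Windows directory, so score on those fields before alerting.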
Processes
- C:\Users\Admin\AppData\Local\Temp\0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe (PID 3432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Maps connected drives based on registry; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (PID 1356)
    Command line: ctfmen.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (PID 876)
      Command line: C:\Windows\system32\smnss.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Maps connected drives based on registry; Drops file in System32 directory; Drops file in Program Files directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 4900)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1488
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 956)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 65e22c0d8fd9760821db7324b3d73210
  SHA1: 29b8afeaf83063720df566c3247564f2c42a7757
  SHA256: f1fa60a3d7ac1ff0ffb2561cc68e7b888bcde03875b2db97b88899ece9af1c85
  SHA512: 9e069da63746cfbc5affd472a5186609ce6e3e7a4410e468f364a6496c10bd8dc558a87bd95d8df1d41fda256c6bdb2668c9b137558e845e23f26d9be896d1fd
- Filesize: 75KB
  MD5: 0bf52c1e641a27a85609f5d689a0716b
  SHA1: 53a43411046c967b00105d0d45c69dd0ba8db2cc
  SHA256: 293352d5de10b5bd7ec51eee75173113f76617cd86c5a0310c361e8d49184571
  SHA512: a9955b0e00d1079ca26ecf1b9f2ecfedb4b90e6d1bdba007c68e3890e8107a411d9c83966a46b718792a1b4855dbbd6ab6c530caa70475921dc4dc0c65a671e8
- Filesize: 183B
  MD5: 8477dcd8766efb086886f1ac87a40ee6
  SHA1: 34a979ce520dba8f5f9f8cb5ad9430a79461f88f
  SHA256: 521d8669c0f9794f56f0eba1dcaf1e7a24518ac06719117b00b8bbf0c17419e5
  SHA512: 4024a4be55d54c9d9215f71a48696a2679979a4b0ff7f223e6d35069d8608a4f70811317e9b7ab3dd9160d4bbe29d8ee5077edafbeaadcc777ba3acc2492b80e
- Filesize: 8KB
  MD5: 3f01867e1e6641f093dd53b530cc4b42
  SHA1: 23bd7ad08a1c1b0c044e031c92128042f86d4e6d
  SHA256: f3a35289931d4e45483e48ef317908b72794c74270f21d53132407746115fda8
  SHA512: e62715bddd27a0a4b45af9df6b2e34dd9803822d1709e5e1ea34b5224b7976db6b6d10c6525c398ab2dcae3fee5e04fcbbdcbad1fccbc7abf358d5096daab67f