3659c82b50bdc329cee38060a50eeb74f74f302b14a788b3757607791fc43f63

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Size

120KB
MD5

0029a4d756eb4f0126fb7f1b7b1dbce0
SHA1

9ca6e91913e6b84dcf0f8c4e9aba01e0a3674b1a
SHA256

3659c82b50bdc329cee38060a50eeb74f74f302b14a788b3757607791fc43f63
SHA512

2e664ba816a113ad098be5e103f88439e6114f558c0adebd0fdb030d7952d0a8d51b26bd1412d2c3b3d9eae1d4187b2d789f19623824d0e59bcb387be284e439
SSDEEP

3072:tOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:tIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000015d24-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1440	ctfmen.exe
2144	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
1304	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
1304	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
1304	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
1440	ctfmen.exe
1440	ctfmen.exe
2144	smnss.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\satornas.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\shervans.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\grcopy.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2144	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1440	1304	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe	28
PID 1304 wrote to memory of 1440	1304	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe	28
PID 1304 wrote to memory of 1440	1304	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe	28
PID 1304 wrote to memory of 1440	1304	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe	28
PID 1440 wrote to memory of 2144	1440	ctfmen.exe	29
PID 1440 wrote to memory of 2144	1440	ctfmen.exe	29
PID 1440 wrote to memory of 2144	1440	ctfmen.exe	29
PID 1440 wrote to memory of 2144	1440	ctfmen.exe	29
PID 2144 wrote to memory of 2616	2144	smnss.exe	30
PID 2144 wrote to memory of 2616	2144	smnss.exe	30
PID 2144 wrote to memory of 2616	2144	smnss.exe	30
PID 2144 wrote to memory of 2616	2144	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 836
      4⤵
      Loads dropped DLL
      Program crash
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
908728ac6af3082844f78db3922c3414

SHA1
e462b3e6b31b7ae81144c8fc974ed8ec88b21d46

SHA256
373b3454c075e435fb3498d268afd8da27eece8c183736719ec844f65cf5b9ae

SHA512
6697d9879500660b7af4156b761fde1baf253b6e225bc7463ce815a7e780481a27dd20e2ad0962e19fc23f1ec0406f2ecd8905c419e30344283344dccec0c15a

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
120KB

MD5
3c7cb40cdb7c3d58099de4d1bcc99e5b

SHA1
895af80f380197ca8db009ce60afd60f47847520

SHA256
f064ddb60c139c59239a689684be1df6d2119dcf0f97f1a3ff458e915706e40a

SHA512
4d35a6c249b343316fb3acdb9279202a82da1c1035fc2096c30ec62221330a313be4de31d10a35698c79b7eafaddc1a627f34cbc9f95c7984384fed7fa2fd4f7

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
37eec508c1316a1df18a827fcf57c421

SHA1
9ccfe64b18c09fd8ee52c7585f3c5e9233422276

SHA256
68b5c6ea0fc554bce3dba36c7406070b3fe28619d95e8a47954c38e2e1c80f96

SHA512
3775d1e430dcff8b980eba64309c2e839a74c4e00b931c8b918d815d43f0154ea9483dc8a352c429409d719eb1b6d379cb9ef3cd142a64732f3ff7e71fea2adb

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
43cfac2e9b8cbb289bfd363dc9722993

SHA1
21f763df87a8848ea793b5dde74045080b6d097c

SHA256
44b18f01f122203a0e2a6589ca50006472d9bed2dd52a9041dabe88c34cf020b

SHA512
fd378eac330d3817372c6ef7db36719cda39fe2ee48b7cf204ed8e8dd42d729677d1cdbbfb9b4d927ffb8fc433b4e58ebfc249cb4b8afb8d39ff0245f78ecea8

Download Submit
memory/1304-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1304-18-0x0000000000320000-0x0000000000329000-memory.dmp

Filesize
36KB

Download
memory/1304-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1304-29-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1304-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1440-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2144-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads