3659c82b50bdc329cee38060a50eeb74f74f302b14a788b3757607791fc43f63

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Size

120KB
MD5

0029a4d756eb4f0126fb7f1b7b1dbce0
SHA1

9ca6e91913e6b84dcf0f8c4e9aba01e0a3674b1a
SHA256

3659c82b50bdc329cee38060a50eeb74f74f302b14a788b3757607791fc43f63
SHA512

2e664ba816a113ad098be5e103f88439e6114f558c0adebd0fdb030d7952d0a8d51b26bd1412d2c3b3d9eae1d4187b2d789f19623824d0e59bcb387be284e439
SSDEEP

3072:tOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:tIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000233f6-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
756	ctfmen.exe
904	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3808	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
904	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\grcopy.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\shervans.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\satornas.dll	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4708	904	WerFault.exe	88

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 756	3808	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe	87
PID 3808 wrote to memory of 756	3808	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe	87
PID 3808 wrote to memory of 756	3808	0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe	87
PID 756 wrote to memory of 904	756	ctfmen.exe	88
PID 756 wrote to memory of 904	756	ctfmen.exe	88
PID 756 wrote to memory of 904	756	ctfmen.exe	88

C:\Users\Admin\AppData\Local\Temp\0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1476
      4⤵
      Program crash
      PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 904 -ip 904
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
7418f17acbfa696fa5c30157b2780f85

SHA1
eb0f4d2ce67f1f8107f74ae4f59d5c0c60d7efa9

SHA256
20dfc6f4683706824beed771de6e4a579c4540133a0c72cdd633f4b7c4f70e73

SHA512
4e633b4ae2675a0d5acc5a473538defb680ea3e4bf2af6522f688d8aaf3b2298569a880ca73351fe60f8d227fab7e3af66a65b711c7c2a3ae11846bbc3339be2

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
120KB

MD5
20f80cc7d1d08691e131ea5ff07dfef6

SHA1
2f0925280eac214d575f719a2f9f40136bc2c559

SHA256
835765df1fe4dc9edca332433d5a34fb844398714efaef638c2d7ab0b0d0d5ec

SHA512
ba264f6fd2161d7e4502d7fac171310fbbe09e70f40f6c4072c4e632815fd8dc586fddd467e4863d86f6498401048e0bdd27117f39005dda57e62abcaa16a95d

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
6a8252a7d9336f33dd38ce7f63bb3d0f

SHA1
a636270e3f1b2acc9376451fa8340eed3ae8b0cf

SHA256
5d910ecf2a4360c1290bd39ed56e634e890a2caa59539b966fca6be96eb33ed2

SHA512
e4cd970565c1a019ea518cd00953d01dbeaa649d6824015f825b1068764faa81bf3ca043705dd9ea7bbbe06c9e362a7aa0a4df500b7242048986c3b6aaf97f2e

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
6edc23e4c0f848a873a957bc5c7ff2a6

SHA1
3fdb3fb1f646d81e8e647c1daf12be8e2b33d7d9

SHA256
91b6d12fae451702da637e9adb923d6d8e2be7282d2482ede73213a874fbc208

SHA512
9a3ad65437e7986b2fccd7b15a8f423db2257adc5afc52a3aa8f5d8835c069f01bda9a79320f60ef37cc622e8b451d92552da847409bc296d03f084b752b5b75

Download Submit
memory/756-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/756-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/904-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/904-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/904-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3808-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3808-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3808-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads