01db7e0e86366071cab37c9d07c0f360ebbc3a16181a422185574b7ec8484f21

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Size

119KB
MD5

03fc9498c3cdc6356f1aaa3f89d60060
SHA1

e23ee556f3da8777599a77489d3c02e76296789d
SHA256

01db7e0e86366071cab37c9d07c0f360ebbc3a16181a422185574b7ec8484f21
SHA512

bdb56e5fa12b2f96444675c8891d9b211bdc48bf05287469b8ad0db00ab569697da612b2949ae71895fb450814442252ffb5e4bb350e8fdaf412cb6ccda370a3
SSDEEP

3072:COjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:CIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002344a-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4136	ctfmen.exe
556	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3456	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
556	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\satornas.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\shervans.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\grcopy.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1552	556	WerFault.exe	90

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4136	3456	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe	89
PID 3456 wrote to memory of 4136	3456	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe	89
PID 3456 wrote to memory of 4136	3456	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe	89
PID 4136 wrote to memory of 556	4136	ctfmen.exe	90
PID 4136 wrote to memory of 556	4136	ctfmen.exe	90
PID 4136 wrote to memory of 556	4136	ctfmen.exe	90

C:\Users\Admin\AppData\Local\Temp\03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1480
      4⤵
      Program crash
      PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 556 -ip 556
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
931ca87e1b938ad7d8b362e0e7b19edf

SHA1
8059b515cee6a5c256877f968dd6ae62eb2d5c70

SHA256
3361c38acb9567df8d05f8cbbe85cb584e54de88533989a2ff4632d26aedb2b6

SHA512
013586ceb95f87313445dac4b91d5250efbe23465dbc3e7b9bacbb7711a915396344145bb5ba611a5704dfda2a6d7955f0a8940c9218167173dd9b8f71ca217c

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
119KB

MD5
fe1e914d7974a0d8f3ece6082ae8ab13

SHA1
d95c1aa07f23c729b48d60260ab01d2609b4d753

SHA256
7f82b48536c409437fa199fc30e93c8624362629dabfa8a3769a7747cc0f9dfb

SHA512
b765e03fea0d125cecabeae71e48a51f69de1ad7abfe8bcd547ee1bc678a148e552d391c326b52c3e6aabce4bb63269e9a36413c162d4ca59e7f25236bb27eb2

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
fb846f933b384120d25c8c9be2b1c231

SHA1
8ea935ead8283fbb7f0da0e0a0f2ec4c2f1a2386

SHA256
ba477461c7750e7d2da5a00335c141590abff8387ac6d3517fef81649a0063df

SHA512
82ba1dfca80f09e136a71a05396a55c53f9f4bae4aa2909782d5f396aa180452190107f5e8ed6a43db5925749b2301435cc73aa5c775e3fab7048475cd36930d

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
fba6849d209e581ffc1b1ada04c62927

SHA1
ebbad803eea808458b6c36dcabd9d79459c1a0ec

SHA256
02e17b43eed2332440edc5b4960bca2592b7439156717d673a6a8b7baf658c39

SHA512
580002f51ea6db3f3ea19f09e906680cff3fd5b13b13d5fc26630f9525664576f73045d82353a7513cfa7bf5a73f3f4c80039d3e2c3dff651b3b334258263138

Download Submit
memory/556-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/556-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/556-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3456-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3456-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3456-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3456-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4136-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads