01db7e0e86366071cab37c9d07c0f360ebbc3a16181a422185574b7ec8484f21

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Size

119KB
MD5

03fc9498c3cdc6356f1aaa3f89d60060
SHA1

e23ee556f3da8777599a77489d3c02e76296789d
SHA256

01db7e0e86366071cab37c9d07c0f360ebbc3a16181a422185574b7ec8484f21
SHA512

bdb56e5fa12b2f96444675c8891d9b211bdc48bf05287469b8ad0db00ab569697da612b2949ae71895fb450814442252ffb5e4bb350e8fdaf412cb6ccda370a3
SSDEEP

3072:COjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:CIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a0000000233e5-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3048	ctfmen.exe
5048	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
4124	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
5048	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\satornas.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\grcopy.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\shervans.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
File created	C:\Windows\SysWOW64\satornas.dll	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	5048	WerFault.exe	85

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3048	4124	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe	84
PID 4124 wrote to memory of 3048	4124	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe	84
PID 4124 wrote to memory of 3048	4124	03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe	84
PID 3048 wrote to memory of 5048	3048	ctfmen.exe	85
PID 3048 wrote to memory of 5048	3048	ctfmen.exe	85
PID 3048 wrote to memory of 5048	3048	ctfmen.exe	85

C:\Users\Admin\AppData\Local\Temp\03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\03fc9498c3cdc6356f1aaa3f89d60060_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1416
      4⤵
      Program crash
      PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
b0a2f762cb71d29b364819e6a83ee86f

SHA1
fc9b4a83a0600a6840a8d4ec5f22a27ada199b58

SHA256
090809cd83fce4a5eb32e99e057ffe7953be3bbbbe0632181ced27d2ee14dd0c

SHA512
5c1988ed7cb6dceabefa0afbf6a98d6914057510348c41d018795e36a4f50be0c090bd8fb2f760dfa4441eaa2bacf448983f25fd8cf1d42e882464abdb36231b

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
119KB

MD5
3ea39aeb2510a746f9bc0392d252537c

SHA1
090526151e3f6dfdb75d5157752ce2ce33f663b3

SHA256
857aa1dc37b4f6301b32bfe2d92b1bf193608edc9b40a6f1b074f6ad133ed32f

SHA512
df9e05f3847474b12c277eb53012d202e8319ec6ca12be326719b6bf81af007d1b4943e8ae3dcdc1e21e344292004a18ccf107c613dc9edb3ca4f7ae6d2392fd

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
e140b354e6190b348120307690b878bb

SHA1
df6f9f50ffa3f2a432fcdabc8340e51284a720f7

SHA256
8a10e744e03d5ea513adbb20598484bb3230c105468ab056acb29918e63c8170

SHA512
186c71043fd7f0ebc741ef9d41bef32e3d3e017f2635ec51c8e80ffd637e8064bb952f25a4a71b5809099986a4e9d8b2d55fcea31461d5ed69ed123a99a78817

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
ed1f07ca11bc3e516a6c2b9e29192276

SHA1
969ec305c734ed10d93c11b3b6a04561b3c64598

SHA256
acfea998da8cb34483eb2e63b319e7c2da2736b6b2159d6f0f2140df09f542ec

SHA512
87fa90125a823f82fd076535cfc321e93c570356ed91690a887d726fb398c9f429d86d10675c31ca74324244922466f8eb138c96961369d1f8d57e76c9069fc6

Download Submit
memory/3048-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4124-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4124-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4124-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4124-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5048-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5048-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5048-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads