Analysis

  max time kernel: 144s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 09/05/2024, 08:24
Static task
  static1

Behavioral task
  behavioral1
  Sample: 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Resource: win7-20231129-en

Behavioral task
  behavioral2
  Sample: 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Resource: win10v2004-20240508-en

The signatures, process tree and downloads below come from behavioral1 (the Windows 7 x64 run named in the Analysis block); no behavioral2 results appear on this page.
General

  Target: 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Size: 120KB
  MD5: 042134ec70a227af1bab301e0b094cc0
  SHA1: df7d96df7f8e82bd617ebbe66635e2a47359f2f2
  SHA256: 8e7db5c623e3a8415f28e4d1e6c327737ba20c023436b155dbfe81c9e1014550
  SHA512: 1d323b699d6b67ba6dd6af83d2854e019f25093385ed9efca2b8c7e3e5e1d0d179a8de09a7b9f7b273e05288f80e359eb6641592be7b0fc1c1620ae6db4496e0
  SSDEEP: 3072:0OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:0Is9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config

Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: behavioral1/files/0x0008000000015c6b-10.dat
  yara_rule: acprotect
  The match is on a file written during the run (a files/ resource), not on the submitted sample itself. ACProtect is a commercial executable protector, so this rule indicates that a dropped component is packed; it does not identify a malware family.
Executes dropped EXE (2 IoCs)
  PID 2580  ctfmen.exe
  PID 2724  smnss.exe
Loads dropped DLL (9 IoCs)
  PID 2240  042134ec70a227af1bab301e0b094cc0_NEIKI.exe  (3 loads)
  PID 2580  ctfmen.exe  (2 loads)
  PID 2724  smnss.exe  (1 load)
  PID 2976  WerFault.exe  (3 loads)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  by smnss.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  The value names C:\Windows\system32\ctfmen.exe, but the file is created under C:\Windows\SysWOW64\ (see "Drops file in System32 directory"). The sample is a 32-bit process on a 64-bit host, so WOW64 redirects its system32 file writes to SysWOW64 and its HKLM\SOFTWARE registry writes to the Wow6432Node view; that is why the Run key lands under Wow6432Node as well. A hunt rule that compares the Run value literally against file-creation events must therefore treat system32 and SysWOW64 as the same directory. The same value is written twice, once by the first stage and once by smnss.exe.
Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    by smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  by smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1  by smnss.exe
  The values Enum\0 and Enum\1 hold the device-instance IDs of the attached disks, strings that embed the vendor and model names virtualization products expose for their virtual disks. Both the first stage and smnss.exe read them; the report does not show what was done with the result, so the sandbox-detection reading is the signature's interpretation, not an observed branch.
Drops file in System32 directory (12 IoCs)
  File created                  C:\Windows\SysWOW64\ctfmen.exe    by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File created                  C:\Windows\SysWOW64\shervans.dll  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File created                  C:\Windows\SysWOW64\grcopy.dll    by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File created                  C:\Windows\SysWOW64\smnss.exe     by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File created                  C:\Windows\SysWOW64\satornas.dll  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File opened for modification  C:\Windows\SysWOW64\satornas.dll  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File opened for modification  C:\Windows\SysWOW64\ctfmen.exe    by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File opened for modification  C:\Windows\SysWOW64\grcopy.dll    by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File opened for modification  C:\Windows\SysWOW64\shervans.dll  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  File created                  C:\Windows\SysWOW64\zipfi.dll     by smnss.exe
  File created                  C:\Windows\SysWOW64\zipfiaq.dll   by smnss.exe
  File created                  C:\Windows\SysWOW64\smnss.exe     by smnss.exe
  The first stage drops two executables (ctfmen.exe, smnss.exe) and three DLLs (shervans.dll, grcopy.dll, satornas.dll). smnss.exe then re-creates its own image path and adds zipfi.dll and zipfiaq.dll, so the second stage writes components the first stage did not; a cleanup list built only from the first stage's writes would miss them.
Drops file in Program Files directory (64 IoCs)
  All 64 entries are "File opened for modification" by smnss.exe (PID 2724). Grouped by directory:
  C:\Program Files\7-Zip\Lang\ (36 files): kk.txt, lv.txt, mng2.txt, uk.txt, gu.txt, kaa.txt, mng.txt, id.txt, io.txt, kab.txt, sq.txt, sr-spl.txt, af.txt, fa.txt, ps.txt, an.txt, tr.txt, hr.txt, nb.txt, si.txt, ba.txt, hi.txt, co.txt, va.txt, es.txt, is.txt, bn.txt, de.txt, ro.txt, sv.txt, sl.txt, fy.txt, it.txt, yo.txt, he.txt, ku.txt
  C:\Program Files\7-Zip\ (2 files): History.txt, readme.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\ (9 files): ipssrl.xml, ipschs.xml, ipsita.xml, ipsptb.xml, Content.xml, ipssrb.xml, ipskor.xml, ipssve.xml, Alphabet.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ (10 files): main\baseAltGr_rtl.xml, main\zh-changjei.xml, main\base_heb.xml, keypad.xml, numbers.xml, symbols.xml, auxpad.xml, osknumpad.xml, oskmenu\oskmenubase.xml, web\webbase.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\ (1 file): Orange Circles.htm
  C:\Program Files\DVD Maker\Shared\ (1 file): Filters.xml
  C:\Program Files\ (1 file): DisconnectMove.php
  C:\Program Files\Java\jdk1.7.0_80\ (3 files): db\RELEASE-NOTES.html, db\README-JDK.html, jre\lib\jvm.hprof.txt
  C:\Program Files\Google\Chrome\Application\ (1 file): chrome.VisualElementsManifest.xml
  Every target is a plain-text or markup file (.txt, .xml, .htm/.html, .php); no executables or DLLs under Program Files are touched. The report records only that the files were opened with write access, not what, if anything, was written, and the signature caps at 64 entries, so the true count may be higher.
Program crash (1 IoC)
  PID 2976  WerFault.exe  crashed process: PID 2724 (smnss.exe)  procid_target 29
Modifies registry class (6 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  by 042134ec70a227af1bab301e0b094cc0_NEIKI.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  by smnss.exe
  The default value of a CLSID's InprocServer32 key is the DLL that COM loads into any process that instantiates that class; because the key is under Wow6432Node, this affects 32-bit clients. Pointing it at the dropped shervans.dll gives the sample a code-loading path that does not depend on the Run key and that fires whenever some other 32-bit program uses the class. The report does not say which component this CLSID normally belongs to, so check the pre-infection value on a clean host before treating it as a hijack of a specific shell or system class.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2724  smnss.exe
  SeDebugPrivilege lets a process open other processes for read, write and thread creation regardless of their DACLs. Only smnss.exe enables it; the report shows no subsequent cross-process write to anything but the WerFault.exe it spawns, so the privilege was obtained but its use is not evidenced here.
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2240 (042134ec70a227af1bab301e0b094cc0_NEIKI.exe) wrote to memory of PID 2580 (ctfmen.exe), procid_target 28: 4 events
  PID 2580 (ctfmen.exe) wrote to memory of PID 2724 (smnss.exe), procid_target 29: 4 events
  PID 2724 (smnss.exe) wrote to memory of PID 2976 (WerFault.exe), procid_target 30: 4 events
  Each writer is the parent of its target in the process tree below, and there are no writes into processes outside the chain, so these entries mirror process creation along the chain rather than injection into an unrelated process.
Processes

  C:\Users\Admin\AppData\Local\Temp\042134ec70a227af1bab301e0b094cc0_NEIKI.exe  (PID 2240, level 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\042134ec70a227af1bab301e0b094cc0_NEIKI.exe"
    Loads dropped DLL
    Adds Run key to start application
    Maps connected drives based on registry
    Drops file in System32 directory
    Modifies registry class
    Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ctfmen.exe  (PID 2580, level 2, child of 2240)
      command line: ctfmen.exe
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\smnss.exe  (PID 2724, level 3, child of 2580)
        command line: C:\Windows\system32\smnss.exe
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Maps connected drives based on registry
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe  (PID 2976, level 4, child of 2724)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 824
          Loads dropped DLL
          Program crash

  The chain is the submitted sample, then ctfmen.exe, then smnss.exe, each stage started from a file the previous stage dropped into SysWOW64. ctfmen.exe is started by bare name and smnss.exe by a system32 path, and both resolve to the SysWOW64 copies because the launching processes are 32-bit. WerFault.exe is the Windows Error Reporting handler invoked for the crash of PID 2724 (-p 2724), not a component of the sample; no further processes are recorded after it, so the observed behaviour ends with smnss.exe crashing inside the 144 s kernel window.
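The two persistence mechanisms above (a Run value and a CLSID InprocServer32 value, both pointing at files the sample dropped) are easy to miss with literal string matching because the registry values say system32 while the file-creation events say SysWOW64. The following is an added example, not code from the sandbox or from the sample: it reconstructs the relevant events from this report's IoC tables as hand-built tuples in an assumed (event, pid, process, target, value) schema, adds one constructed benign control event, and flags registry persistence that references a file created earlier in the same trace, folding the WOW64 system-directory aliases together so the two spellings compare equal.

```python
"""Correlate dropped files with registry persistence in sandbox-style telemetry.

Added example for this report, not code from the sandbox or the sample. The
event tuples are constructed by hand from the IoC tables above; the
(event, pid, process, target, value) shape is an assumed schema, not a real
log format. One benign control event is included to show a non-match.
"""
import re
from dataclasses import dataclass

SAMPLE = "042134ec70a227af1bab301e0b094cc0_NEIKI.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen"
INPROC_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
              r"\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32" + "\\")

# Constructed from the report's IoC tables: (event, pid, process, target, value)
EVENTS = [
    ("file_create", 2240, SAMPLE, r"C:\Windows\SysWOW64\ctfmen.exe", None),
    ("file_create", 2240, SAMPLE, r"C:\Windows\SysWOW64\shervans.dll", None),
    ("file_create", 2240, SAMPLE, r"C:\Windows\SysWOW64\grcopy.dll", None),
    ("file_create", 2240, SAMPLE, r"C:\Windows\SysWOW64\smnss.exe", None),
    ("file_create", 2240, SAMPLE, r"C:\Windows\SysWOW64\satornas.dll", None),
    ("reg_set", 2240, SAMPLE, RUN_KEY, r"C:\Windows\system32\ctfmen.exe"),
    ("reg_set", 2240, SAMPLE, INPROC_KEY, r"C:\Windows\SysWow64\shervans.dll"),
    ("file_create", 2724, "smnss.exe", r"C:\Windows\SysWOW64\zipfi.dll", None),
    ("file_create", 2724, "smnss.exe", r"C:\Windows\SysWOW64\zipfiaq.dll", None),
    ("reg_set", 2724, "smnss.exe", RUN_KEY, r"C:\Windows\system32\ctfmen.exe"),
    ("reg_set", 2724, "smnss.exe", INPROC_KEY, r"C:\Windows\SysWow64\shervans.dll"),
    # Constructed benign control: a Run value for a file nothing in the trace created.
    ("reg_set", 4000, "setup.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Program Files\Vendor\updater.exe" /quiet'),
]

RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
INPROC_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32\\?$", re.I)
SYSDIR_RE = re.compile(r"^(c:\\windows\\)(system32|syswow64|sysnative)\\")


def normalize_path(path: str) -> str:
    r"""Lower-case, strip quotes, and fold the WOW64 aliases of the system directory together.

    A 32-bit process writing C:\Windows\system32\x.exe on x64 Windows actually creates
    C:\Windows\SysWOW64\x.exe (file-system redirection), so a Run value that says
    system32 must compare equal to a file-create event that says SysWOW64.
    """
    p = path.strip().strip('"').lower()
    return SYSDIR_RE.sub(r"\1<sysdir>\\", p)


def extract_image(run_value: str) -> str:
    """Pull the executable path out of a Run value, which may be quoted and carry arguments."""
    s = run_value.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r".*?\.exe", s, re.I)
    return m.group(0) if m else s.split()[0]


@dataclass
class Finding:
    rule: str
    pid: int
    process: str
    key: str
    value: str
    dropped_by: tuple  # (pid, process) that created the referenced file


def find_dropped_autoruns(events):
    """Flag registry persistence that points at a file created earlier in the same trace.

    run_key_to_dropped_file:            a Run/RunOnce value whose image is a dropped file
    com_inprocserver32_to_dropped_dll:  a CLSID InprocServer32 default naming a dropped DLL
    Events are processed in order, so only files created before the registry write match.
    """
    dropped = {}   # normalized path -> (pid, process) of the first creator
    findings = []
    for kind, pid, proc, target, value in events:
        if kind == "file_create":
            dropped.setdefault(normalize_path(target), (pid, proc))
            continue
        if kind != "reg_set" or not value:
            continue
        if RUN_KEY_RE.search(target):
            image = normalize_path(extract_image(value))
            if image in dropped:
                findings.append(Finding("run_key_to_dropped_file", pid, proc, target, value, dropped[image]))
        elif INPROC_RE.search(target):
            dll = normalize_path(value)
            if dll in dropped:
                findings.append(Finding("com_inprocserver32_to_dropped_dll", pid, proc, target, value, dropped[dll]))
    return findings


if __name__ == "__main__":
    for f in find_dropped_autoruns(EVENTS):
        print(f"{f.rule}: PID {f.pid} ({f.process}) set {f.key} -> {f.value}; "
              f"file created by PID {f.dropped_by[0]} ({f.dropped_by[1]})")
```

Run against the reconstructed events this yields four findings, two per stage: the first stage and smnss.exe each register both the Run value and the InprocServer32 value against files the first stage dropped, while the constructed updater.exe control produces nothing. Keying the drop table on the normalized path is what makes the system32/SysWOW64 mismatch in the report harmless; without that fold the Run-key rule would never fire on this trace.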
Network
MITRE ATT&CK Enterprise v15
Downloads

  File 1
    Filesize: 183B
    MD5: d317180eb5533232b07a791862f6d08f
    SHA1: f8e8bca60a4294d5a5ab3d92b3685250e47d0fde
    SHA256: 2445c8e748dd63b6be95d4f2982feb581e2d033d67781da36ab7e372f10811e2
    SHA512: e5eb4fc615cf9842f7bad1a7b18e77c82753fa130f146b59ed5437ad6c44d4d2a9e53cbd7ab51560ccdeb55c271526667c89a4f6bde76de5a6bc44679b229c9f

  File 2
    Filesize: 4KB
    MD5: c77c726724aced79dcca11690a67647e
    SHA1: 0e7c001b69264aa0dc90d566dc19416ba4160b21
    SHA256: 4db182cb79a4f893ce7cde6148ad83f7b2ea29d17279a1d122c23805e51f4433
    SHA512: 3dcf59db12c30671662a3b6bb50d55959811174efdc0da4cb691000dd76d88553e1f010ecdabb13a61031725fec75e4fa18b0cbc8df6987f86f1f95d57b8fe07

  File 3
    Filesize: 8KB
    MD5: c98cebbbab5e0967b9432d63de5da939
    SHA1: 9cf9da37cc196e3f66dc31158a67756c0c86fb30
    SHA256: e53410df35a78900e77e270b2f389f7739faf0dc72dbb14ad325615ee21a9d43
    SHA512: c10828e1c92140d4d4a842170b927129e9535ec9bd6ce1fb79a32aee37630fff3ae1a85d1bb7c537a03819806ce29e8370f7b8dbdc0b62fa2a37f3e67d9aadfd

  File 4
    Filesize: 120KB
    MD5: a7ccf6851d8871ce20f6640f7d81dc36
    SHA1: 417d01142d18204e30490e81a3dfa5bd74157c23
    SHA256: e882caf66b7f53a85f55cca89d11a0185b026685f79ae43405490d8789496af5
    SHA512: c9e5574e31e06f4c78c05b5a273ab0ccc547886d8d04f0103460f45577954c5591c42e9179335ccc6b712a5cb807d33b260f309a8ea051828dd9006bb1063ba4

  These are files collected from the run; the page does not pair them with the dropped paths listed under "Drops file in System32 directory". File 4 matches the submitted sample in size (120KB) but not in any hash (MD5 a7ccf6851d8871ce20f6640f7d81dc36 against the sample's 042134ec70a227af1bab301e0b094cc0), so it is not a byte-identical copy of the sample; hash-based blocking of the submitted file alone would not cover it.