3a6be418113938752a3e317b6ca44192402912742751b5c89ba9b1cc3161bd31

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Size

119KB
MD5

0ae12eb4d86de54faf576fe9d40d2e00
SHA1

e56c4e0f59929edc5cbc01bf5bc73b9981e671ec
SHA256

3a6be418113938752a3e317b6ca44192402912742751b5c89ba9b1cc3161bd31
SHA512

fcc290dc7ced6624abf14de3fd0d529d5663e52d59afdbdc66ab827dad9afe1a7d5bff226753a3f4a358ace709191caae002a11eeba930461f39d92e36125557
SSDEEP

3072:8OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:8Is9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000015018-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2764	ctfmen.exe
2360	smnss.exe

Loads dropped DLL 6 IoCs

pid	Process
2004	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
2004	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
2004	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
2764	ctfmen.exe
2764	ctfmen.exe
2360	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Language_Keywords.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_data_sections.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\Amd64\KYW7QUR6.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_arrays.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_hash_tables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_eventlogs.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_try_catch_finally.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WS-Management_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_preference_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500nt.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_modules.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa610t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Arithmetic_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_locations.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4100t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk5400t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_requirements.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Comment_Based_Help.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1360t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_environment_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5500t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7600t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_aliases.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\erofflps.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Return.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO4PG3L.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_prompts.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Line_Editing.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF4A63L.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Arithmetic_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2600T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_providers.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\MigApp.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comment_Based_Help.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_prompts.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOF300T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc650X.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_escape_characters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Ref.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_execution_policies.help.txt	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\Office64WW.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN111.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMAIN.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Rules.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_requires.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_debuggers.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskpred.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO3200T.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_debuggers.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Quoting_Rules.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipscat.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4080c452718ce6e7\Rules.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_trap.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO0410T.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Return.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_locations.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..ied-chinese-quanpin_31bf3856ad364e35_6.1.7600.16385_none_f79af98021986eab\TableTextServiceSimplifiedQuanPin.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_While.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_script_blocks.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_escape_characters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b7c1292c822004f6\flyout.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a9549b67c137efeb\cpu.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Comment_Based_Help.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpn5150t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_wildcards.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\GlobalInstallOrder.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\Report.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_History.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c3672adaf7f9b591\weather.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-18.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_modules.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sonic-sonicxml_31bf3856ad364e35_6.1.7600.16385_none_473b7f0d0af85d51\sonic.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..cationnotifications_31bf3856ad364e35_6.1.7600.16385_none_737951ab23cf8ea0\locationnotificationsview.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Rules.System.Performance.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\WebDAV_schema.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_pssession_details.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\Report.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-19.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_655452efe0fb810b\GlobalInstallOrder.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO2600T.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_pipelines.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\en-US\Report.System.Memory.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_91dde3f80ea85a5a\Report.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-4.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_es-es_43f7c2ea0646a637\Report.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fd3784c9b57cdcbf\picturePuzzle.html	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\Rules.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-5.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-14.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_For.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_functions_advanced_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Ref.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7fa92a4e1adcf67f\settings.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-12.htm	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.Network.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Foreach.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_methods.help.txt	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	smnss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2764	2004	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe	28
PID 2004 wrote to memory of 2764	2004	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe	28
PID 2004 wrote to memory of 2764	2004	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe	28
PID 2004 wrote to memory of 2764	2004	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe	28
PID 2764 wrote to memory of 2360	2764	ctfmen.exe	29
PID 2764 wrote to memory of 2360	2764	ctfmen.exe	29
PID 2764 wrote to memory of 2360	2764	ctfmen.exe	29
PID 2764 wrote to memory of 2360	2764	ctfmen.exe	29

C:\Users\Admin\AppData\Local\Temp\0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
8c94a17569f2c20139a6f71bac89ca65

SHA1
774e05e622a8599021e9928a10d66566d228539f

SHA256
700f117c75ce3d6a0e0ffc8a6307c51d01e70e49a8ab55705929391e9ac5a8c6

SHA512
88f16d8c20e3a649cff9b2e64fede27bb2d499643187af1c7abe0740cd622a6cf4e03d362c338e7afdeefd4f2d1b4f68001e09d35042d8ec173b3c1f8e958e42

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
0d5c6fcc46db7a72f0cf8a427d85bb68

SHA1
ea8753f83cd0746c61bcef2a043e0ee9d28f0c0d

SHA256
a32cb4f8fb7191872cfaceda526ee88d084ecc95f03f7d414bd749e21c1f247b

SHA512
ec9acaa453eb2e00c019ba8b70c4f5d71bdc762248225d1bb219505ea392714acfd4b7873220f5023d119d605691df57949b3b432e1e473de020872328bf5cef

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
7d3bcfa8435c8bbba3122c6950884470

SHA1
bbe3c50ac99d8bd7e78e09fde55488c9e4135c28

SHA256
0267ab27dcab27ac16472cb7aed0f97115c39ce1c486628152ffb4c2543a9a8b

SHA512
119a127858a30ea6e34d6b1fdd473083992aecaf4e0bdea4fccea836447c823f5e2d2b5db5069aeb26473616ba69d2ead9fcbb041aa87ed6f0bd2e72fb067839

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
80abc4be9922f51af6f35fcd018394ff

SHA1
b0dafdfa7d56d6b3ac43a17cc96f9103624203e4

SHA256
25fae13ae0e68d9aaec8fa792f327bb0b3d29a24f9414539c9b26dc90123aa2a

SHA512
c10096c80298265f43b3f82907360c12a757852904d97df1c7cdaf1848ef197e024400c57b0827e9fec03170c39767bfa174bfb38a83b22f30dd9306ea88a671

Download Submit
memory/2004-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2004-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2004-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2360-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2360-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2360-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2764-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2764-30-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads