3a6be418113938752a3e317b6ca44192402912742751b5c89ba9b1cc3161bd31

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 09:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Size

119KB
MD5

0ae12eb4d86de54faf576fe9d40d2e00
SHA1

e56c4e0f59929edc5cbc01bf5bc73b9981e671ec
SHA256

3a6be418113938752a3e317b6ca44192402912742751b5c89ba9b1cc3161bd31
SHA512

fcc290dc7ced6624abf14de3fd0d529d5663e52d59afdbdc66ab827dad9afe1a7d5bff226753a3f4a358ace709191caae002a11eeba930461f39d92e36125557
SSDEEP

3072:8OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:8Is9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023407-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
920	ctfmen.exe
2488	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
4664	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
2488	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\satornas.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File created	C:\Windows\SysWOW64\shervans.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File created	C:\Windows\SysWOW64\grcopy.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3312	2488	WerFault.exe	91

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 920	4664	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe	90
PID 4664 wrote to memory of 920	4664	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe	90
PID 4664 wrote to memory of 920	4664	0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe	90
PID 920 wrote to memory of 2488	920	ctfmen.exe	91
PID 920 wrote to memory of 2488	920	ctfmen.exe	91
PID 920 wrote to memory of 2488	920	ctfmen.exe	91

C:\Users\Admin\AppData\Local\Temp\0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0ae12eb4d86de54faf576fe9d40d2e00_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1456
      4⤵
      Program crash
      PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2488 -ip 2488
1⤵
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
ffd6ace7071a8b0216a345aaef2bdd21

SHA1
f65b2bc219678dd681c1048a07d37538f1e4f0a9

SHA256
53a7634f4250123395416dfd56a92ed60a683c4ef68e9d7c1bbc7337fac39501

SHA512
864b8559b3a0787bec9c0ff40ac52e3e52e0819235e0fc2804cadcf7e618bfb4f413d058fb08bed447c4409e14892b99ac73fe9377fed58f9f819ac51545b1ab

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
119KB

MD5
d287b757a8d2bebe98f029ab0ffc3c8a

SHA1
b68f97f0af576bc2f70f2bd75664fa39f217c8a7

SHA256
294d340529ab75fe882bf3b3d3cf8b8dc7224555f0acf90990e0f81e12fc055c

SHA512
7cbbdd99f9ac45463e13c097e44592ecb375bc51c4cb883e4adb5eeb36516e4eddf172c575f3248fe0d57178b6a95b1e6206989e8ef4edefd149f852d0f0002c

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
8865a466927224f55a38fb618384614a

SHA1
446a1f892834c2b0c33e1e1d120023828fa6f3b8

SHA256
6fe4101d5f6260b50bf145a889cab591a86114bfea175d683af92f17bb7d0cc3

SHA512
4e7ee9b7839d3d43a779ee8bdd637a7c09821c847e8957cb29533366cfa81386af22a62a1a470d967ce5b0f9dc895be7065b433f07032f14525c72ba656b2e9b

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
3438ea7176d1c0b8a5c199067ee1cdf9

SHA1
10f253c2cbd26464128ee69acf0b06c4cdbf1f6b

SHA256
f4ea0bc8c00659b02d942cb51a6f58881f7b8c164be85da07a7404a710c00dc2

SHA512
9a398c4d0232ae8f2b1644ffd8ef915cb521ee9713c8973f9c2df20e903bbaac491bd56f00a78b672d2e75ee7898aa1a2e759dc4402574837af66bbc81f3b694

Download Submit
memory/920-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2488-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2488-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4664-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4664-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4664-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4664-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads