cb50a18f1b43ef640da4109a3f2fc896cec872ff6a7459b55264629bd69f37f6

Analysis

max time kernel
91s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Size

119KB
MD5

1d06cc93cb0dde13c72500003b1435a0
SHA1

e3653d9b4f96a76a7839ff0e1acf4bad66485cab
SHA256

cb50a18f1b43ef640da4109a3f2fc896cec872ff6a7459b55264629bd69f37f6
SHA512

fd38280237a72755fbc0c79af3c0a69b2b76d893126e86afbe24aec48cca3b7dfed620d7d5d815d8e97757d22cc969d04feda4f6723239e1f3507da49ea39f36
SSDEEP

3072:vOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:vIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023419-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1056	ctfmen.exe
5016	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
5016	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shervans.dll	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\grcopy.dll	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\DisableRestart.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1536	5016	WerFault.exe	85

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1056	2160	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe	84
PID 2160 wrote to memory of 1056	2160	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe	84
PID 2160 wrote to memory of 1056	2160	1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe	84
PID 1056 wrote to memory of 5016	1056	ctfmen.exe	85
PID 1056 wrote to memory of 5016	1056	ctfmen.exe	85
PID 1056 wrote to memory of 5016	1056	ctfmen.exe	85

C:\Users\Admin\AppData\Local\Temp\1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d06cc93cb0dde13c72500003b1435a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1368
      4⤵
      Program crash
      PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
82751a24e164e57ec83ae22ba51ebabf

SHA1
b2ac0c935f0d32fdc44dc644d662296768d7fa48

SHA256
21b9e9c0c00cf9cb897e7ca0e615addc8061b846595ac355b14919edd8c390be

SHA512
93e5b15853241d36fdde8c1db4e37b79c901a642f2fdd38bb34920baf5113c03f27ffd83e690ef9e977b8e788e4095a64116e976e1f1dc20942423b219dbf17a

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
119KB

MD5
66f64cdbc18aa3918defde821497017a

SHA1
05d88bc04ea0f2603efa3ec0562d049d1ad6812f

SHA256
78c52e6332595caafdd9f8cf0727c5c8fcc673f21d4953bc971e7d4a57e775a0

SHA512
72100ab52482bc8f182b7f91e2b6a17489a4343f3cf9ae7ec692d316ac8a817f3d91fa182325f7927e6b99b238f95dbc14e7671bb4f3cc04df7159a67fc3a657

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
d31beccd84ed186c04b7b028f3495a38

SHA1
975c83a32378dc44ab2252bf98e67b2e932f8fa6

SHA256
b7beff2682fc04252e5e78c37241ff9e75c30ace5164ddf9e8b89ba57ad60ce6

SHA512
a8899b71e0464780a079c2e8e1ddab4b271fe78cf88ce728a62a9358faa0b368ba4650925af9cb3e28ddf86141b66b441fdbdd378688f20de9057a5267494270

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
b07ace98131968d5f259c8e052f6ca4c

SHA1
bbe63a19b1477a2e478d054d06c752aba7b918f8

SHA256
99ecd96212100694a54f1b383de63b91e34858ced0bba6825a7092f9b4ab14d8

SHA512
7e4945ad2daefb65eb1f1ff071113f5070c80df347725d0f8badcdd09f8b422baa422886f3969db5de3e8bd1b7b066743b8cdbd67a57840364efcf3fd82f165b

Download Submit
memory/1056-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1056-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2160-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2160-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2160-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2160-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5016-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5016-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5016-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads