3c7346e1e562011176dcfde3456cc32cfcad4740bcf5035c3ada6720c8504bee

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Size

352KB
MD5

2cb74394d8416eb30bd17c808e325020
SHA1

af1d21c8bbdefd6243771480c89804a7de75cb6b
SHA256

3c7346e1e562011176dcfde3456cc32cfcad4740bcf5035c3ada6720c8504bee
SHA512

09fc21d2d6d93f2d6f3aaf9cd53af520ab153e42e31da64c91f015866f62f0993c6ab7c1c5657f1138d6b9e3fca813f43294691b76222dbd0757ae8e9bd22898
SSDEEP

6144:LIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:eKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000002340a-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3120	ctfmen.exe
1896	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
1896	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smnss.exe	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3176	1896	WerFault.exe	89

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 3120	1752	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe	88
PID 1752 wrote to memory of 3120	1752	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe	88
PID 1752 wrote to memory of 3120	1752	2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe	88
PID 3120 wrote to memory of 1896	3120	ctfmen.exe	89
PID 3120 wrote to memory of 1896	3120	ctfmen.exe	89
PID 3120 wrote to memory of 1896	3120	ctfmen.exe	89

C:\Users\Admin\AppData\Local\Temp\2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2cb74394d8416eb30bd17c808e325020_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1484
      4⤵
      Program crash
      PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
43e31fe6a87cfda1453e100fa723e3c2

SHA1
e6ce36da7a41814702f605eb8ac485f4a340889c

SHA256
80e4bb8fd11491a6b55b15b1adadda944b5b2925043d8c3956675510027132b6

SHA512
a2587ca6e221ad1d6fa2835d80ccc4d900471d174641f2ed7197cb88a3c5ccee944a74dda667b84e13518b4e6dacff0fe9e0f96b5c8058a7296b48c589559c8d

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
352KB

MD5
a24be5cdd0a61f004a74a063b9f94460

SHA1
ce530d50e41bba87efe8765b5fe8a59acc9ae14f

SHA256
864375750d0ca23a45e88d314be0771c4b7365b1f9716a5ca663e59467f46d24

SHA512
02184a2a45c9061b60533dc2eca681fe1b367d89d08d270c23e3102a5d236a61d3774c2ad01e31902b7fe72d842ef153b8f90d8c97463f26e32e2d21abc6cdd9

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
8fba51ed14c13322f84caabd54cc9027

SHA1
2953dd3a4c0a6f48400536d0a00316563f05d496

SHA256
9f017d64a5109d5860bef4fc59804961f041f79913c27a534a7e497413453dc2

SHA512
d7a67a934087682bca3c62dd6e5447535057143b66c83d67b9b68887a5ffe5350310b65ec5ff996b9d80998d95a188e386f125cd2b6b7bc8a8fb108ade15f920

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
156213f33d3dccfc06700814164c336c

SHA1
dd10559a609d8daef0e24b038361aff87ae2df8f

SHA256
924bf9c4a4b113406231d8f91a5e7f79eeb539a09ac97cb5181781f9b56029e7

SHA512
056159bcb95269d8afd2e9f06428e7d95e1ded3e08752da416dd7b3270c1c07016cade4b5ece134d23cb3fb234f17ec871650c204137ddd81bc74960fbf15620

Download Submit
memory/1752-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1752-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1752-23-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1752-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1896-30-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1896-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1896-39-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3120-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads