61abd16cfd794078a697944d1ce9fd7a4082e13e0312ef4085a9634838351cad

Analysis

max time kernel
136s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Size

119KB
MD5

1a4701919d0aea3bc8a52e96fa2a3c87
SHA1

18f7f5295ea3cc5d8fe41ad604e1ebf27a50c2ed
SHA256

61abd16cfd794078a697944d1ce9fd7a4082e13e0312ef4085a9634838351cad
SHA512

ea525640411bf1d9e799887266756325a56407f5259bba71a1e5e001bc2aa4c7eb37c7651c536cd1ae4688be9751315dbc0ee2daa44ecb23cd860107ab0f4733
SSDEEP

3072:KOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:KIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023466-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1172	ctfmen.exe
2432	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3500	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
2432	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File created	C:\Windows\SysWOW64\grcopy.dll	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File created	C:\Windows\SysWOW64\smnss.exe	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File created	C:\Windows\SysWOW64\satornas.dll	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
File created	C:\Windows\SysWOW64\shervans.dll	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4496	2432	WerFault.exe	91

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1172	3500	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe	90
PID 3500 wrote to memory of 1172	3500	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe	90
PID 3500 wrote to memory of 1172	3500	1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe	90
PID 1172 wrote to memory of 2432	1172	ctfmen.exe	91
PID 1172 wrote to memory of 2432	1172	ctfmen.exe	91
PID 1172 wrote to memory of 2432	1172	ctfmen.exe	91

C:\Users\Admin\AppData\Local\Temp\1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1a4701919d0aea3bc8a52e96fa2a3c87_NEIKI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1472
      4⤵
      Program crash
      PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
cc516bfae4392c57c1aebf479a68d68b

SHA1
9a0fb0246860334d350f5a8814c1d9caeeaee464

SHA256
a5321609d728bf66dca6c55b7a5d56e8be9611fc9e3aed33880e621b3cc9e2b1

SHA512
ea3ab6f54c9fac9d79c377f148622274469d15c77482a08d0cc56392b56c7ce3851f6dcee94d3419593200fc1d5dde3e89a12a913391f0051a9379b76e183b2d

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
119KB

MD5
a3dfcd9cbec047efb8cdeb342739404e

SHA1
1dc33835da0eb4cd0d67a6510358e3960068e53e

SHA256
a9d5761f76885e6a132e0b686a4cb4f8a0fad89f457008e3854a5cf4d92595ed

SHA512
b888d93852da4055d97679705f4f44e0f32fab8836bfc9fcecc70b10632388d9b6e06d8c401e15704f1f3a1d67472ffcd668de1b6f131ac887241008fec59281

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
d470ffa62bcee189484ea97d437f193a

SHA1
686d95fedc08ce7ddcff9f9292647e06872f4db4

SHA256
93b696fcd643d29ecf72479227e794d54faae08371e9521bd7f63e6a3dd97d10

SHA512
e7203a22482e023ee502fceca5fdddf82650bd66c9c2ee2ece6d7891966c844d285b66f08eadef073d6e2c611fd4c46ae8a503da4974b8ad42f1c01b15061309

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
6420a849dc7fa55a42254d41b7dc8b52

SHA1
39d422905053d8f0fb8814ba4747243c5979334e

SHA256
1db43e1312ab177db2032779efd7f4c1a69850ec5d2ccd97cbc1d341470be603

SHA512
6da6c8a9982b91867c6a25d7a9da6d3202a8576068051875d15408467f813e9ba1401443822d5a9bda206b83f79829869c22fd27ee819a057763016c31e6a203

Download Submit
memory/1172-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1172-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2432-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3500-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3500-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3500-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3500-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads