8ee5d92d788815b08bc58f6ed3b2ff3eca992f33cd87971134c6bb026c0895c9

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Size

75KB
MD5

5f643ed40d4fd1ea692d743a94edea70
SHA1

b7739f4b32debf219a5d207006c92dab9b1bf2ae
SHA256

8ee5d92d788815b08bc58f6ed3b2ff3eca992f33cd87971134c6bb026c0895c9
SHA512

ef2a91f3629468259377a48a88d3ec76396b13a296d28ab8f00bf9720698856b16d15d8ac073d3f9f7c841a90362bd5180f1aa9edcb5370006dda4c5fc7ea724
SSDEEP

1536:gx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:IOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00350000000144e9-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2512	ctfmen.exe
2564	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2012	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
2012	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
2012	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
2512	ctfmen.exe
2512	ctfmen.exe
2564	smnss.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\CloseGet.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	2564	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2512	2012	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2512	2012	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2512	2012	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2512	2012	5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe	28
PID 2512 wrote to memory of 2564	2512	ctfmen.exe	29
PID 2512 wrote to memory of 2564	2512	ctfmen.exe	29
PID 2512 wrote to memory of 2564	2512	ctfmen.exe	29
PID 2512 wrote to memory of 2564	2512	ctfmen.exe	29
PID 2564 wrote to memory of 2956	2564	smnss.exe	30
PID 2564 wrote to memory of 2956	2564	smnss.exe	30
PID 2564 wrote to memory of 2956	2564	smnss.exe	30
PID 2564 wrote to memory of 2956	2564	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f643ed40d4fd1ea692d743a94edea70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 844
      4⤵
      Loads dropped DLL
      Program crash
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
c993ebf9c88e96afc83329ad84d1287c

SHA1
157e45b82a9d1aeebaeeb1fb34eedc3083400c26

SHA256
21e8e0b20502a69b88ddd6b498aedb3edfa3882de58ddce4a9a1d161869a4a68

SHA512
5f51b4cd4c187137929478589f71cffe65eef6587985974907f31e5a4e3c558ef406b10fd883d9ae78637c7e33e081f625f80308c13ff41ff0ec851e92c26e1e

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
00de98fa048712850c3acb46f9e9e0b7

SHA1
07ac18695a3e3c8db7b4966c58be4c5a6ce6103f

SHA256
02071736030bc1ec5f9d96ddc135f362111b3b44aebe7b16b7d14b5b4ff80d38

SHA512
082d37bf3f779a7b6fa2df5e03dbb708729bd64f6dbf1aa5ca46c15d99df9f157805de8badad510f2298816102fd3a7b1b1a5d76607b5931ae9380d5e9e1fd69

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
a491fca162662a84e371966cfcd9a91f

SHA1
1c416519e9b8eb3af8366d84a9fc83b6bbbed149

SHA256
4cd22fd3c156d1efbc6c65277eaf53714634f66a528ad459e4deee312fc28af3

SHA512
ce1d4675a5dfa9ff72ce97bc5529fcbb87025011c7ebba9087de4877af59d5a8a07d093f2805557a5bda7759aad5c4af888d98ff0349916d4b732c780b1e3f99

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
75KB

MD5
6168ffa6a90efa5a5bb6e6ba6aa31002

SHA1
a46d51c76d1a646310601a3c640043ccbaca4aab

SHA256
24ca3a579670e9ee32bb9fda2c480fe95b39dc0217d353c1cde9d31b16aa72e5

SHA512
1a7ba93a6dbe127c68ddbf3e87b1a2f03e84c33397c1b1f58e1947c3c4c911cf65c0406531e020636aafd505deb26611db70dc60d019f8f66a9291d58fecbefb

Download Submit
memory/2012-15-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2012-17-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2012-26-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2012-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2512-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2564-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2564-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads