29637eb025a05b18f5a2c77830df95d61f3dac9a52056d013af6b3e05b0436d4

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Size

118KB
MD5

0304ffc8aa8410101029a1785051ef30
SHA1

1693db8621e8834e70729bc5fb8eef531ce7aca2
SHA256

29637eb025a05b18f5a2c77830df95d61f3dac9a52056d013af6b3e05b0436d4
SHA512

8a5ffe09037ffc68edc34dd3ec53a4752f38798279e5d6422a8ad5c28ff81b7adfa56b21476b75bbee8d33fedd3e2abdf2ff905119c8606dfa77b731feb157b7
SSDEEP

3072:GOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:GIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0036000000015d42-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2604	ctfmen.exe
2664	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2208	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
2208	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
2208	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
2604	ctfmen.exe
2604	ctfmen.exe
2664	smnss.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\satornas.dll	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	2664	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2604	2208	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2604	2208	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2604	2208	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2604	2208	0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe	28
PID 2604 wrote to memory of 2664	2604	ctfmen.exe	29
PID 2604 wrote to memory of 2664	2604	ctfmen.exe	29
PID 2604 wrote to memory of 2664	2604	ctfmen.exe	29
PID 2604 wrote to memory of 2664	2604	ctfmen.exe	29
PID 2664 wrote to memory of 2584	2664	smnss.exe	30
PID 2664 wrote to memory of 2584	2664	smnss.exe	30
PID 2664 wrote to memory of 2584	2664	smnss.exe	30
PID 2664 wrote to memory of 2584	2664	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0304ffc8aa8410101029a1785051ef30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 836
      4⤵
      Loads dropped DLL
      Program crash
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
b7edd76be9102b4cec737ac76b957afd

SHA1
e0509abc180cd0ed63ffd86601b5304a80b8c396

SHA256
c05b4da4f5585a95603aff8f06ab24c5decb9385b8d5d75beb2966ae29c8a25a

SHA512
4692062a526111e81570514a15f7d5abbb0358b6cf2baf66af3c24b551a74cade4b4db790b45ad2fa99568cd7c15201f055583c9658447c4a6db1bf41b7ff03e

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
2e0608e049c4d26f68239e5dedbfa865

SHA1
8ffb4ca070e8686fb0b4139a85a9881e11dc1bad

SHA256
73951748ce7c83b4e2fb5d99d73e5511c4f8ff8fc8736616aae6f9dbd7196d35

SHA512
95447e12fc92f22628407750d1d191e038ce937dcffbaf122f80c77a691c71bb22b8ba25e94cdebc4082c0cdcce8a6adb14a229bacd1a8910fc76abc13f6f2d8

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
902dcd048f744872ae1c3b51f6e526c9

SHA1
dfe23af12bb6d4fd056bd98fb2e50eb4a5dcd022

SHA256
09b6a3fca752a6ade7382cfdfdc33e8e52118d784b016a50c93e486b536b5497

SHA512
9624e752db5d66ee74c8ce606284d8f79b7973e08811d4750caa7d30e59f1876079ab749ef95699660d72af4af91897161a311cc3531254cf170e33cc7190b31

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
118KB

MD5
5612095210fc30b5920bfb9626df1838

SHA1
0f42751de2c80b272a8a0ef106a6b082fa69687f

SHA256
8389bd31958b7d079678a679206bc5d5b3aa752d8acc1fcc634b9db18d24c8dc

SHA512
9cfe9960a8afcaadedab3e299aea3b6756357131b871f79cb26259586b3de5936ca7e497cab70a5bbd1d981c363b9d741995aa6523a5f7f7269f328c3b3e74e6

Download Submit
memory/2208-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2208-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2208-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2208-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2664-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2664-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads