83626e2b95e8bdb5fdbb59ac67c5d72c04efbbed5c8b774b3c9db4f7b42a6cdf

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Size

224KB
MD5

22b376166619c3f46ff414669f11d320
SHA1

afcac46fd2e0fd93b42150e8b00423ab7f040557
SHA256

83626e2b95e8bdb5fdbb59ac67c5d72c04efbbed5c8b774b3c9db4f7b42a6cdf
SHA512

67ecdc9d82b98a87fc2ed509f6a6ce7d4365d90e0860d021f303da00075914ce1e2578fc71c2495de802a1d39ff09996a0cae36a60de1966b9e7f02531897782
SSDEEP

6144:1Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtZy:EKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x002a000000015d02-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2624	ctfmen.exe
2812	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2992	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
2992	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
2992	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
2624	ctfmen.exe
2624	ctfmen.exe
2812	smnss.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2528	2812	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2624	2992	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe	28
PID 2992 wrote to memory of 2624	2992	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe	28
PID 2992 wrote to memory of 2624	2992	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe	28
PID 2992 wrote to memory of 2624	2992	22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe	28
PID 2624 wrote to memory of 2812	2624	ctfmen.exe	29
PID 2624 wrote to memory of 2812	2624	ctfmen.exe	29
PID 2624 wrote to memory of 2812	2624	ctfmen.exe	29
PID 2624 wrote to memory of 2812	2624	ctfmen.exe	29
PID 2812 wrote to memory of 2528	2812	smnss.exe	30
PID 2812 wrote to memory of 2528	2812	smnss.exe	30
PID 2812 wrote to memory of 2528	2812	smnss.exe	30
PID 2812 wrote to memory of 2528	2812	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22b376166619c3f46ff414669f11d320_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 828
      4⤵
      Loads dropped DLL
      Program crash
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
0225a7995382c57b5a6811506b1a201c

SHA1
b26752d9cb542b8ddd95c45b39b20414791c2bf2

SHA256
8bb4fcd85d88b868542f65bcc779fadca0ab475df707638af8258174dd33eeb5

SHA512
e7c8ce1e8d9fc7d9367a654df0424adf655ea7d65df425986ed13db56ec7028eb7086cc8de58c673d3a7c1ab2f79b93f466635ee6449be3a8d43eb5a2712245c

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
e1fc388dea6f7704e9f2873b64214641

SHA1
68d78dae26e59761ae437e140f06be6b58dead91

SHA256
60c56aedad51249f9b6cde3c1ef5f7bffc3b23aa0b16f94ac0db062b0dd6aaf4

SHA512
d8cc866ee38bbe5c6e674037f62736f2eba2c26f6c3b908af85488dd0f133411318b503522fd183accedaa42b3aa848cb942754726b64dbd277bf1eac07c7414

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
fd15609fc0feb0824ed32a08a93a1f96

SHA1
9f4595dd45779415866900e32ee9a035728118d3

SHA256
41d62f6fc2e863ea46b577fb492db4d9f20234f7ac75751e08cdae0d2f1af930

SHA512
132890c69a29ff15e787958d630f7392d11185298f973c5bd3016563b64000e8d93cc892355bd00ddc0ff56130b52c2a1bff406874f4029dc3675012d1478578

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
224KB

MD5
7b35e3134017dab5f2b1fe5546aae98f

SHA1
49fe2c24df86764afa43a04c2eb74e0e1d8aa81a

SHA256
5e9cc46102dec6d147fb572cda6109031a7d6c4a1203e6e67dee0c6db513f5b5

SHA512
c66daafe07e587d9a0aa768f4bdf1b8beea1698130be34a66b1ac167103ca9fb10efec744fa42dea82bf0820c5abf01cfe041710eb93b48be7edc819e2423fcb

Download Submit
memory/2624-28-0x00000000003C0000-0x00000000003F2000-memory.dmp

Filesize
200KB

Download
memory/2624-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2812-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2812-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2992-1-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2992-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2992-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2992-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads