feca35e6eb379f5f95b61ea40f614aff7f04f3c7ba254c4525374cd9a4788431

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Size

119KB
MD5

a65f484d74b8a95687959090b87f3140
SHA1

a2b9c70169d83854106ffa999e18ce74938e3aa1
SHA256

feca35e6eb379f5f95b61ea40f614aff7f04f3c7ba254c4525374cd9a4788431
SHA512

530156a9a9239b1b4b03e9ec0d2cf1f3e3603ffbd71b5dbf6c86c428b325d979390c64519eef3761084240aa62039313ddc413725f2f9bc7cd9b5c3bfba5cb39
SSDEEP

3072:vOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:vIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x003700000001448b-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2700	ctfmen.exe
2616	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2204	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
2204	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
2204	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
2700	ctfmen.exe
2700	ctfmen.exe
2616	smnss.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	2616	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2700	2204	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe	28
PID 2204 wrote to memory of 2700	2204	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe	28
PID 2204 wrote to memory of 2700	2204	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe	28
PID 2204 wrote to memory of 2700	2204	a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe	28
PID 2700 wrote to memory of 2616	2700	ctfmen.exe	29
PID 2700 wrote to memory of 2616	2700	ctfmen.exe	29
PID 2700 wrote to memory of 2616	2700	ctfmen.exe	29
PID 2700 wrote to memory of 2616	2700	ctfmen.exe	29
PID 2616 wrote to memory of 2656	2616	smnss.exe	30
PID 2616 wrote to memory of 2656	2616	smnss.exe	30
PID 2616 wrote to memory of 2656	2616	smnss.exe	30
PID 2616 wrote to memory of 2656	2616	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a65f484d74b8a95687959090b87f3140_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 824
      4⤵
      Loads dropped DLL
      Program crash
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
362d35b6b6ff24ead16b8d8d5b38e033

SHA1
fe11262fe4a51d485994c06dcb924e3272d6fc54

SHA256
54856dfae105a121e1b8bf51c3f786c5002b2c639991b9ce63dc8b36385c09e9

SHA512
7478d8577e98a4b8c61fc0436c3d1efd5be4f397235e284693a0ea0e453e95e429411ecb2131962106a80fc7714416ba87d900da53159832483d3c932bac7ebf

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
ba8e66d64832bff5929a1bfb1d015631

SHA1
c4ebf117352e14ad2de3a4b0176e9db0b3f28cf1

SHA256
775cc86a4128a86c55652c574e44e10dd0f2d79dd78d83256c88478bd8f74d22

SHA512
8d4f370924c85813711d53f8f45cb55ee05f12d7446daa72aa502bfa2015f57e88c8ba29870b351029c5fda56d419b322c4b751c63e1a776227ed417c62ad9d9

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
dfdb4df02388ef6f03a2416a490fb27f

SHA1
39f7e7ec9e825b0a6ddf56db333f913f229322df

SHA256
0c412103bea0943b97988a682b5e6c63e4a7950f014ef18dc8172bcd8c18ffa4

SHA512
c28af80cb84904a454fb158f1f9de7351bbc37189f0bcc724a3ff84b85c71dd1a8619257cfbf061bb33f7391750ee57f7ccd5dc33a0978b3fd48b71a4bf0ad08

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
a889e8bcb26c9d1db4d1971f62a1929a

SHA1
81760c653cf49d845fd54ae33050f310cca15dbd

SHA256
840ad710a58b5fa99cf73be5fedf4b7cf0ca31ca71a1d46bd8b56440158897b1

SHA512
53dee4239ad7aa6aaa02ec1f0a8c8aa591c31d80fe4ecff35a9a18e440b05b39e0295afe0dbaf85c7d125d34d27603d90bc1064d5bb8b34f84cfa6567eaef0cd

Download Submit
memory/2204-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2204-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2204-26-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2204-18-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2204-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2204-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2616-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2616-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2700-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads