1d0c64a5fc860798c6dc893c24c216b9f61bf17e4ec520f8fa345a9b918a27de

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Size

239KB
MD5

21a8c11bceca7f899dff4023783d4b50
SHA1

ad5c89eafe80bb8a3889329933cc08cb75a58b4a
SHA256

1d0c64a5fc860798c6dc893c24c216b9f61bf17e4ec520f8fa345a9b918a27de
SHA512

ca6e51893eabe4ab7ae33f35736f4ad40ba94085dbd2b2132f9bb1df984173cdf2624c139dd35160313b98ec04118358ff2a3f83765f6c1c5671c746ebf25987
SSDEEP

1536:Kq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9bc:Kq5ud9qHFO8Kf3rIIbc

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0035000000015609-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2992	ctfmen.exe
2664	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2140	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
2140	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
2140	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
2992	ctfmen.exe
2992	ctfmen.exe
2664	smnss.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	2664	WerFault.exe	30

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2992	2140	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 2992	2140	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 2992	2140	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 2992	2140	21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe	29
PID 2992 wrote to memory of 2664	2992	ctfmen.exe	30
PID 2992 wrote to memory of 2664	2992	ctfmen.exe	30
PID 2992 wrote to memory of 2664	2992	ctfmen.exe	30
PID 2992 wrote to memory of 2664	2992	ctfmen.exe	30
PID 2664 wrote to memory of 2508	2664	smnss.exe	31
PID 2664 wrote to memory of 2508	2664	smnss.exe	31
PID 2664 wrote to memory of 2508	2664	smnss.exe	31
PID 2664 wrote to memory of 2508	2664	smnss.exe	31

C:\Users\Admin\AppData\Local\Temp\21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21a8c11bceca7f899dff4023783d4b50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 832
      4⤵
      Loads dropped DLL
      Program crash
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
4997272090d9364e7832443a8c7406d5

SHA1
f36a07fe53c1c4d1ff7faa2e450a05d6c5e85eb9

SHA256
440fef5f27f6217f8a36dd776310734d85aaa3de40876676842c2731af7863a7

SHA512
b75ab160ca023a09e1969aa520816be0b59223455112498281567a1e5b39a42b1001d79bc5bc1f2c0ee7732a9be6273e4d7ce7b436b6247d03e768f0a1148192

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
5b8a235f0a107642e475d74a382fa2fa

SHA1
d4877516f34dd0560a68a411a50d71481b71a900

SHA256
9f1bae6b4bbb62e05b0f408b3792b2b36393b7423fd035d72eb428858c0ad68d

SHA512
ad12110e50630a0d672afc5cbfdccc02b3f7c89358fd5833fcdcfcb151857c82df9b18c0f9d624f47ada30640950fbf2fdf952cab42831ddec7336b5b8bbab2b

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
df4613fe7896796b8b6496b43296cff4

SHA1
8e243a0304377ed39db4309db269af1101f15074

SHA256
7ee8f276cff3d422669ff200b3cf562fd011e0c85c7c73ef159b0eb527ef7cbf

SHA512
5d0f8e11fc39f2230d63a9b5ad8474e1088a4ea3132a5a0812f5d2424485e655a9d01cd90d1f78e42393890d6642ade1cf28b82fd6be6e35868a435e9cf862c0

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
239KB

MD5
35ad31f13ed1fea6992cf89bc9209e65

SHA1
6d1004df53abbacc55cf5a529ea05e5d59a30090

SHA256
54d1bfb40431d02f1acddfcb2576b1d62e5c1fc60851454762f6730eb2782366

SHA512
e3f2cb51a5769b7622014601a92b0345904f3e4272df14f8cd42ddfde609a5704ff45dac1ead7839371dcd24e22d331ac1724f0d46a480795eb632122372a139

Download Submit
memory/2140-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2140-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2140-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2140-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2140-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2664-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2664-43-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2664-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2992-30-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/2992-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads