f4b026d4a3d130dc765bfbc002f808eb1b6d11d2cc383bf26365425935b40566

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Size

75KB
MD5

3137de807cb2fd299ef193650e21ecc0
SHA1

381beb442aea761d21d3aaff1f78c235b1b93aad
SHA256

f4b026d4a3d130dc765bfbc002f808eb1b6d11d2cc383bf26365425935b40566
SHA512

f89f93fada3a2e9a65d4d0030b171355b77b7b42554536a641b470a8298ac26237e274b3e1dd301842ef823aff35e52eb43b92a96b2330fb4e1cbab3bc7110f5
SSDEEP

1536:Ux1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:8OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000167d5-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3024	ctfmen.exe
2148	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
1712	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
1712	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
1712	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
3024	ctfmen.exe
3024	ctfmen.exe
2148	smnss.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\satornas.dll	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	2148	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3024	1712	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 3024	1712	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 3024	1712	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 3024	1712	3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 2148	3024	ctfmen.exe	29
PID 3024 wrote to memory of 2148	3024	ctfmen.exe	29
PID 3024 wrote to memory of 2148	3024	ctfmen.exe	29
PID 3024 wrote to memory of 2148	3024	ctfmen.exe	29
PID 2148 wrote to memory of 2468	2148	smnss.exe	30
PID 2148 wrote to memory of 2468	2148	smnss.exe	30
PID 2148 wrote to memory of 2468	2148	smnss.exe	30
PID 2148 wrote to memory of 2468	2148	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3137de807cb2fd299ef193650e21ecc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 844
      4⤵
      Loads dropped DLL
      Program crash
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
52b99ebb7c65931967bbed19b43ec028

SHA1
0bd55f9c06f749fefae7d9246a740217297143a8

SHA256
913c11ae880017d9e9909469a2f9d326c100605521836677e55494b485dc374e

SHA512
43086f5c24bae05a9c6d09f074e0c4ca3c69652e27a4045f6abde8022d66a18fa9d973784247ccfd4e78e641fa8dd466b24abc6dc600f34275438e151df2f677

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
75KB

MD5
184aa4ae8db2bbca76ca57c4e0c3792e

SHA1
f3fbfab4b392636431e9dff65feb42006bbfe4fd

SHA256
a502608409d912f22622df3461bf0bf15ea7279dc2942bccbee9c903e82a8509

SHA512
992e1510c5682f722f38504b90746d95503f58f94d6a312fc85ffcc163965cc702b998d56894c6ab4787a0da00473ea1bb81a196f4ecb086589ff39259cc59aa

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
26af8a7c4cf8146b18d0d9fe77d40760

SHA1
304791beb748df64c576749716d2345a662dbc5d

SHA256
e3f1324abbbcc65c89452b830d70a4a463cf817b0489523670376b4ca51fc586

SHA512
9f38129fbc383854d601b4455e220b2a36a03fd882384334fc132ec1ef0a45228c01b89d6f3cc89b6557ea5ee4f7c13e87ad5f39194cc28e09e6502e5799b156

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
879e548720da89db8e63ba0bbc9581d9

SHA1
b7aa787916fb0c85167064f3f9c9e163334e5556

SHA256
07548efac336263a67931dfeebcc002d0d2d5a474865a9c544715b0b19b0b795

SHA512
362fd34940cba7a2b2f837725c5b496cea10deae9fb0b5fae2dd0d1ed6f43d058394c41de6624248df8679f4731bf062d6c0a744d677284f639988956047ebed

Download Submit
memory/1712-15-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1712-17-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/1712-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1712-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2148-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2148-43-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3024-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3024-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads