dd0ad17f45c3c77809b43301619b6fb43db0f033113d3579d9817b1910440a40

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Size

119KB
MD5

d7af1e14efa3676bd015ed248bba9270
SHA1

26c3f5b976dc9056f117d2d358ce84a0128c609d
SHA256

dd0ad17f45c3c77809b43301619b6fb43db0f033113d3579d9817b1910440a40
SHA512

4fd72c0df790f3c27471e71a6b026345d8392dd8d7f97881c463bbd30579c62ccb5ab14fc6c09098e81e5e6abc8fe1c20b4f5081395445504216b3951bef5856
SSDEEP

3072:IOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:IIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x003900000001340e-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2476	ctfmen.exe
2748	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2372	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
2372	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
2372	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
2476	ctfmen.exe
2476	ctfmen.exe
2748	smnss.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shervans.dll	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
316	2748	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2476	2372	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe	28
PID 2372 wrote to memory of 2476	2372	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe	28
PID 2372 wrote to memory of 2476	2372	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe	28
PID 2372 wrote to memory of 2476	2372	d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe	28
PID 2476 wrote to memory of 2748	2476	ctfmen.exe	29
PID 2476 wrote to memory of 2748	2476	ctfmen.exe	29
PID 2476 wrote to memory of 2748	2476	ctfmen.exe	29
PID 2476 wrote to memory of 2748	2476	ctfmen.exe	29
PID 2748 wrote to memory of 316	2748	smnss.exe	30
PID 2748 wrote to memory of 316	2748	smnss.exe	30
PID 2748 wrote to memory of 316	2748	smnss.exe	30
PID 2748 wrote to memory of 316	2748	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d7af1e14efa3676bd015ed248bba9270_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 920
      4⤵
      Loads dropped DLL
      Program crash
      PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
526fab1810d663043697b77425e43247

SHA1
8cf9c24020b6bb269479d6c86813bc8b46184460

SHA256
5d4df69ba5d725f78c2f6ddb40fe0258c12d80efe92dfb133f3ae8ae6e1fac19

SHA512
e48c2f0d64bcf462463cea193ce8580a549681dedf3350695e14db846f877b635a7afc6d10ed841a4ad0dbf462a4ee13f5b2afa7947955466a87569855d6dc48

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
6f92327eb1e4c4b1e65a350032d0af16

SHA1
57890e34f69fcbef3c99d2652a37db4e6e0ba4f9

SHA256
fd0f76af64cc3a85fea3bc8ce32ee553d826edca8ff31aa9f8a2c56af48ee17e

SHA512
9d5e5ceed68cb8b8df0e2c533104cd312d9e7aab99d167a0008bc62b8e99f2e58d6e08bca99ab05d29e4fd4c497bdcadb7dff46b0913fb13216adeca00f9a3d0

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
c19ad576dccb66f62a5d2cd7b86be886

SHA1
bd8ba4aa79e43b613eb5218e04d1f5615c7a32f4

SHA256
6806ddb2e126b26bd0a163bf90de862eabb555cea8ffee1b7861d1557d1146d2

SHA512
b93ddefdc7dae698875a194ee0f6bfc9848c053d46ce660f18785337e7ec79750ec4e6b85caaf051ca2c31586af2194a9a741047674194fc2b6e0d5cc1e84425

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
b2f6a6015069c701294ee68f2854d13b

SHA1
5bc9dbb59f58083a5006f90bfea9ec8e027e5b5e

SHA256
7eca4fcab9338d0a7f1140a3ad8c89c32c8925aab525188f5f24ade649d093a1

SHA512
2d5c74fa62ac647a2f29f70321cb0e179494e2ce2c7554c56148e27fe5bcdc289038fc9b0b371e428c5030adf110c9ebee4334aaa784d3f2e15898459e5970d1

Download Submit
memory/2372-18-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/2372-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2372-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2372-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2372-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2476-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2748-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2748-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2748-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads