Analysis
max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16/05/2024, 22:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Size: 70KB
MD5: 4ffe85d15d655ec631bfc5f7a798f620
SHA1: 789fb1b4063fc9acab94420263bff67f567aa644
SHA256: af665cdd821505081e654d801ac8ba452045995a57ae34062d142f0b5a99d40a
SHA512: 69c92511047e605aade2f8466623aef554514909b309ede5b91476fe9e8baa7935cbb788d7c05d98201d0dcac6394bc0b46fa48d4be2799f3ab772652fbc39aa
SSDEEP: 1536:eBq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9b1YTjipvF2a:eBq5ud9qHFO8Kf3rIIb1YvQd2a
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0025000000016013-10.dat | acprotect
Executes dropped EXE 2 IoCs
pid | Process
2960 | ctfmen.exe
2536 | smnss.exe
Loads dropped DLL 9 IoCs
pid | Process
2852 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
2852 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
2852 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
2960 | ctfmen.exe
2960 | ctfmen.exe
2536 | smnss.exe
2212 | WerFault.exe
2212 | WerFault.exe
2212 | WerFault.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\shervans.dll | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\smnss.exe | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\satornas.dll | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm | smnss.exe
File opened for modification | C:\Program Files\Internet Explorer\Timeline.cpu.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml | smnss.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\Filters.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\README.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | smnss.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2212 | 2536 | WerFault.exe | 29
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2536 | smnss.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2852 wrote to memory of 2960 | 2852 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe | 28
PID 2852 wrote to memory of 2960 | 2852 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe | 28
PID 2852 wrote to memory of 2960 | 2852 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe | 28
PID 2852 wrote to memory of 2960 | 2852 | 4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe | 28
PID 2960 wrote to memory of 2536 | 2960 | ctfmen.exe | 29
PID 2960 wrote to memory of 2536 | 2960 | ctfmen.exe | 29
PID 2960 wrote to memory of 2536 | 2960 | ctfmen.exe | 29
PID 2960 wrote to memory of 2536 | 2960 | ctfmen.exe | 29
PID 2536 wrote to memory of 2212 | 2536 | smnss.exe | 30
PID 2536 wrote to memory of 2212 | 2536 | smnss.exe | 30
PID 2536 wrote to memory of 2212 | 2536 | smnss.exe | 30
PID 2536 wrote to memory of 2212 | 2536 | smnss.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ffe85d15d655ec631bfc5f7a798f620_NeikiAnalytics.exe"
  PID: 2852
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ctfmen.exe (depth 2)
    Command line: ctfmen.exe
    PID: 2960
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\smnss.exe (depth 3)
      Command line: C:\Windows\system32\smnss.exe
      PID: 2536
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 824
        PID: 2212
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads