Analysis
-
max time kernel
137s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
17-05-2024 00:04
General
-
Target
5fe2c454689339965cc76b3f474ba9f0_NeikiAnalytics.exe
-
Size
231KB
-
MD5
5fe2c454689339965cc76b3f474ba9f0
-
SHA1
132bb729590f7a9a202f5d827e1d88892cb80a75
-
SHA256
407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01
-
SHA512
6ebdd3bfe198734651200ecd7536dad7029f258941e794df76b520074d18adcb268fe4b2f09e0c1addf86c28dc36a1b2c637df9aa48ae5780a47c25ac84a94c0
-
SSDEEP
3072:OU6lAynH4YpRdK66A0W+pmrs5qB6wCopAsJPrtnlVARkEjscM5xaTWvK12qcD:g+SFkI0WO3paPnluGEjscyxLvK12qc
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fe2c454689339965cc76b3f474ba9f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5fe2c454689339965cc76b3f474ba9f0_NeikiAnalytics.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88C3.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\998D.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD52cbf72539d9760c1b9df317dcedbf36e
SHA18e8fba846e0a3568ae9f062bc81937b1be6e3910
SHA256321d528a8036f2bafd0ac867b8e031e86ad28f61a420e70e5fe7b0e6f09a712f
SHA512ac43476e60441915ad841afe153ae8bb6f9010eb07b0cd1b592a7ba75febddfe68fccca5f327533f7cd84733bcd17f7517b98f13ee984e7e24f86b3ddda6a0ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD59401dcd4f74f7f45fba89498762b83e5
SHA13fccc780862dbae86c19749303ed8d017fa54224
SHA256bd386daee35feb4bffec775b068f7e576bf881cfa7483e0e9732acc272cdce23
SHA512cb44b680a0d4a01fa386e687848332e09bdcbcad5a66c8456cec940319378787901de5347563813101c179aa91c6fb9f235b09de396c7fe70562bc82c88ccc77
-
C:\Users\Admin\AppData\Local\Temp\88C3.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
memory/3428-5-0x00000000007D0000-0x00000000007E6000-memory.dmpFilesize
88KB
-
memory/3428-23-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/3488-1-0x00000000009B0000-0x0000000000AB0000-memory.dmpFilesize
1024KB
-
memory/3488-2-0x0000000000930000-0x000000000093B000-memory.dmpFilesize
44KB
-
memory/3488-3-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/3488-4-0x0000000000400000-0x0000000000790000-memory.dmpFilesize
3.6MB
-
memory/3488-9-0x0000000000930000-0x000000000093B000-memory.dmpFilesize
44KB
-
memory/3488-10-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/3488-6-0x0000000000400000-0x0000000000790000-memory.dmpFilesize
3.6MB