Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 03:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe
-
Size
118KB
-
MD5
982e5849326f458dfba4435c9c1ae0a0
-
SHA1
2520efd4d86be4ff41f0fce19a0c27f69df6b9c7
-
SHA256
d4e24a99909fe2f294339a252a84c6fb62c0f5ade41e7ddf9b45f405e7dbcb6a
-
SHA512
6e50ecc9fa6d96a86613515aa477993f9d3734020428e61bb17f121100b38fea1e0bb32aa6fd8dc819444b05eb048a4dc7ae21e8548e4c92ad79bf0a6b870278
-
SSDEEP
3072:NOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPP:NIs9OKofHfHTXQLzgvnzHPowYbvrjD/i
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0039000000015d56-10.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 3068 ctfmen.exe 2816 smnss.exe -
Loads dropped DLL 6 IoCs
pid Process 1132 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe 1132 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe 1132 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe 3068 ctfmen.exe 3068 ctfmen.exe 2816 smnss.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\I: smnss.exe File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\R: smnss.exe File opened (read-only) \??\G: smnss.exe File opened (read-only) \??\V: smnss.exe File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\Q: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\W: smnss.exe File opened (read-only) \??\X: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.Wsman.Management.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_transactions.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc451X.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml455u.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Switch.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_trap.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Path_Syntax.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_execution_policies.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_parameters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_logical_operators.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4400t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\Amd64\RICFG7.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_split.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_try_catch_finally.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8700T.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_FAQ.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\EP0SBT00.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Reserved_Words.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_transactions.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scopes.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5600T.XML smnss.exe File opened for modification C:\Windows\SysWOW64\migwiz\MigApp.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_eventlogs.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Continue.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_job_details.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO1500T.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_preference_variables.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4200t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5060t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000nt.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\Amd64\KYW7QUR3.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Assignment_Operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_FAQ.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Line_Editing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_escape_characters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_try_catch_finally.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Break.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_providers.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYW7QURY.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\Amd64\kyw7qur8.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_CommonParameters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_methods.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_modules.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Variables.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5300t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Line_Editing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_hash_tables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_type_operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_join.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_methods.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpsd730t.xml smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\NEWS.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL027.XML smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML smnss.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\gadget.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN090.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.NZ.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html smnss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ecaff9829f3b58ce\Microsoft.IIS.Powershell.Provider.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_pipelines.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_do.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Hand Prints.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-5.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_execution_policies.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_debuggers.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_remote_requirements.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3687be952df5b9b1\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_command_precedence.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_escape_characters.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPP8700T.XML smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnky003.inf_31bf3856ad364e35_6.1.7600.16385_none_3d4c795ded41268f\Amd64\kyw7qur2.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnrc00c.inf_31bf3856ad364e35_6.1.7600.16385_none_3b11d85d2b1e2536\Amd64\RICFG7.XML smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Command_Syntax.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_62d8f8a551894c9f\Rules.System.NetDiagFramework.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\default.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_try_catch_finally.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73db80f37a680574\currency.html smnss.exe File opened for modification C:\Windows\ehome\ja-JP\playready_eula.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_92a65a18e6532ae7\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-8.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4080c452718ce6e7\Report.System.Disk.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_requires.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Language_Keywords.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_remote_troubleshooting.help.txt smnss.exe File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Disk.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_es-es_29826b65facd5de8\epgtos.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-13.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_117bd8ffb46dd92c\Report.System.Common.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_pssessions.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\webbase.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.1.7601.17514_none_69a838f53862fe6b\FrameworkList.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8486739b50ee62de\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\ConnectionManager.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnsa002.inf_31bf3856ad364e35_6.1.7600.16385_none_02a32ac8d56280f6\Amd64\smf6x5u.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Quoting_Rules.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_If.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_arrays.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_68bfa622c568dbc2\Rules.System.Disk.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_remote_requirements.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO3200T.XML smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Variables.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_jobs.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_debuggers.help.txt smnss.exe File opened for modification C:\Windows\diagnostics\index\NetworkDiagnostics_2_FileShare.xml smnss.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-7.htm smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_remote_troubleshooting.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9c4da920e2047ffc\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\GlobalInstallOrder.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-18.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_it-it_433f19f7deb07053\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Ref.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_execution_policies.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_remote_FAQ.help.txt smnss.exe File opened for modification C:\Windows\ehome\en-US\playReady_eula_oem.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Common.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-2.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnky005.inf_31bf3856ad364e35_6.1.7600.16385_none_3e5e9dc81f7d9f61\Amd64\KYW7QUR3.XML smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2b166002b7f51771\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d4f8a2f961a0e7e4\gadget.xml smnss.exe File opened for modification C:\Windows\ehome\mcetuningoverrides.xml smnss.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2816 smnss.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1132 wrote to memory of 3068 1132 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe 28 PID 1132 wrote to memory of 3068 1132 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe 28 PID 1132 wrote to memory of 3068 1132 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe 28 PID 1132 wrote to memory of 3068 1132 982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe 28 PID 3068 wrote to memory of 2816 3068 ctfmen.exe 29 PID 3068 wrote to memory of 2816 3068 ctfmen.exe 29 PID 3068 wrote to memory of 2816 3068 ctfmen.exe 29 PID 3068 wrote to memory of 2816 3068 ctfmen.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\982e5849326f458dfba4435c9c1ae0a0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183B
MD5ce36473e090908a717485527c209c4c6
SHA129399c4e85c72a5c2310076909a4a6731c0eb792
SHA2565a495cf9e44a7da4a7ddcad2668123ca7e8a2834f391b53b5a471f34afd0a63d
SHA5126c0cd197116d504ee41d53191c4bb9f951715b2b4b11a5c4d57df7abb248489232a29fcc8c760669359bbdf704c45e5852d3d84df4bb0635e2adedc0378548c2
-
Filesize
118KB
MD5d1e6a491c028caadd855ae1efe409cb1
SHA1afbd12eca074c05f870df8e89c468b59a271ee56
SHA256410df94bc3408f8a3bc902619351da857c24c7eaee35fea58613007d6c1eaa5f
SHA512833d3005e3bf6c4b81f52ea3a758ae9653b73afbc47e19abde550f33933b8ce222c506c55c45ba55216b149835e1801f8eec5c6a5bf4b06f1d5a64e76632986b
-
Filesize
4KB
MD5ff0707235a9e519fe9e2e0ac2d16fa9c
SHA145f1de4215d151769b699f270666d1311031abdd
SHA25660dfc6807d9084a46f6561c2fbeed5b941aadf612790f5a99254221d34b39bc5
SHA5126eeec84008596cb702374905a651f319442e6ea1edb1783d9ec6aa4b594e4a80f99015df8ff1ea2709c5acd01f889733c12e7edf58d09047f2fa4768d8f06408
-
Filesize
8KB
MD52b7dd47a3e7784784f659ef4ecb2f7b3
SHA151a15b308664335c54cea9f3949eac99d4f5bf4e
SHA25685948e71bd41f7aa6450531b9b8d2404ab1ed8464bf9a54913ba24b329367411
SHA512e03a871fc703399eb8795d19ccb54f1fb7f6b564a965b60cbdb6839968eceb2316bb2bc810f6331166a8849cafaf4ae2ed07a68c188c147ccd9769c3502eabb5