c55a8f486def463f724b25d9d701f25d0fd4d68c8464ccad83f06534005dcf9b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Size

41KB
MD5

17a348c2d084ccba059374abdfc52c90
SHA1

fb8908fecec3c27872ff7a5786677dd347544fbb
SHA256

c55a8f486def463f724b25d9d701f25d0fd4d68c8464ccad83f06534005dcf9b
SHA512

290e3212178badf4fe3eb68ce8fe3d07d9966e557b51544e829ae87f52b94ab9ac85482048f254f6b94da68c22ba2485966578fd5399b6b2bb57a3b56c02a23c
SSDEEP

768:EeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09CyH:Eq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSD

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x003800000001566b-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2600	ctfmen.exe
2612	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
1952	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
1952	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
1952	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
2600	ctfmen.exe
2600	ctfmen.exe
2612	smnss.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smnss.exe	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3028	2612	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2600	1952	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe	28
PID 1952 wrote to memory of 2600	1952	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe	28
PID 1952 wrote to memory of 2600	1952	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe	28
PID 1952 wrote to memory of 2600	1952	17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe	28
PID 2600 wrote to memory of 2612	2600	ctfmen.exe	29
PID 2600 wrote to memory of 2612	2600	ctfmen.exe	29
PID 2600 wrote to memory of 2612	2600	ctfmen.exe	29
PID 2600 wrote to memory of 2612	2600	ctfmen.exe	29
PID 2612 wrote to memory of 3028	2612	smnss.exe	30
PID 2612 wrote to memory of 3028	2612	smnss.exe	30
PID 2612 wrote to memory of 3028	2612	smnss.exe	30
PID 2612 wrote to memory of 3028	2612	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17a348c2d084ccba059374abdfc52c90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 828
      4⤵
      Loads dropped DLL
      Program crash
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
af1f2298ff37123667b4be1dc3cfa135

SHA1
a562549d4a84bd9548a40d76d93230f4ad5e5581

SHA256
33e2b3c572299f195c5e022180bae02be4c23ae07042710a9a4b05dc0571e1a7

SHA512
baa6feb9e4b7159e8c1e7a1afa0071c08f2ea0142acfa577f44b795ea0eedb369223e49efc8947f306b5a192a58e5b602ac52e406a624d4b2cd71c216b65be43

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
e68cc1450b0127762eefd43965c83a2c

SHA1
16ce746b504ac1af36d1b13ea4ecec7f82730c21

SHA256
9a6f897ca471944d56b773cfa7c6b33f11313f54b4baa2e2dd00f6108a485723

SHA512
fb5cf55b38ac4b435b920af54c36c6600d2db7178bc466368fd7c269305a97c7411adececafe02254c56fe95ca8080d6028e8fd649eaae33b2e3488378e6b309

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
b34160ef55b29389034fadf31e11e2f4

SHA1
400b4252213eb5b62a3d22dd20e88ba14d69436d

SHA256
c1aeb96e18b0615920227e2dcebf568281cc9c77622fc17ee3cb7e5286bc5801

SHA512
982731b79c7a99d062d5e9190fbe0007fbfe3ecc1137458c6d4fe5c4e53600ed8d09ec12c734cf4cbff33e9e9e003475778aa26fd006dc10e5b349ae31ed70c2

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
41KB

MD5
403402c8cf912df9ea2ff469882f8f56

SHA1
56b17d4efc9e85a20425345238594c5887323721

SHA256
b593b05ac4f4be5271bafd5775b3620efd521f4b31fb91f222c88fee00451d9c

SHA512
270db73cf2269bd2a21e70270376984cc1d0ca0ecfd873bbe3ddb1728aad45bb622e9b9421cf0226288bda4407508476d37971fca1f3d52a6895f6ccc7d39582

Download Submit
memory/1952-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1952-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-18-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download
memory/1952-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2600-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2600-31-0x0000000000340000-0x000000000035F000-memory.dmp

Filesize
124KB

Download
memory/2600-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2612-43-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2612-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads