87131ab55700b3f582ea907ccbfd8caf096d052abdb4e4cf587e016bc84feaa7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Size

75KB
MD5

cdc66d88d7bd0bad4c50ea3a73755dc0
SHA1

60c2a76c9d1c4131b852f5782e28ba48f34c148d
SHA256

87131ab55700b3f582ea907ccbfd8caf096d052abdb4e4cf587e016bc84feaa7
SHA512

a35b997d686f7910dbe5fe3081f98f6cf9f00194827a1b478858669896fc4e742c3f6e3c1248b8ca06fb98a1cddfd6368b3097e51cf93debf05d89acab83f75a
SSDEEP

1536:Rx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:rOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023490-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2916	ctfmen.exe
1872	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
1872	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\satornas.dll	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2864	1872	WerFault.exe	93

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2916	1704	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe	92
PID 1704 wrote to memory of 2916	1704	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe	92
PID 1704 wrote to memory of 2916	1704	cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe	92
PID 2916 wrote to memory of 1872	2916	ctfmen.exe	93
PID 2916 wrote to memory of 1872	2916	ctfmen.exe	93
PID 2916 wrote to memory of 1872	2916	ctfmen.exe	93

C:\Users\Admin\AppData\Local\Temp\cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cdc66d88d7bd0bad4c50ea3a73755dc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1472
      4⤵
      Program crash
      PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1872 -ip 1872
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
d43f35dfb8298c7647572910f656c90f

SHA1
28edfe85241b08ed15633453a93ce43c6a9239f1

SHA256
60acc1e736f309de38698cfacc62cfc5929bb2c6a191d6708d06f99e89c20846

SHA512
4f8e91c67e690ff0cc66b98795dd93271f7bed2500e725d0682237ecd83e0034832b77d5d32768b071f4d91d5c60ac949a86a15c5a508475e1d5f2bfc1c01602

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
b6d7920886eb5468583e8df1d9bce736

SHA1
a61241056877036803bb02f98c2e2878704b7f41

SHA256
2b1cc7a52791bacb0e15daa0a32f53a924c9725dc8bbcb4f292b010a3487ef2e

SHA512
c59265003bff3699d7e4d74b2aa1cff0ff7754d52cf220aad05e64d96cdce12c81caf66ae0f62208b15ec943de32d13762dd8a1e4798976ff8d2515f93ca2d1a

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
e99cce29370a1e48939002353ed2996b

SHA1
5d70cda949a0f4581831f3aa0fdf7570a497a9ed

SHA256
7a1e35b19b2c77440e60aadeedaee92a1d509d603335d9b9a04c4255cfacd84a

SHA512
081730bc443f9078df8d196bf021e4673c3190b71334d25415ae4817de2480593a3dcd64ad047e33e659940d98d2161f38361b827263e09f10eb0be0121297e2

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
89165ea38c48cff5397031d2fb5d85ee

SHA1
b93d326c25d7341d7e2a207559c5f5ca70e45483

SHA256
b23e74e45b7a519f45c9820f3394a7d8d763599f0de4cfa48052feb87dcd55ab

SHA512
d88bb8490988f1ce07b8316bffde509bb5e8a0227a271b46be433fd9f852af922ab9438d06434fc2f8787f885f51c7a8792ca1cbc698a9e6f00e9a4650c453a5

Download Submit
memory/1704-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1704-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1704-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1872-36-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1872-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2916-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2916-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads