583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547

General

Target

583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Size

75KB
MD5

379ec2a3507a4c38e2165bb2662eb4b0
SHA1

536f43d29568720e32303e56a4d64314b25650cc
SHA256

583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547
SHA512

8db55d772ea71810defcf92c167634432318977f41689165eb6ba111bae546d2cf8e572f517e2eb094d2e02fe8b639dc39ccfd4e19288e2e469007c26f5a0f1b
SSDEEP

1536:fx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T36:5OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPC

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023427-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1792	ctfmen.exe
4984	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
4200	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
4984	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4436	4984	WerFault.exe	93

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1792	4200	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe	92
PID 4200 wrote to memory of 1792	4200	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe	92
PID 4200 wrote to memory of 1792	4200	583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe	92
PID 1792 wrote to memory of 4984	1792	ctfmen.exe	93
PID 1792 wrote to memory of 4984	1792	ctfmen.exe	93
PID 1792 wrote to memory of 4984	1792	ctfmen.exe	93

C:\Users\Admin\AppData\Local\Temp\583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\583eafb081b3d56529107fd01d8b729e3baf7dd75cae9aad0742c75e63fd3547_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1324
      4⤵
      Program crash
      PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4984 -ip 4984
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
415fd9f18f80aa3ea32d18e3ea316dc1

SHA1
b28b465eceb374e8f34484742977b6de6be5bd15

SHA256
a645e55aedca225c6fa00633665e13768895a88428876d2107a9650e25243803

SHA512
60e858265b98ad7e77e6f3fbb53df37b9d8b3dd9f8508171082e9ae7f09df53f429039cf466a19d1a3524179563b67e8dcf6b6733fe36bd075b9ab8aa2224ffb

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
ccb332bfe7d3ada52e6493d2e49af959

SHA1
0af31e26fd0ec1830382ff96effe5b0829a57f7f

SHA256
547ac593d9de073a456c05bfbe6ed3e4fb4767cb6c15c15ed6df99edcddad04d

SHA512
4d93bc19481bcd705689f1109ab57c26e2325be98b550f977d85b5e078973496d2c01e39ca4a53ca9b5d3c04ccd9e6759122d59eb7dc9f912231acc41b718c72

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
89cd96ff1d19888fdbab1e1e65c1f3cc

SHA1
91014c402e4635a45a8dcb4506d2bc3a4bbb71d9

SHA256
22371f6c125cc10c537fd2874081e83721820d66629befdb17260bf94a4e5b51

SHA512
d956949d8a3e0da311c95713c26814c62dedc8a78a56348557167ed2db59a528b737d2b559fc1395b854f0ad9f26d2527a6dc594adff5b6e1d97fe853e9db991

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
f24b99a3f752c7bc1f382ec785c6a5a6

SHA1
5b2fe1ef4440a60ab8581502db98492e39959013

SHA256
4bcdd5a141b1e8896710617a5caac33c96ba8a0efa69746d00319391d4638422

SHA512
38621af1e1652595d7e50d9217ae004e9cd2aa9d8c6c5ad287c22eaa37c7c5392f72e33f9ecd27a5b022845543890783ec8fe89eedeff7f2e63364416448ccd8

Download Submit
memory/1792-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4200-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4200-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4200-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4984-35-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4984-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads