40f1a4e2a8c27fb4f04e4cd1724b6e11f5cd908610a45f941e4db2d076f9ff53

General

Target

0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Size

75KB
MD5

0041e00821c7b4d87a687577b489c980
SHA1

5287600ff862650ad79b408f0035d9500a71ad7c
SHA256

40f1a4e2a8c27fb4f04e4cd1724b6e11f5cd908610a45f941e4db2d076f9ff53
SHA512

1a5674aab19e2940d7f24aaf6dc6b938146a05bdefdbd044160146e2ab65414d9f47864745bcb4b1085207d114b81756d53937aa6aabe3c514ce8bd64850103c
SSDEEP

1536:Px1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:JOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002344d-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4232	ctfmen.exe
4872	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3548	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
4872	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\satornas.dll	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1036	4872	WerFault.exe	91

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4232	3548	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe	90
PID 3548 wrote to memory of 4232	3548	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe	90
PID 3548 wrote to memory of 4232	3548	0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe	90
PID 4232 wrote to memory of 4872	4232	ctfmen.exe	91
PID 4232 wrote to memory of 4872	4232	ctfmen.exe	91
PID 4232 wrote to memory of 4872	4232	ctfmen.exe	91

C:\Users\Admin\AppData\Local\Temp\0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0041e00821c7b4d87a687577b489c980_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1324
      4⤵
      Program crash
      PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4872 -ip 4872
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
9808d991349826a93c10e3178b36e0a5

SHA1
b3a8e40f672a29c21d2acf6a6cace16b5e656434

SHA256
04ff0fb1e6c5268f7423694f903913e2eadd1962e81ba71cb9c0a9007fcdc35f

SHA512
f3fb9fa05f8008543e0b0c2bf4d1d5c732846613a4bf205918e62f998f98eaac3b9c6b00c4ec55b74a11981f50c36eb88275d45be6b56d7dcaa59369c75c5e5d

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
c4cf457d33deab34902c5c9f532f89b7

SHA1
0b4727da3bc994a5a548e74ddc6e0b8858ebb909

SHA256
32479ebe43c315ad22e7bb6456413523218d7d670faa4bbd7063216b61e94932

SHA512
fa2c3c6024d267ca09d82751cca637d8ae57fa2e7de31cddd86e549926dbdf33bb2680099835f9842f323754c384577bb2bd704f09bedd357e908c0350d7122b

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
251d7c7c561823d37fe4d9f9de1af4ba

SHA1
13075e611899b0138cf2228dc34b7ef1b4ede781

SHA256
8adb5e68241f380c93e743e804d1f28b7ca31e7f060b2efecce2a6de144679bb

SHA512
00e9df485cf46924cde83321aad4a70ec1fbfb7fcbc848e41ea791b05f50d6586de2f20efdeed0fc63bc5a521419d28c18482bc802f499cd20b861c8c24df0fa

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
ade9d1546798d1a2362b96c370ab7dec

SHA1
7c349eda9cad1d93a7b2941f6d7b9050838b5fb3

SHA256
8600ab5e6d3d44cd98617d1133961e4aa4c4ae51ae3767187554f225edffd9d9

SHA512
6dd79478274ddb7905c6290828850f4c3a2364e07f85e99b6ebf8506af68df4ed5927d97ec778c7d514a8c37017735a0174d9e83508b666b0d1fbe135f666a0d

Download Submit
memory/3548-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3548-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3548-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4232-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4232-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4872-36-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4872-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads