cfa79e826e4c1d4edd58c32da307d6a5bf8d93113e963887045f124328acda5f

General

Target

5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Size

118KB
MD5

5a4f115a5123b1f5afccb34dd9716a90
SHA1

61ae68aef95ec07349979d69148d39c61813531a
SHA256

cfa79e826e4c1d4edd58c32da307d6a5bf8d93113e963887045f124328acda5f
SHA512

85b9f62a2bde65d723d2f6f9a80fd0ddf2b32a53700ffd80a9975fcefe084914b78c9a8248a68cb6e1c7ff9a32a6f8bb4d826270a3eaa6cec6638a3bbbfeafc4
SSDEEP

3072:UOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:UIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

2352 ctfmen.exe
984 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exesmnss.exe

pid process

1520 5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
984 smnss.exe

pid	process
2352	ctfmen.exe
984	smnss.exe

pid	process
1520	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
984	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 12 IoCs

Processes:

5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exesmnss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shervans.dll	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3312 984 WerFault.exe smnss.exe

pid	pid_target	process	target process
3312	984	WerFault.exe	smnss.exe

Modifies registry class 6 IoCs

Processes:

5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exesmnss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smnss.exe

description pid process

Token: SeDebugPrivilege 984 smnss.exe

description	pid	process
Token: SeDebugPrivilege	984	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exectfmen.exe

description	pid	process	target process
PID 1520 wrote to memory of 2352	1520	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe	ctfmen.exe
PID 1520 wrote to memory of 2352	1520	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe	ctfmen.exe
PID 1520 wrote to memory of 2352	1520	5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe	ctfmen.exe
PID 2352 wrote to memory of 984	2352	ctfmen.exe	smnss.exe
PID 2352 wrote to memory of 984	2352	ctfmen.exe	smnss.exe
PID 2352 wrote to memory of 984	2352	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a4f115a5123b1f5afccb34dd9716a90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\ctfmen.exe
ctfmen.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\smnss.exe
C:\Windows\system32\smnss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 1336
4⤵
- Program crash
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 984 -ip 984
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
bdaeb67f9ace821d27ced2a96adc15e3

SHA1
9328050d0f27801251db2060211028fcb650864d

SHA256
278aacb2ebc38940f47ef2b5db66da226b692f343bbf9707970281bc4ab4d5a4

SHA512
45564a3cb4431bab19aae969310eb531fe68b38728180566918ebf3d7d3715ffd22f2422f4b884be456b7cb736c190b1432e249addaa60bbdf359314834bfadd

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
118KB

MD5
1f71460e734f8693d3c1a5051418d332

SHA1
ec6006484229ff5caba46fe269628d007d9b61fd

SHA256
5363cfde1970bb6ee84373c376c9e22366532b0f47bb075c183b2b4109b4f03e

SHA512
fa46bdb5b97de7d71d341bb2d1c2d5e460e74c3bddb08b7acaf712931bbfe4a083fd2a17fd68966183cbbf8c09f165f6e42c25162cab8c869b2c6997082b8b55

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
caba389e56222913e94553a9bdc2a75e

SHA1
9e7e56b23a07b20b55ec5cb29faf59c5628e66b5

SHA256
133e3a8d88967f548412c7b0941308627de70571a8e6cdae63d892c455f97fd6

SHA512
c7839b1dea68f07b93726d1d2fa1fd017a67ce3309bc0f6341a3957adea47858b72872216117e0568b4ee4572c4039546b7ca9bdc97add3d4a403fb387fc5f9a

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
4ddd2960f7ffa9c859f089be65a97782

SHA1
10b74830626e88319a6c16bbecbc59de9e4ca75a

SHA256
8b4a980613a575ac351b1719bb692383ef78f6aa041170a0e8a5589453315d17

SHA512
f278c0c1c821b5d4ede0fc18bc2c96cf3b60564fea8bdb79eb6ebc19a3105589e7a29db713d214886cabea761c9f3576f17a3ddca4a0263db73dcf2fd153e88b

Download Submit
memory/984-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/984-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/984-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1520-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1520-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1520-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2352-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads