72cc50ebb938498bb58db63326a25188be0a75f8db45c15783aa68520f71fefb

General

Target

5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Size

240KB
MD5

5c8bbe5273a8078f1c0af12a62f66a60
SHA1

76ee87f5312914c0165f533c0e87b0c8765d3c00
SHA256

72cc50ebb938498bb58db63326a25188be0a75f8db45c15783aa68520f71fefb
SHA512

b6ab274312428a4896badb0e6a76cbd1c9b54b3b4d73c2dce0fb8d138bf207e4c07a745cf5234696d7be16fadf5a3a7bc411e95e7b5963a8a5a6384d54f28478
SSDEEP

1536:Bq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9bB:Bq5ud9qHFO8Kf3rIIbB

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

2688 ctfmen.exe
5044 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exesmnss.exe

pid process

3092 5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
5044 smnss.exe

pid	process
2688	ctfmen.exe
5044	smnss.exe

pid	process
3092	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
5044	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 12 IoCs

Processes:

smnss.exe5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe

Drops file in Program Files directory 9 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3684 5044 WerFault.exe smnss.exe

pid	pid_target	process	target process
3684	5044	WerFault.exe	smnss.exe

Modifies registry class 6 IoCs

Processes:

5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exesmnss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smnss.exe

description pid process

Token: SeDebugPrivilege 5044 smnss.exe

description	pid	process
Token: SeDebugPrivilege	5044	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exectfmen.exe

description	pid	process	target process
PID 3092 wrote to memory of 2688	3092	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe	ctfmen.exe
PID 3092 wrote to memory of 2688	3092	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe	ctfmen.exe
PID 3092 wrote to memory of 2688	3092	5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe	ctfmen.exe
PID 2688 wrote to memory of 5044	2688	ctfmen.exe	smnss.exe
PID 2688 wrote to memory of 5044	2688	ctfmen.exe	smnss.exe
PID 2688 wrote to memory of 5044	2688	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c8bbe5273a8078f1c0af12a62f66a60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1336
      4⤵
      Program crash
      PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5044 -ip 5044
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
e76511f24e98c1b691e8ecdb1817e561

SHA1
ab64211617a14f9276c4a820a9e7cea51fd89a36

SHA256
7c651f39338993f33a2a8e22e538f187587e7af19646e5d0074c1323d8816b0e

SHA512
095aaabe21749768756d8b7d9033b6550b8b5fd5ff6003c6306794df779397ab2773beb280ba7ff14d21758deb3a232868ba50ec26cdb35fccfa984dd45bb015

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
240KB

MD5
97b49bb4ff9761381ee2a50a2c0eb086

SHA1
88b7bbb534cbd36751139516229534455707a845

SHA256
e90e68f61d4d01c9af71aa3bb283ac745db4be9411f4f061de6898b33ddfd601

SHA512
354e73dde14d62352dc59dde4c991cc6f9813d22f46391762bbe16e26040f108bb770676055c5f6b9c5679ba12cb343ef9a0de8443b8abdc93448bdf3dd8a31f

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
62cfde54494a09c3abb444e9f08a298e

SHA1
6860dad9ca47e52c269cade98cdb4f7605269f2d

SHA256
dd0df520dc466505dc782bbda2a99a6d53280fb52fa15f8acb79a09f9e08a9c1

SHA512
078e083e7e310a1acc3e547d16cf83232d69ced5eee2b9a70d389724693a15d6a4b258a264eeee33f8ffb7ab53e1584badffe7d00246dc0a7855570b84e4066d

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
42381f13ec2424c5d9a818b431ea2276

SHA1
c078cf3461026c6a1fe98a93de34b2bdab55917d

SHA256
8ce10c487501fe0071f3cd8b30566990072a4190d12a9ffa8838d331f181fc4c

SHA512
8b1ce243cd678c34d62a59b3738b5ebd12241471c0a67d39bac7c3c24b5cfcd21964b7fc3afbca13e0463070c255e132dac4ecd1fdfe095f38b5351084eb433c

Download Submit
memory/2688-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2688-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3092-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3092-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3092-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3092-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5044-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5044-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5044-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads