Overview

overview

7

Static

static

3

151f375ff9...cs.exe

windows7-x64

7

151f375ff9...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    151f375ff9e4bf7466b3864da475ef80_NeikiAnalytics.exe

  • Size

    120KB

  • MD5

    151f375ff9e4bf7466b3864da475ef80

  • SHA1

    a4645b0829b85a2e354f102705643e94af6f6916

  • SHA256

    fc376fae34b736c21b406da588ea38ea4410f8ed7ed2e57c73c0579f61f6e24e

  • SHA512

    0ec8582cac1bf7ce36d79ddbb600c90fdd150dbd64894484345e1030bb4d6801d941c4f694e12701dc61bb89cc009a8140c5a20209d34066ff35f93f40d346ca

  • SSDEEP

    3072:yOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:yIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\151f375ff9e4bf7466b3864da475ef80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\151f375ff9e4bf7466b3864da475ef80_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 820
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    57ad816246ab392ebf96724a9df23898

    SHA1

    6ea6b23d339e4d29aaacb1ede767132c0f0bf5fd

    SHA256

    4f70055f94eb47e5b98641bd9a0df010e83c227e14f517d2ceb8f8f9c37169b2

    SHA512

    f25aac47a5d1e5d84d08b0bcbce611069a1e9148f45d146db537368e76b0f1482e5826cf62956b165940dc86a005aba505f3c881b6217972f2670c5aa1c22936

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    4465f9c9555e0fbd9f4037533d0c4e8c

    SHA1

    ab7157f6d087e61d574f67693471fbbafe0763ce

    SHA256

    4d13cf364c980787609900cdfbc43af5fcda97bb8cfaf7a78a2284237c25f183

    SHA512

    05703b5ab007d94914ad07b7b2a218b20f949fad8e8e72d9e2c152c35df7383a16bbed6d4aff6bf7603e27617a5df6ad30551f7fb9d8dfc995fda089b3768a97

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    bf2787ffecf6ac89051b270000d0a28b

    SHA1

    0935f0f31a7627884a11af0ec215d755bf5502cd

    SHA256

    d5b113d1a6041c1a1faa752a78421fc1e15f6f5edd049e15f5ca364ad7e8959c

    SHA512

    cbc3f88defbf121245aa3b4d4a8fcaf21519d5a10486143c7431075e0fbf70a0b729dfeaed1c8927a81c6a96fed4f24accbb759e10ae2a7e3bbaefd9278bad06

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    120KB

    MD5

    2df29f43b5e4158c75a6108e7fbfa935

    SHA1

    e0f87f6544c4583f39a6f307527821c50d9c0fd6

    SHA256

    a3a49533e97b4eef46c3cd56a67ea084f5af879b83144c837141658067f1950d

    SHA512

    6153af5d55f07c29cfdcf385a67a3ad0179c6d6c571de67a5ed81527d0ed02e52abd53d281a2fa56332423d57d80aca08b06d9d6f48d92c7d592e46bcd70c92c

    Download Submit

  • memory/1212-16-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1212-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1212-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1212-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1212-26-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2116-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2716-34-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2716-41-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2716-47-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download