709fb7c89cc95255f8465e6b22cccdd2f5416d6d905389d393dc3e986e628a2d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 20:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
Size

75KB
MD5

a9ce2dec6708302a68de0db61b070b50
SHA1

6ab4c1f29c7b80f298eb6eab5d9507dbdad154f9
SHA256

709fb7c89cc95255f8465e6b22cccdd2f5416d6d905389d393dc3e986e628a2d
SHA512

5c1a7091634a61f8c953bddac1babe29ccf1af02f89776a493fde735b84165990d0aad7bdc1a4e8daba2bb59786808b6a62237d3126bdabd1bfcd14bfe5d850e
SSDEEP

1536:4x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:wOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023422-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
5052	ctfmen.exe
4848	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
4848	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3808	4848	WerFault.exe	88

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 5052	2668	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe	87
PID 2668 wrote to memory of 5052	2668	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe	87
PID 2668 wrote to memory of 5052	2668	a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe	87
PID 5052 wrote to memory of 4848	5052	ctfmen.exe	88
PID 5052 wrote to memory of 4848	5052	ctfmen.exe	88
PID 5052 wrote to memory of 4848	5052	ctfmen.exe	88

C:\Users\Admin\AppData\Local\Temp\a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9ce2dec6708302a68de0db61b070b50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1552
      4⤵
      Program crash
      PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4848 -ip 4848
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
bb4186175bb0ed34fc475c14d455aefc

SHA1
be1f1296a0c2bd7f2ccdaea8e076ee2da264503c

SHA256
3aa3578a82fcee1b6519dd7cbdc73d9b0835cd98a24792d0743f8967307e322a

SHA512
6666afe329b1822e5f7e8f5557326dedfc89356c9f7ed501a99243780761c3ca3e1b577cb8aec3f66e4bc322482b682eaf48aa6fc72115a24a59131bbe3de3e3

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
86f62b8bcad3d3ff4cba6c83879933f9

SHA1
4880e2b5bd30046c6acf91128745560c1277952c

SHA256
e8fa745b7e87333844fca8f22d40a17aa47e112017e7fdd21e6cc1593a7cc410

SHA512
4d6cb257c9f3c89dec70839160731eaf55dd50b26b7ac9037a3fe875237dc0f0cd678d3767467446da3ac66ddd51243f8ee7fa18301d6db00c4665a71b4f14cf

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
4054acce3ad7c335533ac25448099051

SHA1
350be03491901ebbca254a59848956e89169938a

SHA256
8d319f8a7906c3b87346d985003273d7ffe4249ae5b6755861a456f45a728ed7

SHA512
972a9b5401f9edcb1d166b11133b707424282f2574a92dd7afe1cfc17ffe1fcb5c2653275d8479ca33686fda4a171d09733cd4a93464c809a7313e81fec70790

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
ce2374cc2ee6483907f74e111385baaa

SHA1
d7ffeb4b05abf7fb65b6e98336ffa1c8cafcee97

SHA256
922a2994929cadc46841b00f2a333011e60d776f32e5150120dc1786fb7ed6c8

SHA512
a350730632ef7572edb685c0cd46f02dc827b6c41215656cdb68437ad0d6e6e77bb5e322524a4eaf6cc9489a51e64ab8ebb2a7066ee3c64d65817f9c5e4ce42e

Download Submit
memory/2668-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2668-21-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2668-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4848-35-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4848-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4848-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5052-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5052-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads