Overview

overview

8

Static

static

3

67b342125e...cs.exe

windows7-x64

7

67b342125e...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67b342125eaf54c5557c4f358dbcdf20_NeikiAnalytics.exe

  • Size

    75KB

  • MD5

    67b342125eaf54c5557c4f358dbcdf20

  • SHA1

    98cab288c690a2ef126f4f0d84739f47924df87e

  • SHA256

    33e75770d8d403a4c9b4aaba6f7a1023bea2ddb762763cdc00fc4feb089772ad

  • SHA512

    97816c9766d113a64b241f00aec1aa5f6ea06e7a13b92520097c4f7b4b50b8cc28b9cb71e050ec516d13fddfd86722e3e0c7737a4632bdeadb6e57e71eb444d2

  • SSDEEP

    1536:Kx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3B:aOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPp

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67b342125eaf54c5557c4f358dbcdf20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\67b342125eaf54c5557c4f358dbcdf20_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 808
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    1d38a9a1b970bbabea538fdbc8275aa9

    SHA1

    72abb2a18c72698be4442a2129806a533deb7027

    SHA256

    dbc82442a66ca41a5d96d2a966266de187db76737959ee419338e5f55d8eeb19

    SHA512

    27cc811338d8a82b215a00757960ac39fdfb1f66ba457d4c3c71380f1a519ad9bbc32ed80809188c3f98752e22903f1792d105666764318a85436ae1387098fa

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    6b9ef9bafe8d38b0ff0d272f9b4eaae7

    SHA1

    09d44374e33fed9c8e39499c0f1ae1d32c886ec5

    SHA256

    2948d04d8efc719721dfb8712183cc9e340b9536cb69f4cbbccd48d8ff9ebc23

    SHA512

    76a52daa26b5e6a684f0b963a797ca420daab00f77b874fdcd088d666f77e3eca7f9b9bd6eae2e6a2d56abcbd37fbc481f617028ac87502e7f4953d04e3ca077

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    ea91c20397aa0db2e35684e074e00793

    SHA1

    cf966ec4a1b0ac306ec82e9d570bf37de81e3e5a

    SHA256

    bb4818f307ae21fbb8d2f4bc097486622cfbcf2f5cccaa28d2413ccd0b6ecf5e

    SHA512

    9a863de72815dbc6a659f17264c677b0c174b07f906bba4784e0e4ebafe7d27f0eff861f329241e2cdd7877063973de3b183171542bbcf1e6295bf5d7da58a09

    Download Submit

  • \Windows\SysWOW64\smnss.exe
    Filesize

    75KB

    MD5

    028ca211feb1f22e4a38ae4a57adc932

    SHA1

    350e072d963e3c9b3fedddc3d3565ac8cb782884

    SHA256

    15f769be45bc094de8ab27524d691ad480939f8aa33276ed04c2ef0da9d58b5d

    SHA512

    11188e65d4b153e6ea88fae9bb45de64e2e1a3ba075ec2ec37db313daa20b328a61809e9b8862e614f23006add7a9fbc6cbfb9aef8cd62d141caf3433694f06a

    Download Submit

  • memory/2536-39-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2536-43-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2536-44-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2916-31-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2936-15-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2936-17-0x00000000003C0000-0x00000000003C9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2936-26-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2936-24-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download