3c41ee52bcda16f0fa4b469b6a19430e747b6b4b83999c57d500a10c9a7127d2

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Size

41KB
MD5

40761e04586d7d32c37733b3b9e060d0
SHA1

e54913f5c548fd3c99e2377bb9b335492bbde8e7
SHA256

3c41ee52bcda16f0fa4b469b6a19430e747b6b4b83999c57d500a10c9a7127d2
SHA512

3004e9c2c4584cb9e907e1383c8c11c656b5022fa17db7964dc735c1c7b370c5039d26210f8f87d676c688a8065cbaa16ceb685706a2686b165cc27252de81a8
SSDEEP

768:seMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09Cy:sq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSz

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0030000000014342-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2704	ctfmen.exe
2596	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2296	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
2296	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
2296	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
2704	ctfmen.exe
2704	ctfmen.exe
2596	smnss.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	2596	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2704	2296	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe	28
PID 2296 wrote to memory of 2704	2296	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe	28
PID 2296 wrote to memory of 2704	2296	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe	28
PID 2296 wrote to memory of 2704	2296	40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe	28
PID 2704 wrote to memory of 2596	2704	ctfmen.exe	29
PID 2704 wrote to memory of 2596	2704	ctfmen.exe	29
PID 2704 wrote to memory of 2596	2704	ctfmen.exe	29
PID 2704 wrote to memory of 2596	2704	ctfmen.exe	29
PID 2596 wrote to memory of 2480	2596	smnss.exe	30
PID 2596 wrote to memory of 2480	2596	smnss.exe	30
PID 2596 wrote to memory of 2480	2596	smnss.exe	30
PID 2596 wrote to memory of 2480	2596	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\40761e04586d7d32c37733b3b9e060d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 832
      4⤵
      Loads dropped DLL
      Program crash
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
cd46ab334e65f0fb9bc5b2c98d600f0a

SHA1
95e8bf701e52c2c629666b607c6f6e582ff74b7b

SHA256
52ec14f5676bd5c5015701b0d5625f538b3cb111bd657022d3c314e54c9d7682

SHA512
42515c01ef342460cc8e16e600cbdd6a66a59ff61b34e0abc23878c10e5c313f80faf172b33547d4b47286ef5baf0435407228761cb4813b833c6b1ea0f4e090

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
41KB

MD5
d9c006eb3258ed4ecd6226cf6cd17f51

SHA1
a87dd4da68572c97030c521183d67ee30dda8633

SHA256
6ce7958a03ba38d182e4376c0659b2de4662548dec25e9f318e1bb37c1ca462d

SHA512
db93c453e5fc2a20c6a2659bd915fec123927f51a7e242810a8fb32dd09e9ffa5cb7caa08a79e2d425eecb457f65afad7d9f05acbfb32036d745fb8d66fab632

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
76771ee1828e001c281c64d78b6e8724

SHA1
7143725b5fff1a3645541124353a0d7a1f1dd48c

SHA256
d4b0c2556e513dfdeb94ff79cf682daafa09c60b61521b21fd9ea8dde6a59544

SHA512
f1adce9e28e3e06cc867c7699279606c103f7ef6a35565090c97b35a7bdea9930fecc38d18ebdfce21ea8b140a8c867de3c1445bd4bd770ee716d350217e4320

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
11671444b97103f8e3ef9c8f9f133d99

SHA1
de6ff057657aca70a14a247afefb4e4d7a167531

SHA256
5b8f5b6b0382cec6da9514b736b0fbff7da67d243452a986c87c489a95da4c3d

SHA512
8136878748b214601af27cbd59bfc33dd4c6a6a246e141714de30121dc638de8eb86da47781b676f1211e9f4f99285fa79c9c587179904f8f5c819d2346d387d

Download Submit
memory/2296-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2296-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2296-18-0x00000000002D0000-0x00000000002D9000-memory.dmp

Filesize
36KB

Download
memory/2296-28-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2296-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2596-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2704-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads