f9ff93f32e20b5a12c53d799eb260c3c032c6001c0875c8c6f8d53bce1ebe642

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Size

143KB
MD5

5d33c7fb1059afb110b42f18f6ef3b30
SHA1

b0cdf935351713eeffe5afb4245bc3a967bdad9c
SHA256

f9ff93f32e20b5a12c53d799eb260c3c032c6001c0875c8c6f8d53bce1ebe642
SHA512

86fad7d1d6b0fd984bc2bd38b76c98519ed517a089e4aa57c13e9797f7591d9564af372730140e7e1b505007dbc4fc6fe45cd11d2f2b7cbb11365854e18fb75a
SSDEEP

3072:IOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPL:IIs9OKofHfHTXQLzgvnzHPowYbvrjD/c

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x002c000000015cb6-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2964	ctfmen.exe
2656	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2696	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
2696	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
2696	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
2964	ctfmen.exe
2964	ctfmen.exe
2656	smnss.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shervans.dll	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\ClearConnect.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2532	2656	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2964	2696	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe	28
PID 2696 wrote to memory of 2964	2696	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe	28
PID 2696 wrote to memory of 2964	2696	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe	28
PID 2696 wrote to memory of 2964	2696	5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2656	2964	ctfmen.exe	29
PID 2964 wrote to memory of 2656	2964	ctfmen.exe	29
PID 2964 wrote to memory of 2656	2964	ctfmen.exe	29
PID 2964 wrote to memory of 2656	2964	ctfmen.exe	29
PID 2656 wrote to memory of 2532	2656	smnss.exe	30
PID 2656 wrote to memory of 2532	2656	smnss.exe	30
PID 2656 wrote to memory of 2532	2656	smnss.exe	30
PID 2656 wrote to memory of 2532	2656	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d33c7fb1059afb110b42f18f6ef3b30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 784
      4⤵
      Loads dropped DLL
      Program crash
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
56c38736d55de7bdce521fc57b543cc2

SHA1
39471bea589ea50b7c2fe6365d847e42e00b215a

SHA256
5681d3d928b1d873a64a9d01d4391ccb8fc2695768e329b06d22faee4b5bcc05

SHA512
92ecc1797a2a1e3d6604a4d04cc0cee4df948d520a5b1fa34c97c001d70bd6adcdd36d61e543e868a78e286d2e4e312a7fec4d30c18b0a45844c91e551c2ad5f

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
143KB

MD5
b27b5f8558608a6f6ee469667981702e

SHA1
b5134758825185ccdcbb56435c996b61f6982b75

SHA256
e5b88b1aaa1dccdd13efaf617492afbc312b268974a6fa59e8acb8274ebfd8f6

SHA512
880be6558cf89af92393d47edc938af0c54f624a5a75d1a42daed4dbbb72f799b0aed29a9d4b655324d24515b01dddfd1e03d751cf5655454ca2a55f3232b2b5

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
40934ae749f0ef8d93fbb4164e0a65c9

SHA1
0f443bfbd18be7952c85b25b9f8cdc25cfa18dd1

SHA256
6a1847db46d9212113a5614fca61e07c5e6c32cb94e29134e872ef4fee26b4ed

SHA512
29f5e416adaab7b595470b83b93782cfe877210f711c534d882712907a028d7b9cc854c043aab246a17931eb0d191daed117ae789680c1db70902a3dbf79c98c

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
98e5b0bdce2565be0a9a1f2d6e2b8b5e

SHA1
af9864d8f6d8ea0b0bfe1f5c9adce01c9cc923be

SHA256
456294f0391730fda6e5f28e9895d7830a598a0d4a013a54687904ee6ee61f7d

SHA512
076ff6168fac80ff6ebb41392ef67d9247cfb05249029a8eac6453f0534adcd8cee213539f4f64a55facae27be55f1f2691cf46e4aa4d99e87acb3cb6f74b4e8

Download Submit
memory/2656-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2656-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2656-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2696-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2696-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2696-19-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2696-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2696-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2964-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads