50edb27e6cddc703db3a111c061c053b7b8c1bfc3786a40fd1a1d18166271a08

General

Target

90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Size

75KB
MD5

90a0f0f35a6465231c2551bdca76ec00
SHA1

3e85ad4f7fd47aeda0af3cffb341c6874d5ec2bb
SHA256

50edb27e6cddc703db3a111c061c053b7b8c1bfc3786a40fd1a1d18166271a08
SHA512

304257eabccefcb143e8566fd507b384e1e32b82270fa79b41e67752072f19ea4e11d0f8a6f35dc413ae18759303cf43cedb01c8f8df9114109c8cf151be2021
SSDEEP

1536:Ox1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:uOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000233f5-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
5084	ctfmen.exe
4956	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
4956	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\satornas.dll	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3556	4956	WerFault.exe	93

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 5084	2256	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe	92
PID 2256 wrote to memory of 5084	2256	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe	92
PID 2256 wrote to memory of 5084	2256	90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe	92
PID 5084 wrote to memory of 4956	5084	ctfmen.exe	93
PID 5084 wrote to memory of 4956	5084	ctfmen.exe	93
PID 5084 wrote to memory of 4956	5084	ctfmen.exe	93

C:\Users\Admin\AppData\Local\Temp\90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\90a0f0f35a6465231c2551bdca76ec00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1344
      4⤵
      Program crash
      PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
8c2bdbef88b4af41e7fa7855b15719e2

SHA1
9c1a4f125c9918d5199aeb112e9e9b0a48fc27ca

SHA256
d933455a34e8a3a698bf63f99be35cf93112e2301205c81d1f642cae59fd5b79

SHA512
a02bde07942be91a4894c2c660a1acf5dc58856fbc060d72c44e9d8fbb01c75fe22ecaf9f823b35572514c30ea2b313e3433ad401d78fd527c598a056512ae1d

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
58629e4f3a65793806245bb99b423042

SHA1
d393e031bd2f1c22ec9b3a37c2d4ea8128d53869

SHA256
e968d1f3820690868f7595445c1f92547f64c81f1b62cc697d522a815c54cfb0

SHA512
9e348d78ec1f2ea54fa2cd42c2158637b03b349d0fdfa65cd5343f080414c1f7cb46ffcad09110f634b34bd60295432d8de855c91f7867362512e65a37e5f5c5

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
543537767c86fb820c38fee3aef3bcf6

SHA1
699be162575f9862b49579b430f7d97375a17c5c

SHA256
73643501d5e229a431d24458b9b964b79cf3f51c8f49f9bcc0b4e82f5da6cb4f

SHA512
a295e7708e162404b16f1ee6a1f1da12c796051eba130506c5bdb733b4a948e77c5280a7d20c12162d0e80872341b81e2d50f4c88c82e692cdafd2099f6f59b2

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
2e23967510ee6bcea2e45965fdcb5f81

SHA1
268084240e80444b09517e83165225ad004bdb7e

SHA256
468a51da352c0418b378bf4e1ce4b75e5b149f08fa3e4637a809107660db8bee

SHA512
99eca52407b00fd4ca8bc29d8c2fec87843768388d708a69fa73a42d3841545f7aef8d4ee817abb9136d64f36ef8833225b26c908d088edbc28ceded25a2ef4b

Download Submit
memory/2256-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2256-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2256-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4956-35-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4956-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5084-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads