Analysis

  • max time kernel
    146s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 04:03

General

  • Target

    5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe

  • Size

    2.3MB

  • MD5

    5cece2b38365e871d77c40f184bcd4a0

  • SHA1

    54cbe07bd2ba9dd35359ac8ca73bd4e0bbb927a8

  • SHA256

    b8728af4c235ea85ff169eb1f72aacb57bf936f397ff8c4d94707d3d4adb96ea

  • SHA512

    30d2d32ff00dc798eae6c2327678536c3ff9db31921e3f87a13f7dd535777c81c83fb0e1e19ec3ecb14f3ca29072ae6732c80f4689ad49481cf5fa14a86b566f

  • SSDEEP

    49152:jjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:jrkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 892
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    1a21dcf2a7225f3b59e6dc22f0a5384a

    SHA1

    8dd03c541eb1686e2923d78140d0f0f334bbbe98

    SHA256

    e8e7a23e4380a7e3abb341eea00957dbd8b26b96fee06d176d849acf4c3fbe62

    SHA512

    a7ce44362caee2a60d5024453f43bb81f6bc609521a7040a0146c2076edcffa99ed7c9d2b493a5ce77ba9e33bcf17af719a909c00af1d8bcc48f0ca0758c817d

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    2.3MB

    MD5

    5ae79de223fde4b8f7478f3a2ab9f9b1

    SHA1

    a612a089389bfb824804dc808dddf466180740bd

    SHA256

    690fa9b04608f81b34c579a35b2033e67cd66049bbea44929132d5108e039d8a

    SHA512

    f93140a7eaecbc6d4dac72c34e477c600af862358f39140edae73739a9d4c976cc8a748a7e157997a8d651a59d4f611cb290f2490434995866e519dd70345c54

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    8f4d4cabb1501bd1d0d9958fb8245cea

    SHA1

    3cfa4b48374db3adeb12b948fe0f5d0db448384e

    SHA256

    c4d83c503a5f3b4437971ae9fe0e94b2c082f28c4562abb174cede407cf4435e

    SHA512

    2757f94616cffd0aa9dd07eaf8647762f58a1404aa377ab9ad2df760775a0da7c5111c44a1dddeb4cbc35642ef23c5104e7af7d605f8e49130c0e08fa0c80421

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    77b07d50f1cbb4bad146ab69272d6d05

    SHA1

    351411e58c9bd4779bcec46a138c36fd9bcc77ae

    SHA256

    068ae574d7ceba398d2f66ee83bd92d666af2667617ca83a37dbb0ffca31f6e4

    SHA512

    1da14904d9aad88506b13098cf47b60e985c8bada173f8a95fcea10e6a2980f5d9e3ee517b698bbcdc3f5c7f5bea7e3aff6babcba5eb8baec1b6edea210b467a

  • memory/1992-26-0x0000000002900000-0x0000000002909000-memory.dmp

    Filesize

    36KB

  • memory/1992-13-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1992-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1992-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/1992-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/1992-30-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/1992-31-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/1992-24-0x0000000002900000-0x0000000002909000-memory.dmp

    Filesize

    36KB

  • memory/2500-36-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2500-29-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2512-38-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2512-39-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/2512-46-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2512-50-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2512-54-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB