Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 04:03
Static task
static1
Behavioral task
behavioral1
Sample
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe
-
Size
2.3MB
-
MD5
5cece2b38365e871d77c40f184bcd4a0
-
SHA1
54cbe07bd2ba9dd35359ac8ca73bd4e0bbb927a8
-
SHA256
b8728af4c235ea85ff169eb1f72aacb57bf936f397ff8c4d94707d3d4adb96ea
-
SHA512
30d2d32ff00dc798eae6c2327678536c3ff9db31921e3f87a13f7dd535777c81c83fb0e1e19ec3ecb14f3ca29072ae6732c80f4689ad49481cf5fa14a86b566f
-
SSDEEP
49152:jjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:jrkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
smnss.exedescription ioc process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Windows\SysWOW64\shervans.dll acprotect -
Executes dropped EXE 2 IoCs
Processes:
ctfmen.exesmnss.exepid process 6084 ctfmen.exe 684 smnss.exe -
Loads dropped DLL 2 IoCs
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exesmnss.exepid process 2156 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe 684 smnss.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exesmnss.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
smnss.exedescription ioc process File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\V: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\X: smnss.exe File opened (read-only) \??\G: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\R: smnss.exe File opened (read-only) \??\W: smnss.exe File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\Q: smnss.exe File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\I: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exesmnss.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe -
Drops file in System32 directory 64 IoCs
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exesmnss.exedescription ioc process File opened for modification C:\Windows\SysWOW64\grcopy.dll 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\satornas.dll 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml smnss.exe File opened for modification C:\Windows\SysWOW64\NdfEventView.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml smnss.exe File opened for modification C:\Windows\SysWOW64\tcpbidi.xml smnss.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt smnss.exe File created C:\Windows\SysWOW64\zipfi.dll smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml smnss.exe File created C:\Windows\SysWOW64\ctfmen.exe 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\satornas.dll 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml smnss.exe File opened for modification C:\Windows\SysWOW64\ctfmen.exe 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml smnss.exe File created C:\Windows\SysWOW64\shervans.dll 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml smnss.exe File opened for modification C:\Windows\SysWOW64\shervans.dll 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml smnss.exe File created C:\Windows\SysWOW64\smnss.exe 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt smnss.exe File created C:\Windows\SysWOW64\grcopy.dll 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml smnss.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exesmnss.exepid process 2156 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe 684 smnss.exe -
Drops file in Program Files directory 64 IoCs
Processes:
smnss.exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\README.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\BuildInfo.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\Xbox.Smartglass.Loc.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\BuildInfo.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\index.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt smnss.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreRating\StoreRatingRules.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt smnss.exe -
Drops file in Windows directory 64 IoCs
Processes:
smnss.exedescription ioc process File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_805682e34c6552d0\wsmanconfig_schema.xml smnss.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mccs-syncutil_31bf3856ad364e35_10.0.19041.746_none_aed5253f365b5b9c\LiveDomainList.txt smnss.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\avtransport.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Disk.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\de-DE\Rules.System.Network.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\servbusy.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\26.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-11.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\401-4.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iana-tzdb-timezones_31bf3856ad364e35_10.0.19041.1081_none_7844725cf8ddff9b\timezones.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..lcontrols.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_40b016a173f49507\r\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\Alphabet.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\hololensDiagnostics.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeprovisioningstatus-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4054ef70f69f6ff9\wpr.config.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\HvsiMachinePolicies_ContainerRealtime.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\405.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_501.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-textinput-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\tokens_zhCN.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_it-it_b1e93b97f39c4d00\resource.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\proxyerror.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..p.desktop.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_278c03d4cb0b9781\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\x86_netfx35linq-framework_assemblylist_31bf3856ad364e35_10.0.19041.1_none_2c307273305d92dd\FrameworkList.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Diagnostics.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_400.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\DisableAboutFlag.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\dnserror.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\forbidframingedge.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\080a\tokens_esMX.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-6.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\forbidframingedge.htm smnss.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b0c852643271e4bc\default.help.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\Rules.System.CPU.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.19041.1081_none_21d54f6a980a590b\AllowMicrosoft.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\FX_schema.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404-12.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_757b1fb62148c452\r\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\hololensDiagnostics\views\hololensDiagnostics.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\http_501.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0c0c\tokens_frCA.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-light-progress-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc smnss.exe File opened for modification C:\Windows\WinSxS\amd64_multimedia-generalmididata_31bf3856ad364e35_10.0.19041.1_none_3eae594ef5c099df\gmreadme.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_edda8130b19d4286\baseTemplate.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Rules.System.Network.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Rules.System.Network.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsfin.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_netfx-assemblylist_xml_b03f5f7f11d50a3a_10.0.19041.1_none_d02d4b7bc0e2f0bf\FrameworkList.xml smnss.exe File opened for modification C:\Windows\servicing\Editions\ProfessionalEducationEdition.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\forbidframingedge.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\backstack-chrome-breadcrumb-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\500-18.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\pdferrorquitapplicationguard.html smnss.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_247add106824ed63\default.help.txt smnss.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\about_Mocking.help.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\es-ES\Rules.System.CPU.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-4.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_37a8fc596f462cbc\3.html smnss.exe File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\b4c1984536e5d701139b00001815341f.WebDAV_schema.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.19041.207_none_11794cc79cc85d1d\r\ceb497ee0184aaa4681d2fb2ef242a5b8551eea8.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\http_500.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\proxyerror.htm smnss.exe -
Modifies registry class 6 IoCs
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exesmnss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
smnss.exedescription pid process Token: SeDebugPrivilege 684 smnss.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exesmnss.exepid process 2156 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe 684 smnss.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exectfmen.exedescription pid process target process PID 2156 wrote to memory of 6084 2156 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe ctfmen.exe PID 2156 wrote to memory of 6084 2156 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe ctfmen.exe PID 2156 wrote to memory of 6084 2156 5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe ctfmen.exe PID 6084 wrote to memory of 684 6084 ctfmen.exe smnss.exe PID 6084 wrote to memory of 684 6084 ctfmen.exe smnss.exe PID 6084 wrote to memory of 684 6084 ctfmen.exe smnss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6084 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:684
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5c10cbadb713eedc488d8ed28f77e9c1a
SHA190a2d0b74fc617f2a23cea6fe74153e4b87724ce
SHA256c36ddeb6f169494f7a987263a59feee9cfa3a35ea0b8299cdc1996ba83dd97c8
SHA512e50b44062b258a5ef9f072c4ba01732035ea2b2b1be57ca69ef1c1a8f889d3ae76e03cd6f0d914d22c0f371c37c91f31b409ef6597649b501aa07fabf703a7c4
-
Filesize
2.3MB
MD5d7a5f0c29a0d6a263e3f5389ba8ffe5a
SHA196e3d26adaf8cc526e67d2045b8f043784073570
SHA256a04d92c38fa5d724950f1881742b8c7975b0d69bd91a296fad08e83a6863b02f
SHA51262f701e45b6f482a835060840a920782e56c755c5ff649355778cf78dec898f357146c78843cb65b97c579ad031717c05c6b572d9d4205ac57c847ad8b0ebb02
-
Filesize
183B
MD5bfd43f98ba1d526b6aad2b5d581bba0c
SHA135cf64511142d0d99df1362e4fd537d05ee793e4
SHA256e751bc67c72fd8f30986b8602f7c0e3414b110caaa69eaf4cc4910538de3a0eb
SHA512482ef7878f04a848e7f015030164037f6fdb9f85978db39e6d2582cb6935c7886fea05066458ca64d648522402e2b6d9623c18165d1f4ce077e6f0f1f31ae170
-
Filesize
8KB
MD5125fdaa866cd05822d317ef22038d78f
SHA1f7d0db89f1d77ccf5f533810384d1d9e1f742caa
SHA256f4c7590b277a3cb9e5d336ee4f3702252e9780496641b3505b1f1263579540ab
SHA51258e3e84e22a81ed832e564671cb4dcb45fa9e710caf12a0cc9daa4a11f036f67ebe045ce7075cb4fd93a9487700ab9f72a4648fb428a19b2872f2151aa7e702e