Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-06-2024 04:03

General

  • Target

    5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe

  • Size

    2.3MB

  • MD5

    5cece2b38365e871d77c40f184bcd4a0

  • SHA1

    54cbe07bd2ba9dd35359ac8ca73bd4e0bbb927a8

  • SHA256

    b8728af4c235ea85ff169eb1f72aacb57bf936f397ff8c4d94707d3d4adb96ea

  • SHA512

    30d2d32ff00dc798eae6c2327678536c3ff9db31921e3f87a13f7dd535777c81c83fb0e1e19ec3ecb14f3ca29072ae6732c80f4689ad49481cf5fa14a86b566f

  • SSDEEP

    49152:jjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:jrkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5cece2b38365e871d77c40f184bcd4a0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:6084
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    c10cbadb713eedc488d8ed28f77e9c1a

    SHA1

    90a2d0b74fc617f2a23cea6fe74153e4b87724ce

    SHA256

    c36ddeb6f169494f7a987263a59feee9cfa3a35ea0b8299cdc1996ba83dd97c8

    SHA512

    e50b44062b258a5ef9f072c4ba01732035ea2b2b1be57ca69ef1c1a8f889d3ae76e03cd6f0d914d22c0f371c37c91f31b409ef6597649b501aa07fabf703a7c4

  • C:\Windows\SysWOW64\grcopy.dll

    Filesize

    2.3MB

    MD5

    d7a5f0c29a0d6a263e3f5389ba8ffe5a

    SHA1

    96e3d26adaf8cc526e67d2045b8f043784073570

    SHA256

    a04d92c38fa5d724950f1881742b8c7975b0d69bd91a296fad08e83a6863b02f

    SHA512

    62f701e45b6f482a835060840a920782e56c755c5ff649355778cf78dec898f357146c78843cb65b97c579ad031717c05c6b572d9d4205ac57c847ad8b0ebb02

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    bfd43f98ba1d526b6aad2b5d581bba0c

    SHA1

    35cf64511142d0d99df1362e4fd537d05ee793e4

    SHA256

    e751bc67c72fd8f30986b8602f7c0e3414b110caaa69eaf4cc4910538de3a0eb

    SHA512

    482ef7878f04a848e7f015030164037f6fdb9f85978db39e6d2582cb6935c7886fea05066458ca64d648522402e2b6d9623c18165d1f4ce077e6f0f1f31ae170

  • C:\Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    125fdaa866cd05822d317ef22038d78f

    SHA1

    f7d0db89f1d77ccf5f533810384d1d9e1f742caa

    SHA256

    f4c7590b277a3cb9e5d336ee4f3702252e9780496641b3505b1f1263579540ab

    SHA512

    58e3e84e22a81ed832e564671cb4dcb45fa9e710caf12a0cc9daa4a11f036f67ebe045ce7075cb4fd93a9487700ab9f72a4648fb428a19b2872f2151aa7e702e

  • memory/684-41-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/684-49-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/684-47-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/684-51-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/684-46-0x000000007FA70000-0x000000007FE41000-memory.dmp

    Filesize

    3.8MB

  • memory/684-45-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/684-32-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/684-43-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/684-33-0x000000007FA70000-0x000000007FE41000-memory.dmp

    Filesize

    3.8MB

  • memory/684-40-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2156-24-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2156-29-0x000000007FA70000-0x000000007FE41000-memory.dmp

    Filesize

    3.8MB

  • memory/2156-28-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2156-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2156-19-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2156-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

    Filesize

    3.8MB

  • memory/6084-27-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB