052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7

General

Target

052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Size

352KB
MD5

d5df833c0ce25ac076226cc6d3a37f40
SHA1

9b969bb1429394b73affb775ed48e619955e871e
SHA256

052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7
SHA512

dc82bf4731c7569cf1670c893e6d207e1da125ddb040c335dd4cb95d5788a079820530cdc3a22091f075556627a25136f1bb967a5911ba9c5a82d4ff7f4d26f2
SSDEEP

6144:cIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:tKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000235ec-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3372	ctfmen.exe
2080	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
2080	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shervans.dll	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2260	2080	WerFault.exe	98

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3372	1044	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe	97
PID 1044 wrote to memory of 3372	1044	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe	97
PID 1044 wrote to memory of 3372	1044	052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe	97
PID 3372 wrote to memory of 2080	3372	ctfmen.exe	98
PID 3372 wrote to memory of 2080	3372	ctfmen.exe	98
PID 3372 wrote to memory of 2080	3372	ctfmen.exe	98

C:\Users\Admin\AppData\Local\Temp\052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\052929843e0a7c31eec345051ace63173d87bce5b8fdfd98ea2aeaff6d255db7_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1324
      4⤵
      Program crash
      PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4040,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=3024 /prefetch:8
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2080 -ip 2080
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
4004989859265ae8e0d2dac5ee2ac3de

SHA1
241708cbc4aa38a555da68a362dd9ba1d9f3709a

SHA256
a744de145c20d285f3941584cd053b0d9eaef8ca6108be07d607c22aa0cccd0f

SHA512
44ef6517d7ba1d4e73dd965c910093dbf4a33e029e44d94016db4fddf2a278032a9e6dc45620a998dae7b1bce75883ce72419c197e4f7c1809e7ff8ad3ac46e4

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
352KB

MD5
9c7f33031f31872edc48c13392f91456

SHA1
e036ea306a214b4453b10ce32bc8db77cdd06ee4

SHA256
761a5cacab09b236dc3361e079b907c5a21742878bab1d73a3c0d12f6957c493

SHA512
fb46f567ce8e97b5d850fad82389e36401364a6e90f6d8c7a2b82909bcb529364a4de73f1940ae25e42bbee6ad4fa3441229d02adda27fb76ebac41b6140aa7f

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
38d024dfbade0a6ebdb471aad6338bb8

SHA1
c55f18a2c19956cb7a13d4aec12ba7220811207e

SHA256
2abdc8841d832fdf484380a516e6d48d1f41ee26f093aa0adfb7a5fc177cec95

SHA512
016b88729c525c8d01b2564b0c2079713d07c8e7df038d902c4e3c7d4cd2e605fdaf641becdd2e686ef991906e91385e83fef8a95fd5e2c7d719945000bdb843

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
52538c0c3b0e7e94f3fc6be54fd3e661

SHA1
24ff6d3b0926ae9246d579d7229a3af8be389b1d

SHA256
24869b7aed6048790b9d2087d5354fdb5084480b43901a4a8aa202713b7bda74

SHA512
968242665f214bb4060e721a4c4cce6798fe7cbc3e9457ed0d0a44549bee24c44a228aba97086ba8e5d42f95cf1b69c18b897a24f82374fa891e0d69e608fcd9

Download Submit
memory/1044-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1044-23-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1044-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1044-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-32-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2080-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2080-40-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3372-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3372-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads