2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855

General

Target

2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Size

2.3MB
MD5

c8d10638d48535fcd5b79c9efbc35280
SHA1

6d87ad1bd3ffc2845c4c4f14d1e3a6c49e917c1e
SHA256

2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855
SHA512

47906454d26f8554b35c89ed256a79c2c19325ccae815fb7ea0649337572cc760e2cb3db5f669a3d91911f4827bed2a9be27c76623d029ecbb0b3e920f7bf955
SSDEEP

49152:4jvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:4rkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002338b-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2628	ctfmen.exe
1872	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3688	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
1872	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\grcopy.dll	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\satornas.dll	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3688	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
1872	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2456	1872	WerFault.exe	96

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3688	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
1872	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 2628	3688	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe	95
PID 3688 wrote to memory of 2628	3688	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe	95
PID 3688 wrote to memory of 2628	3688	2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe	95
PID 2628 wrote to memory of 1872	2628	ctfmen.exe	96
PID 2628 wrote to memory of 1872	2628	ctfmen.exe	96
PID 2628 wrote to memory of 1872	2628	ctfmen.exe	96

C:\Users\Admin\AppData\Local\Temp\2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e5fd712c7d1d156bf6c56933f4c49db8ed1f83804b35c64260e93cb30cde855_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1476
      4⤵
      Program crash
      PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3772,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1872 -ip 1872
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
adf824216f0c639c288847789a87f5ef

SHA1
65ab7c5ce5e8ac586349405c642d8fc1b7afb8b5

SHA256
e09b36dd4d937e32bea5d341580374e7c4414c381bec6b0e89dc20d274b73a24

SHA512
0211053f442147d488a8e5c331abfab6fe8569af77d4dbbbbe233f529b553d8eafdeadb84c4750bcfbd1d06854ba86a0bc08c5e1af171013db41ba1677a891e1

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
2.3MB

MD5
5cac3dc9830a76938ad266ae060fe323

SHA1
523e63dd403ee4bb5283e84ad4692915adaf34d9

SHA256
6cee313b1c01ca7028cfb6e3e7292b36d1b39924be8c6ed9f2e3eecf6c0de6f1

SHA512
3c13319f629fa80b7abd53f714ba7dfaab1724e4292d833f66b5bc9d90212c527529b2f4ce7098d785106fa7fd6aabf65b1f8edf470a1255cbf3ef5c6bc41d9c

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
6c6d5893f55527eb6d405b2f56af0464

SHA1
c392ed68e44e504450660d0fbfb2efc5dc2cd2a6

SHA256
a99b9d13749f4537704b1120dea2ec2ff76f172c31fb5f037ad456ccc2f09f13

SHA512
14ea64d16d9c08d2134ad2fe116ab59a90c4695ed985445bdf10711babc18a138933f6c28c6b86bdc79ff522be40fff26f6592d25536ee0ea73fe86ab8375333

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
a644fd4540d26ea5ac0940323e04bb32

SHA1
cd93521bec128a4f9ef57d036eea1d48149264a1

SHA256
56d9108b32112fe9f055cbb94aebfd56971c8d860780a489dd1d40d621517e16

SHA512
badc8e0914ba0f3928e417de603d232ea3c050ca0312fd39ae0157c698d6e5550c9c3dce1bd26b39ba09102a4272d2f6f9f3901993508758f50a725f3ec77aa3

Download Submit
memory/1872-34-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1872-33-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/1872-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1872-42-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/1872-44-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2628-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2628-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3688-19-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3688-26-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/3688-23-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3688-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3688-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/3688-2-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads