Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 07:59

General

  • Target

    8dbe665aad05f41f0a75ee7c75ff52ed92cac1a2508b7e0377a0d3ba25b9b3ed_NeikiAnalytics.exe

  • Size

    352KB

  • MD5

    4e41691f5254bbf8e942f71e4c36de50

  • SHA1

    c49937d0c62667a79c2dea5daeb0de3607d49231

  • SHA256

    8dbe665aad05f41f0a75ee7c75ff52ed92cac1a2508b7e0377a0d3ba25b9b3ed

  • SHA512

    d05145486f5793d9aa07645863a39538aee36c7541e5082b223f2bca73da8654bbffcb28b843cdfd820a60e9f766602d3a772804e39d4e304fab3f83f9d74cf3

  • SSDEEP

    6144:0Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:VKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dbe665aad05f41f0a75ee7c75ff52ed92cac1a2508b7e0377a0d3ba25b9b3ed_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8dbe665aad05f41f0a75ee7c75ff52ed92cac1a2508b7e0377a0d3ba25b9b3ed_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    3693fd7e258a446754c2bc33b5035a6e

    SHA1

    a5f205c208fab6b676d7794f93eb7d5344c0e013

    SHA256

    108e09de9f2560240b87be5225aed54393b1e46afbf4ee42de2b4fbc7ec82a54

    SHA512

    5956726e925a762b1bed1d99e8cfb1857ab0695ebf1a362a494724f349c052143cbf6480aeb1d25017acec69a19336a337a01ea9447010ecc2e1adfec00048a2

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    1f7c561387b69a4dbd59d3d620f486bf

    SHA1

    7d131cdc845be3fb8842fb9a9bf89fa41390021d

    SHA256

    0faff39ff2d64ee26e968db17c4cbce2d003d0cdaecce69d30e93843a474e0c4

    SHA512

    aa2996db4fb9609cd6bfde224622b925d563974e03f6c97f849c8aa048c45c5c23894b3bf0aa716ed23d6beebbd2fee557605f3acd20174f884c25b9f37afd56

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    b17953e3cef76988b97c23f05f23af26

    SHA1

    bef6214cb74d46c1a3d18dfd3474af4b2c358f27

    SHA256

    0b9f56383af586bd7d0793b2259da575f40df43b002fbc47cb498f83a575bcb9

    SHA512

    eb85de1f22b48c895171db24b908b0a3a54c221c9b78b966628cc205cb9c2ecbd1baae636743c97cfe9988da82534f952475d015a7e8702b5755878a3c32d4fc

  • \Windows\SysWOW64\smnss.exe

    Filesize

    352KB

    MD5

    b2ae6c132a1ff3cffafa5737301a79a6

    SHA1

    88a2242f553ff29444d71196c9f58cbad5c13072

    SHA256

    800a5a2e3bc508e8e48e980f72201822d6ef2a3f31d0440da1fb94417d56f013

    SHA512

    198ac307f5ece4deac8f6294bef2c8ce8763f9d9bc435ac6c3abfe5f9867c89c3f9ce95aa6f6bc313a4f86e7512d370e52cb9e05f108f6ac8edb91cae0525eb0

  • memory/1312-27-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1312-25-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1312-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

  • memory/1312-0-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1312-16-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2604-33-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2604-40-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2604-43-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2652-26-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB