Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 15:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll
- Resource: win7-20240508-en
General
- Target: 6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll
- Size: 120KB
- MD5: 6f7924bc5c686401699d098dc0498c00
- SHA1: 86b16449afe356b0ab996c9c0b7f4733bf76c3ff
- SHA256: d2070dbf5078d10ae21ce0c59be425827ad6ccadc321e519ec54461c12b49ade
- SHA512: f21790a6a8841146fb7a48bf35a9054141d15280885d43d1f1fe6beb5e3cd9ff5372a4e778b9c94e8e19d0f08ee3a4366b4bbea9fea541bdee2b281efe8450ac
- SSDEEP: 1536:HnRNW0YPy+XeCT2L5YSvHSRSjRU8KBPoo//B6EcjAvf0ArtPOA3:HnRNW0Ya+XTe5YMjTyPooB605POA3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f761017.exe
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763534.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761017.exe
-
Executes dropped EXE (3 IoCs)
pid | Process
2116 | f761017.exe
2184 | f7611ad.exe
1852 | f763534.exe
-
Loads dropped DLL (6 IoCs)
pid | Process
1816 | rundll32.exe (6 entries)
-
YARA rule match: upx
resource | yara_rule
behavioral1/memory/2116-21-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-15-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-19-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-18-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-17-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-16-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-14-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-20-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-23-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-22-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-66-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-67-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-68-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-69-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-70-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-107-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-108-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-109-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-114-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2116-146-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/1852-163-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/1852-204-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763534.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761017.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763534.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763534.exe
-
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | f761017.exe
File opened (read-only) | \??\E: | f763534.exe
File opened (read-only) | \??\G: | f763534.exe
File opened (read-only) | \??\H: | f763534.exe
File opened (read-only) | \??\G: | f761017.exe
File opened (read-only) | \??\K: | f761017.exe
File opened (read-only) | \??\M: | f761017.exe
File opened (read-only) | \??\I: | f763534.exe
File opened (read-only) | \??\E: | f761017.exe
File opened (read-only) | \??\J: | f761017.exe
File opened (read-only) | \??\N: | f761017.exe
File opened (read-only) | \??\I: | f761017.exe
File opened (read-only) | \??\L: | f761017.exe
File opened (read-only) | \??\H: | f761017.exe
-
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f761084 | f761017.exe
File opened for modification | C:\Windows\SYSTEM.INI | f761017.exe
File created | C:\Windows\f766097 | f763534.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2116 | f761017.exe
2116 | f761017.exe
1852 | f763534.exe
-
Suspicious use of AdjustPrivilegeToken (41 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2116 | f761017.exe (repeated entries)
Token: SeDebugPrivilege | 1852 | f763534.exe (repeated entries)
-
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 2060 wrote to memory of 1816 | 2060 | rundll32.exe | 28
PID 2060 wrote to memory of 1816 | 2060 | rundll32.exe | 28
PID 2060 wrote to memory of 1816 | 2060 | rundll32.exe | 28
PID 2060 wrote to memory of 1816 | 2060 | rundll32.exe | 28
PID 2060 wrote to memory of 1816 | 2060 | rundll32.exe | 28
PID 2060 wrote to memory of 1816 | 2060 | rundll32.exe | 28
PID 2060 wrote to memory of 1816 | 2060 | rundll32.exe | 28
PID 1816 wrote to memory of 2116 | 1816 | rundll32.exe | 29
PID 1816 wrote to memory of 2116 | 1816 | rundll32.exe | 29
PID 1816 wrote to memory of 2116 | 1816 | rundll32.exe | 29
PID 1816 wrote to memory of 2116 | 1816 | rundll32.exe | 29
PID 2116 wrote to memory of 1100 | 2116 | f761017.exe | 19
PID 2116 wrote to memory of 1164 | 2116 | f761017.exe | 20
PID 2116 wrote to memory of 1200 | 2116 | f761017.exe | 21
PID 2116 wrote to memory of 664 | 2116 | f761017.exe | 23
PID 2116 wrote to memory of 2060 | 2116 | f761017.exe | 27
PID 2116 wrote to memory of 1816 | 2116 | f761017.exe | 28
PID 2116 wrote to memory of 1816 | 2116 | f761017.exe | 28
PID 1816 wrote to memory of 2184 | 1816 | rundll32.exe | 30
PID 1816 wrote to memory of 2184 | 1816 | rundll32.exe | 30
PID 1816 wrote to memory of 2184 | 1816 | rundll32.exe | 30
PID 1816 wrote to memory of 2184 | 1816 | rundll32.exe | 30
PID 1816 wrote to memory of 1852 | 1816 | rundll32.exe | 31
PID 1816 wrote to memory of 1852 | 1816 | rundll32.exe | 31
PID 1816 wrote to memory of 1852 | 1816 | rundll32.exe | 31
PID 1816 wrote to memory of 1852 | 1816 | rundll32.exe | 31
PID 2116 wrote to memory of 1100 | 2116 | f761017.exe | 19
PID 2116 wrote to memory of 1164 | 2116 | f761017.exe | 20
PID 2116 wrote to memory of 1200 | 2116 | f761017.exe | 21
PID 2116 wrote to memory of 2184 | 2116 | f761017.exe | 30
PID 2116 wrote to memory of 2184 | 2116 | f761017.exe | 30
PID 2116 wrote to memory of 1852 | 2116 | f761017.exe | 31
PID 2116 wrote to memory of 1852 | 2116 | f761017.exe | 31
PID 1852 wrote to memory of 1100 | 1852 | f763534.exe | 19
PID 1852 wrote to memory of 1164 | 1852 | f763534.exe | 20
PID 1852 wrote to memory of 1200 | 1852 | f763534.exe | 21
-
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761017.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763534.exe
Processes (indentation follows the tree depth shown in the report)
- [depth 1] C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1100
- [depth 1] C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1164
- [depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200
  - [depth 2] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll,#1
    Signatures:
    - Suspicious use of WriteProcessMemory
    PID: 2060
    - [depth 3] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7924bc5c686401699d098dc0498c00_NeikiAnalytics.dll,#1
      Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1816
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\f761017.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f761017.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2116
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\f7611ad.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f7611ad.exe
        Signatures:
        - Executes dropped EXE
        PID: 2184
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\f763534.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f763534.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 1852
- [depth 1] C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 664
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: e8050c63a2d6a65a44adf703de2d46d2
SHA1: bee5559436f1c2937514b962cf3ed28d04a7df34
SHA256: 04c95726d7333dd5f54df4925ba9a2feb736439e86fd243199b897f76ff75c51
SHA512: b6a7beaf088f17adb817a32e309a30426eae975231cc9598f32fe97f7f744a4895e9cbd98e46f06f258fca883be7b67850e9a819097858b0778ae6fb2dc628ce
-
Filesize: 257B
MD5: 334c86b6f5b2809733a89fa309a7addf
SHA1: 0df997d6ed59c144c81dd3286a73585325bac08e
SHA256: ba49435982b924d148194c4b54589a4f05bc2f6e240323c27ec4fc29025ed07f
SHA512: 6968020a2d14e073f4ac192f15e143cd7cec7e762020dbc52d3a794d301b1dbda8eb0952bcf901ec891abb3d111aaf0bfb7a6e5a901045bf90dcec8148bdb6d3