Analysis
-
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 01:45
Static task: static1
Behavioral task: behavioral1
Sample: 5045544b93190b16c6e376969fd69920_NeikiAnalytics.dll
Resource: win7-20240508-en
General
-
Target: 5045544b93190b16c6e376969fd69920_NeikiAnalytics.dll
Size: 120KB
MD5: 5045544b93190b16c6e376969fd69920
SHA1: 826e569e26a6fa419091318a4197a959f5a2e94e
SHA256: 864a4e026a870c5a36621bdb79bcb822839ce493baec8726f59627a57090d111
SHA512: 7ee029633b6525cbcf2e3d28d36d8937eaca3a2d3fb93f42cd0466f5527b5f36225b9827c77d513e1afb9fe2e6753efb07e894a171c8d049d7975c5bf336300f
SSDEEP: 1536:tDSgoP4FZJPagi7drwMTzukOfCgPzpFLKGWMrr6zCXqd0r4a7hFceecl9cuvy3:ZSX4zG7drT6b31F+aLqdJG7ll
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f761b2e.exe
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761d02.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761d02.exe
-
Executes dropped EXE 3 IoCs
pid | Process
2600 | f761b2e.exe
2688 | f761d02.exe
2844 | f7644be.exe
-
Loads dropped DLL 6 IoCs
pid | Process
1028 | rundll32.exe (6 events)
-
resource | yara_rule
behavioral1/memory/2600-19-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-16-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-18-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-20-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-15-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-23-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-21-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-17-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-14-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-22-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-62-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-63-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-64-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-65-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-66-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-68-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-94-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-95-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-97-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-98-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-101-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-102-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2600-140-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2688-147-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/2688-183-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761d02.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761b2e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761d02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761b2e.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761d02.exe
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f761b2e.exe
File opened (read-only) | \??\G: | f761b2e.exe
File opened (read-only) | \??\H: | f761b2e.exe
File opened (read-only) | \??\I: | f761b2e.exe
File opened (read-only) | \??\N: | f761b2e.exe
File opened (read-only) | \??\O: | f761b2e.exe
File opened (read-only) | \??\J: | f761b2e.exe
File opened (read-only) | \??\K: | f761b2e.exe
File opened (read-only) | \??\L: | f761b2e.exe
File opened (read-only) | \??\M: | f761b2e.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f761bab | f761b2e.exe
File opened for modification | C:\Windows\SYSTEM.INI | f761b2e.exe
File created | C:\Windows\f766c2b | f761d02.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2600 | f761b2e.exe
2600 | f761b2e.exe
2688 | f761d02.exe
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2600 | f761b2e.exe (21 events)
Token: SeDebugPrivilege | 2688 | f761d02.exe (20 events)
-
Suspicious use of WriteProcessMemory 37 IoCs
description | pid | Process | procid_target
PID 1640 wrote to memory of 1028 | 1640 | rundll32.exe | 28 (7 events)
PID 1028 wrote to memory of 2600 | 1028 | rundll32.exe | 29 (4 events)
PID 2600 wrote to memory of 1112 | 2600 | f761b2e.exe | 19
PID 2600 wrote to memory of 1164 | 2600 | f761b2e.exe | 20
PID 2600 wrote to memory of 1208 | 2600 | f761b2e.exe | 21
PID 2600 wrote to memory of 2484 | 2600 | f761b2e.exe | 23
PID 2600 wrote to memory of 1640 | 2600 | f761b2e.exe | 27
PID 2600 wrote to memory of 1028 | 2600 | f761b2e.exe | 28 (2 events)
PID 1028 wrote to memory of 2688 | 1028 | rundll32.exe | 30 (4 events)
PID 2600 wrote to memory of 1112 | 2600 | f761b2e.exe | 19
PID 2600 wrote to memory of 1164 | 2600 | f761b2e.exe | 20
PID 2600 wrote to memory of 1208 | 2600 | f761b2e.exe | 21
PID 2600 wrote to memory of 1640 | 2600 | f761b2e.exe | 27
PID 2600 wrote to memory of 2688 | 2600 | f761b2e.exe | 30 (2 events)
PID 1028 wrote to memory of 2844 | 1028 | rundll32.exe | 31 (4 events)
PID 2688 wrote to memory of 1112 | 2688 | f761d02.exe | 19
PID 2688 wrote to memory of 1164 | 2688 | f761d02.exe | 20
PID 2688 wrote to memory of 1208 | 2688 | f761d02.exe | 21
PID 2688 wrote to memory of 2844 | 2688 | f761d02.exe | 31 (2 events)
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761b2e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761d02.exe
Processes
-
C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID:1112
-
C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID:1164
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1208
-
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5045544b93190b16c6e376969fd69920_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    PID:1640
  -
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5045544b93190b16c6e376969fd69920_NeikiAnalytics.dll,#1
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1028
    -
      C:\Users\Admin\AppData\Local\Temp\f761b2e.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f761b2e.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2600
      -
      C:\Users\Admin\AppData\Local\Temp\f761d02.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f761d02.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2688
      -
      C:\Users\Admin\AppData\Local\Temp\f7644be.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f7644be.exe
        - Executes dropped EXE
        PID:2844
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:2484
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 257B
MD5: 0fff167ad388f94920c4f7a1728b7c64
SHA1: 1ae71ba192a65186511e4a4fc65f5d825ce504f6
SHA256: 22d7732737e5a69f175940540d73c308f4ca59a13e842d59076cc151631e5cc4
SHA512: cd8da25a281dd1de9671d57ed4f56d94d7b4082e5c924a86c851923da13f458a6c16e6efc4b3139c82c7ee86c571440d255eaf36617eca462f4fcb3adc03047c
-
Filesize: 97KB
MD5: 5debde32e4654de86c376edfb40f2bac
SHA1: edbd4c4d583ccde97b1126a3e326b8410cd22ffa
SHA256: e27dea2668bfdb15b8257cbbf8e36e71bc1a8a2aeb276b8aa72806831c1f76a2
SHA512: 411a2099737fa613ae076308fa424f5820388ec73fc5c2ce83b54eb6214c6074e390b7c1c4f1d3431c94bbe4c6fc75a65c0751eef4eb6c35a28d43814a304be0