Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
16-05-2024 23:11
General
-
Target
5329cdeaab5392b315d8c3b9770a9e60_NeikiAnalytics.dll
-
Size
120KB
-
MD5
5329cdeaab5392b315d8c3b9770a9e60
-
SHA1
f4f951c659c043800bc49ba30c4f7a09d408871d
-
SHA256
4298482bcd2d34520996a6ab20852c53e071db85e2b2b0a9dada3ad9725464a3
-
SHA512
a38c8aae47e3734bb4d22a44b5216153278e7067a250fff601305ee2c4d20796f64a211999daab61d4856d1097c2c5e63e2f62727f84f97d22b7ee3d20c1c3bd
-
SSDEEP
1536:1lAcs9dMUkD2j5pEZtutIJmJynO4VJmV0WKCJ/uhddHYVnBPW5cp415XtC2KW6Ar:DARMdycZtutINVQcCJWd1YpVNp41621
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5329cdeaab5392b315d8c3b9770a9e60_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5329cdeaab5392b315d8c3b9770a9e60_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761777.exeC:\Users\Admin\AppData\Local\Temp\f761777.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76194b.exeC:\Users\Admin\AppData\Local\Temp\f76194b.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763360.exeC:\Users\Admin\AppData\Local\Temp\f763360.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256B
MD5aca69152b039f1528909d2ea53640775
SHA16e6870af6ffcf186ac5592e7eff1f05c8c89bd34
SHA2569950aa1af9c378861f04a65f2a535a86a289cba1a478a974d95431adbfd7bfda
SHA512cebf8ef450d5c182505af921ea01b4ac8840209ba6d014ba046d68192c5109cdce57c899d6ef405ed4cd79b2a12530c1eeb889d6489adceb3c5185942c23b27c
-
Filesize
97KB
MD50f5e7469fc03ad46251eb7501f1cbff5
SHA130f63ee0e3b82a4c53e9b459111c4b3256f833ef
SHA25629b47ee57b43981d78ae40b5c32ce38211cfaade9f8d342612e734616e07c601
SHA5128d28af2f376c22a3c649d2594905283fe3ece5953e11f62c5c42d372b668dc8b00c224fe5e65511db0689280a15b8b1a4b40864172f26d12230a02bf9e1f51de
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB