Analysis
-
max time kernel
131s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
16-05-2024 23:11
General
-
Target
5329cdeaab5392b315d8c3b9770a9e60_NeikiAnalytics.dll
-
Size
120KB
-
MD5
5329cdeaab5392b315d8c3b9770a9e60
-
SHA1
f4f951c659c043800bc49ba30c4f7a09d408871d
-
SHA256
4298482bcd2d34520996a6ab20852c53e071db85e2b2b0a9dada3ad9725464a3
-
SHA512
a38c8aae47e3734bb4d22a44b5216153278e7067a250fff601305ee2c4d20796f64a211999daab61d4856d1097c2c5e63e2f62727f84f97d22b7ee3d20c1c3bd
-
SSDEEP
1536:1lAcs9dMUkD2j5pEZtutIJmJynO4VJmV0WKCJ/uhddHYVnBPW5cp415XtC2KW6Ar:DARMdycZtutINVQcCJWd1YpVNp41621
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5329cdeaab5392b315d8c3b9770a9e60_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5329cdeaab5392b315d8c3b9770a9e60_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57415e.exeC:\Users\Admin\AppData\Local\Temp\e57415e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574258.exeC:\Users\Admin\AppData\Local\Temp\e574258.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e575d14.exeC:\Users\Admin\AppData\Local\Temp\e575d14.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57415e.exeFilesize
97KB
MD50f5e7469fc03ad46251eb7501f1cbff5
SHA130f63ee0e3b82a4c53e9b459111c4b3256f833ef
SHA25629b47ee57b43981d78ae40b5c32ce38211cfaade9f8d342612e734616e07c601
SHA5128d28af2f376c22a3c649d2594905283fe3ece5953e11f62c5c42d372b668dc8b00c224fe5e65511db0689280a15b8b1a4b40864172f26d12230a02bf9e1f51de
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5387e3f91771e1ad7ef3eb3b12c8017e0
SHA117610bd21f214ac62127041ad07db60d93dd44e7
SHA256ea12a9ba61c70cf68f8c9bb484ec1f72f448607112c0232a03dc06bde1d2fe63
SHA512add1a3a6a1e7046f5fd33772ec53fcdae1254e1d1b820e81f7db15c45cae5917703b22587af6ec8939a833f53b84701d746bc4f5243f9e3f35dde0b8123b4b32
-
memory/2336-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2336-112-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2336-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2336-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2336-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2604-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2604-17-0x0000000003D30000-0x0000000003D32000-memory.dmpFilesize
8KB
-
memory/2604-14-0x0000000003DC0000-0x0000000003DC1000-memory.dmpFilesize
4KB
-
memory/2604-13-0x0000000003D30000-0x0000000003D32000-memory.dmpFilesize
8KB
-
memory/2604-30-0x0000000003D30000-0x0000000003D32000-memory.dmpFilesize
8KB
-
memory/3108-61-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3108-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3108-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3108-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3108-125-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3108-127-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3408-42-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-26-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-9-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-6-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-37-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-36-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-38-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-40-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-39-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-8-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-43-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-11-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-53-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-54-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-55-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-27-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-28-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/3408-29-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/3408-32-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-16-0x0000000001B00000-0x0000000001B01000-memory.dmpFilesize
4KB
-
memory/3408-31-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-66-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-67-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-70-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-72-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-73-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-75-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-76-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-77-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-85-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/3408-87-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-88-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-108-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3408-94-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-12-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-25-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-10-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3408-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB