Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
16-05-2024 23:41
General
-
Target
5a95e71afa7321983863504bd04a4f30_NeikiAnalytics.dll
-
Size
120KB
-
MD5
5a95e71afa7321983863504bd04a4f30
-
SHA1
fa0a2516257a5ac1ed6ee6cce187b0e6bb2b7c40
-
SHA256
d9d3ce0fbbee2339b50632a2074764ce282b376993de9b5a2ca15c1285933a8b
-
SHA512
7053a9af179cf5c5355f49f251ea842095847ae85fd0eb6e74e76e2627dd9f57a695b6b995ea655a8185466f42ff172968b2eab798a605ab657ae47f9ac8cfe0
-
SSDEEP
1536:yq6zAcgLaSZ0Wx2jhcVBNdyNK3be65sp5oaO3GzOUNSS9Q8gpVlWNHHKATrmnJue:IsSWx2jUON0bejzyejFQ8g1qHqATinz
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5a95e71afa7321983863504bd04a4f30_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5a95e71afa7321983863504bd04a4f30_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76225f.exeC:\Users\Admin\AppData\Local\Temp\f76225f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762694.exeC:\Users\Admin\AppData\Local\Temp\f762694.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f76422e.exeC:\Users\Admin\AppData\Local\Temp\f76422e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5f358ffb36ecf9ddf75d6ccedfd79ff23
SHA1aebb1d05215cabe30e6f5f323678a52c7ac404af
SHA256c4d6e3ed05a104911df9b3311282f2dbad3b791bf2cac6d12a4c207ae1331cf5
SHA512b020c8f1ef8fb55841013a13c9cf75e4f5891ca9fc7627f2c1c82180a2d910880aeda303b48f631d2304db4d421fea901dcb01e3443c8f93ad564133fb30bca8
-
Filesize
97KB
MD561e6cdae2a508f3a351073dc2c63b13b
SHA178aa12c40e1a957fb0c1a160547dae00ea5fcea2
SHA256c0eb9792103d51b9ec5355c50185528b84b5c7d1959c6406c4a61c9901ceef5b
SHA5123ca1b4bc543bb1a54e2ba80456e344fd83c0348c87baacf91c14bbce554e6c12452e63ea9ef58953c2e14434d98ed949c242aff3d00a60aede79fb767d754005
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB