Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
16-05-2024 23:49
General
-
Target
5c8b82efbe08bc1ace58f4b18d452170_NeikiAnalytics.dll
-
Size
120KB
-
MD5
5c8b82efbe08bc1ace58f4b18d452170
-
SHA1
8113f162446f8379bc10ff7f077b4a82e453427c
-
SHA256
ff77211b6940e2fcf655b36c521a73be459b36d1940be93cd5b5f4debb9da5fc
-
SHA512
f09fadb659beab0ee78220d399e74960d1520847b24e16157132c3a079e693216329ea241753cf0d95a712741ec578e8465dad29eb746cc00e528fcd6ae7e540
-
SSDEEP
3072:TTzj7qGxGE+rPDJtRjhFGVAkYGLkmz02K39O:TTjlGjPvCnY8Q2
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c8b82efbe08bc1ace58f4b18d452170_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c8b82efbe08bc1ace58f4b18d452170_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761390.exeC:\Users\Admin\AppData\Local\Temp\f761390.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761564.exeC:\Users\Admin\AppData\Local\Temp\f761564.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f76363d.exeC:\Users\Admin\AppData\Local\Temp\f76363d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5b7b8ac9718537658b0c36852316c3a2e
SHA15a1b7978bb9acb1579bac2edad6790d1affa36e5
SHA25681ed26e2f62210c0dfcfcc9a61be5a69bf4d472e04a1691937c0502bd5636531
SHA51276e48b5a15decb4f30c17da37e59f04b7afaa6c1aaf61e52f247cd519fa7d59f51c41df406c2f15e717dbaba33052fd9bd2322538c04b1466e6e53bbff98ba45
-
Filesize
97KB
MD530bb1a320d706fa531ed6ff558456e0c
SHA1c9a458a40bc90acc6f20169842d39a65a4e5ddd4
SHA256fa08b78a48886a8963aa36ae76bb922c5598b721d43e127de093e862176dc147
SHA512b84fc2bea9bebfb70a0df5ef673c6e94c6ba47c420f28880d5ba8c6c0cdc1dfbe059148c417ee5006df6b7fbe28ce4471909fd8c0c1cbbc70d05675afbd8973a
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB