Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-05-2024 02:27
General
-
Target
89e46153d428fec4239503765c83adf0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
89e46153d428fec4239503765c83adf0
-
SHA1
5db7d9495ec9451737f65727530c3735da6e2fb0
-
SHA256
8ea96c78d3b780edcc6df7ef6bc70d150a05ec41d28c5e260bdece033e1837c4
-
SHA512
9e4451d04edfc3c65587b6b20840d298efbae3244195580d3336275fc8064e3f545a3bce8b1ae44186003d5928cbd4b8310ba87e044541ba6e8c519b8dc99057
-
SSDEEP
3072:qgiawSKcuj9DkEiWZYYM43YsIWmpk+rE90:DNwiu1kEd5M1pk8ES
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\89e46153d428fec4239503765c83adf0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\89e46153d428fec4239503765c83adf0_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761999.exeC:\Users\Admin\AppData\Local\Temp\f761999.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761c66.exeC:\Users\Admin\AppData\Local\Temp\f761c66.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763543.exeC:\Users\Admin\AppData\Local\Temp\f763543.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5ea2511ae9454b9cfcf4db58150dc45c7
SHA18e2c7075307830a9bcf0ff524cddc6a2ea80f452
SHA256ad791c445cfece3c03f9a8c9e270740992e8396fb8ea0909fdb430c04fba3839
SHA51273717b344a640e26c2ecb9446b014f9179452da02451a7505ba005fbb5154ab6105751985765613c5d72add88b39bfc36a8e67ffa379c2c0d1a477e952487b46
-
Filesize
97KB
MD5f1e527d726e7613a8e47337ee171ca15
SHA1928861c7946f6da73268e3931a65984a666beeae
SHA256911e8b1001f13a8a09daa946bcb8780b46cabaf2a0b3a6e024e7b61909f3d31d
SHA51245f0341bfc31266f28599ad575a02276c36b6cbb178acb9f6e8b0f6dc5c37bcf88bf53adf95635055c53e00455cc5bcb82fb9561a365a57393465072f50cbe88
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB