Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
17-05-2024 02:29
General
-
Target
8a556d77b8953370b9a07d4ebf1a5610_NeikiAnalytics.dll
-
Size
120KB
-
MD5
8a556d77b8953370b9a07d4ebf1a5610
-
SHA1
71a8f4ff990e33a3b606dd9dbc6e26b9b55024d0
-
SHA256
a9c4ad716b593a01e04df95c02c2943ed167989db198dc057fd9a16986461a00
-
SHA512
e8d9d04fc24f24f656aca49e4647b44cd89d8c5629a915d69f51d14ed8aa3fc33011ada8e80b2cca19ad44ea098b5ec73b4fd7dc2074188921aa7eb993611e9f
-
SSDEEP
1536:zzureJadXopl09Zm5gArRWVdJaVRySfP5p6fLagdr6FbzYpmn:zzKei8OZm51h3h7EVdUzem
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8a556d77b8953370b9a07d4ebf1a5610_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8a556d77b8953370b9a07d4ebf1a5610_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761056.exeC:\Users\Admin\AppData\Local\Temp\f761056.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7611bc.exeC:\Users\Admin\AppData\Local\Temp\f7611bc.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f762c2f.exeC:\Users\Admin\AppData\Local\Temp\f762c2f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5a9d6f8318fb66734025af8302005b73f
SHA1d75de0d339db3e5e9377b3881780046ef1705b64
SHA2565e9e490cd3b5dd94ef4d08a05a714d811bdf7a942fab42f782f1c63846eb4121
SHA512d1a4b725909575a488de2218cc64abbe4504e2a8d1ce90907360d3f19b741919de327d01ed1cf81d1e3157deb2906f29d6854a4a705cfb24e13d539b69269fa4
-
Filesize
97KB
MD50d810d782f2adee06bb872d6cc715600
SHA1e6f7a18d91e9635ad1bb52074571587a8ddb95f4
SHA25644e36d0c4140fadb7179afab4664ba615f035a482632bd64a82c3e5304fdc81e
SHA512ede0654045bc3d630d3bc424ec22bdcc0d4260cf4617745be8a39f80eaae4eb472369226fed86b3db6bb246bc33461dccebaab957de735129080923e87269ac4
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB