Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
17-05-2024 03:31
General
-
Target
99d3b9d3f97f1e0af1dd1d1e4ae5bdb0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
99d3b9d3f97f1e0af1dd1d1e4ae5bdb0
-
SHA1
0d249d14cd44f1c7ddfe2fa62da876b1cf8061c5
-
SHA256
a72c4699fc3b7eac096dfc49cd89f7319838ff268fc554da231126fad77bdedb
-
SHA512
c74c72d35203024f18b643e9e6e40995fa7b5a2c48115ef1f679bd451713d425502159f14ee405004b50ea6d82718a8ac22435899414869552f59d73592d8b80
-
SSDEEP
1536:lrCTagNIaz7khu0y6YfQ7BU+BNxiX9VVMg7bln/8n79D9mGtAysjSPWj:le1R7khuvfQBtkVG6bF/4DntejgWj
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\99d3b9d3f97f1e0af1dd1d1e4ae5bdb0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\99d3b9d3f97f1e0af1dd1d1e4ae5bdb0_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760f4c.exeC:\Users\Admin\AppData\Local\Temp\f760f4c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7610f2.exeC:\Users\Admin\AppData\Local\Temp\f7610f2.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f762ae7.exeC:\Users\Admin\AppData\Local\Temp\f762ae7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5ec065997b770f85fd20c8679e35e8894
SHA144dc3c43dcdb5da5f5fd4eca48ab91fa6fbb69e5
SHA2563994de6d60586a578bb3bd0193b1ddf8d4b374b34d662b97d8d5fb9fed1ef6cc
SHA5125bbc16e7bebd7cd1bc2acced61913bf765fa0e6114444d45638e9a22a544f0ddffc3ab75a1cde5d9e87a789a3b2c874cef9525bcedc52985e2d4373a5aee8299
-
\Users\Admin\AppData\Local\Temp\f760f4c.exeFilesize
97KB
MD54015d01e867de192cd7121f087a0ad2c
SHA16e09432af4d03ec692035f6f478e6544bdac3df3
SHA25611603d0e4b078954eeda79c407f8c0981737c7d6663115c98feb051a68385e8c
SHA512398c693aa9052781bb71dec4d2290dbbd70b5dcae0b144e6e15c50d40bf612c38d951e94d0c1c13e6984499bf6861198ca084a185d21c97e9b629b7c2f096f9d
-
memory/1120-24-0x0000000000410000-0x0000000000412000-memory.dmpFilesize
8KB
-
memory/1204-37-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1204-39-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1204-47-0x00000000001E0000-0x00000000001F2000-memory.dmpFilesize
72KB
-
memory/1204-33-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1204-9-0x00000000000C0000-0x00000000000D2000-memory.dmpFilesize
72KB
-
memory/1204-81-0x00000000000C0000-0x00000000000C2000-memory.dmpFilesize
8KB
-
memory/1204-77-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1204-10-0x00000000000C0000-0x00000000000D2000-memory.dmpFilesize
72KB
-
memory/1204-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1204-36-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1204-34-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1508-62-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-65-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-18-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-16-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-15-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-23-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-22-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-19-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-60-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/1508-59-0x00000000004B0000-0x00000000004B1000-memory.dmpFilesize
4KB
-
memory/1508-61-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/1508-63-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-21-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-64-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-66-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-129-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/1508-68-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-69-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-14-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-20-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-17-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-84-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-85-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-88-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-89-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-90-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1508-152-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/1508-153-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2060-82-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2060-109-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2060-110-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2060-170-0x0000000000900000-0x00000000019BA000-memory.dmpFilesize
16.7MB
-
memory/2060-204-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2060-205-0x0000000000900000-0x00000000019BA000-memory.dmpFilesize
16.7MB
-
memory/2564-108-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2564-99-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2564-100-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2564-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB