Analysis
-
max time kernel
138s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
17-05-2024 03:31
General
-
Target
99d3b9d3f97f1e0af1dd1d1e4ae5bdb0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
99d3b9d3f97f1e0af1dd1d1e4ae5bdb0
-
SHA1
0d249d14cd44f1c7ddfe2fa62da876b1cf8061c5
-
SHA256
a72c4699fc3b7eac096dfc49cd89f7319838ff268fc554da231126fad77bdedb
-
SHA512
c74c72d35203024f18b643e9e6e40995fa7b5a2c48115ef1f679bd451713d425502159f14ee405004b50ea6d82718a8ac22435899414869552f59d73592d8b80
-
SSDEEP
1536:lrCTagNIaz7khu0y6YfQ7BU+BNxiX9VVMg7bln/8n79D9mGtAysjSPWj:le1R7khuvfQBtkVG6bF/4DntejgWj
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\99d3b9d3f97f1e0af1dd1d1e4ae5bdb0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\99d3b9d3f97f1e0af1dd1d1e4ae5bdb0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57537f.exeC:\Users\Admin\AppData\Local\Temp\e57537f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575534.exeC:\Users\Admin\AppData\Local\Temp\e575534.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576f73.exeC:\Users\Admin\AppData\Local\Temp\e576f73.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576f83.exeC:\Users\Admin\AppData\Local\Temp\e576f83.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57537f.exeFilesize
97KB
MD54015d01e867de192cd7121f087a0ad2c
SHA16e09432af4d03ec692035f6f478e6544bdac3df3
SHA25611603d0e4b078954eeda79c407f8c0981737c7d6663115c98feb051a68385e8c
SHA512398c693aa9052781bb71dec4d2290dbbd70b5dcae0b144e6e15c50d40bf612c38d951e94d0c1c13e6984499bf6861198ca084a185d21c97e9b629b7c2f096f9d
-
C:\Windows\SYSTEM.INIFilesize
256B
MD5be7b675664e869b2817a6b67a9a69186
SHA1ab75e7b9f7814af376d725a65d5417f3c21d6e79
SHA2560e9d2d0cd763e79b190169bdd06ffc1cd2e361056727bca867ebf18e163e0f76
SHA512bd0fdf9a2f41b21ac4c5cdcc8227bb31b2414d6c68bd0d9942aec85338ecf8de86ae3c3db632cd0da9a108994c989c5a7f2db8d7d7968a22e92cbe366ac70d49
-
memory/944-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/944-121-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/944-36-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/944-64-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/944-72-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3436-170-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3436-133-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3436-169-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3436-57-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3436-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3436-69-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3436-74-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3696-58-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-85-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-12-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-10-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-8-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-9-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-29-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-37-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-38-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-39-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-41-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-40-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-43-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-44-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3696-20-0x0000000001B40000-0x0000000001B41000-memory.dmpFilesize
4KB
-
memory/3696-11-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-60-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-62-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-15-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-16-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-13-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-14-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-117-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3696-105-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3696-98-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-32-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3696-35-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3696-75-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-76-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-79-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-81-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-83-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-84-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-97-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-89-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3696-95-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3856-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3856-67-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3856-73-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3856-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3856-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4768-17-0x0000000000940000-0x0000000000942000-memory.dmpFilesize
8KB
-
memory/4768-30-0x0000000000940000-0x0000000000942000-memory.dmpFilesize
8KB
-
memory/4768-31-0x0000000000950000-0x0000000000951000-memory.dmpFilesize
4KB
-
memory/4768-21-0x0000000000940000-0x0000000000942000-memory.dmpFilesize
8KB
-
memory/4768-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB