Overview

overview

10

Static

static

3

8fcdb76412...cs.dll

windows7-x64

10

8fcdb76412...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 02:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fcdb76412a96b10c668b68196b3a850_NeikiAnalytics.dll

  • Size

    120KB

  • MD5

    8fcdb76412a96b10c668b68196b3a850

  • SHA1

    b499fa31a7f3eb9b707f54a77d8ed1f906706495

  • SHA256

    db944cc1ab8c9aa2583aab530d49daae58db084555cb0c3e2b65da0d92b3821f

  • SHA512

    7a03ca6b3ff3cdaf1d77149d48b568775c7b2e6b44d74c1191142deba4037b54a8aa9d145991d19fc3d09bb93dd247bbe203f1848716dca761db02af3a2240f0

  • SSDEEP

    1536:c6W94JW6kR+uZyI/oJwcj6bAHP4yPwO39fxcgcpTw17IovI0UFpqHeN03gd9MK6J:U9sgyI/oJrj6bAHP4nQ9Wwl+FFkH80w

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:772
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:776
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:332
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2956
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:3000
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2672
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3420
                  • C:\Windows\system32\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fcdb76412a96b10c668b68196b3a850_NeikiAnalytics.dll,#1
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4388
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fcdb76412a96b10c668b68196b3a850_NeikiAnalytics.dll,#1
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1692
                      • C:\Users\Admin\AppData\Local\Temp\e5749ca.exe
                        C:\Users\Admin\AppData\Local\Temp\e5749ca.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:3380
                      • C:\Users\Admin\AppData\Local\Temp\e574ac4.exe
                        C:\Users\Admin\AppData\Local\Temp\e574ac4.exe
                        4⤵
                        • Executes dropped EXE
                        PID:3436
                      • C:\Users\Admin\AppData\Local\Temp\e5775cc.exe
                        C:\Users\Admin\AppData\Local\Temp\e5775cc.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:1480
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3516
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3728
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3820
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3884
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:3996
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                            1⤵
                              PID:804
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:1484
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:2912
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                                  1⤵
                                    PID:4968
                                  • C:\Windows\system32\backgroundTaskHost.exe
                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                    1⤵
                                      PID:2220
                                    • C:\Windows\System32\RuntimeBroker.exe
                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                      1⤵
                                        PID:4964

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\e5749ca.exe
                                        Filesize

                                        97KB

                                        MD5

                                        7d10036706cdbc5f0fcb382d89306291

                                        SHA1

                                        40fbe2cdae73d4e7e0884de355abae9a20fc8c7d

                                        SHA256

                                        26fb5508c0aa46661b9c39bc3a994c45c35547248daa3c3306f261f54956164d

                                        SHA512

                                        deaef32dc20900bde5b4054c10aa327a5bc782c61024c54cc6222d23674cc4aeb8aaca122cc0d37534bea7de78cc7bff4f46dd113ed6e276513620a0239f7d39

                                        Download Submit

                                      • C:\Windows\SYSTEM.INI
                                        Filesize

                                        257B

                                        MD5

                                        84be87f0487542ea596132b686556f73

                                        SHA1

                                        5a43a6002c39e4a2c06fb39f45685ba51321ea0c

                                        SHA256

                                        078db2448951590ceebd34174696ccd38d9ce2aa0e200092ede1ba374f5a0dd3

                                        SHA512

                                        71332b5e3a846ba4928babed4f4e543b5615e27012e9d7deaf9141b27587355dc04963b0556a35e972e543701e4f695acb5a8aa0f1b7ffd1d028ce4294af6712

                                        Download Submit

                                      • memory/1480-148-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/1480-147-0x00000000007F0000-0x00000000018AA000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/1480-113-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1480-114-0x0000000004370000-0x0000000004371000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1480-104-0x00000000007F0000-0x00000000018AA000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/1692-28-0x00000000044A0000-0x00000000044A1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1692-0-0x0000000010000000-0x0000000010020000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/1692-14-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1692-18-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1692-27-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3380-39-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-55-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-32-0x00000000019F0000-0x00000000019F2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3380-11-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-12-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-5-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/3380-17-0x0000000001A00000-0x0000000001A01000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3380-9-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-31-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-37-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-36-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-38-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-35-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-40-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-41-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-6-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-10-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-8-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-54-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-29-0x00000000019F0000-0x00000000019F2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3380-57-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-56-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-59-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-61-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-63-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-66-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-69-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-88-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/3380-13-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-26-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3380-79-0x00000000019F0000-0x00000000019F2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3380-70-0x0000000000770000-0x000000000182A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/3436-89-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3436-92-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/3436-45-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3436-44-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3436-46-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3436-33-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                        Download