Analysis

  • max time kernel
    149s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-05-2024 04:09

General

  • Target

    a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe

  • Size

    1015KB

  • MD5

    a3c64e52e7d5a52602a9af68a7d6a630

  • SHA1

    94e5e8a8befc15b8fc30fe429628391aa0465884

  • SHA256

    a76cfe68e2df2450412ea3bd95d8e1df0bed4c01b375d0c5afee7e142e05f64d

  • SHA512

    c5cb25f47443adecd9d8ec70dc5dec32bc2e17c98e53501445f3fe36a44b083b2fb45d08c6de559c2f7a5e0bc765b42ee1dae806c428284d4fdec5df5614d73d

  • SSDEEP

    24576:H7z7G7ws7X71Fkx7I7+Kt47l7ZsZGC757q7g7O7hGLb47hGdb0Gd6zam8:H7z7G7ws7X71Fkx7I7+R7l7xC757qU77

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service (2 TTPs, 3 IoCs)
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass (3 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 6 IoCs)
  • Executes dropped EXE (3 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Windows security modification (2 TTPs, 7 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (7 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)
  • System policy modification (1 TTP, 1 IoC)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BCE.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
            "C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe"
            4⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1368
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DB2.bat
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4928
              • C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
                "C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe"
                6⤵
                • Executes dropped EXE
                PID:432
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1904
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4708
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              PID:3268

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Create or Modify System Process (1) T1543
      • Windows Service (1) T1543.003
  • Privilege Escalation
    • Create or Modify System Process (1) T1543
      • Windows Service (1) T1543.003
    • Abuse Elevation Control Mechanism (1) T1548
      • Bypass User Account Control (1) T1548.002
  • Defense Evasion
    • Modify Registry (5) T1112
    • Abuse Elevation Control Mechanism (1) T1548
      • Bypass User Account Control (1) T1548.002
    • Impair Defenses (3) T1562
      • Disable or Modify Tools (3) T1562.001
  • Discovery
    • System Information Discovery (2) T1082
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120

Downloads
