sality | 0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2

General

Target

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Size

732KB
MD5

bebb67767b53cd13f67283cdc9bd9570
SHA1

b02fe6f21cdf9a6377c2cf0b3de608f7117f6d90
SHA256

0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2
SHA512

c2be48ff93f5645ccf5fc7305382c5ab4a803bd39d4165f6bd3a73e7daa8db6047708485b2f54c5eefb3637946b4e3eeece77c4ae9a507bcd88de1422770b7fa
SSDEEP

12288:WTyjXW+48qWywrU4kGFezOAVuJ5PIzww7F5DO3HYffIERagUj7K:MIXW/8yw1ez54lIvF5SXYHIMa/j7K

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	rundll32.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

rundll32.exebebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe

Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

2964 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

rundll32.exe

pid process

2964 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

pid process

2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

pid	process
2964	rundll32.exe

pid	process
2964	rundll32.exe

pid	process
2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2064-6-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-8-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-9-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-15-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-16-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-12-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-7-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-3-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-13-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-11-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-10-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-33-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-40-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2064-39-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral1/memory/2964-70-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-84-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-69-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-64-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-83-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-62-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-71-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-66-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-65-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-63-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-60-0x00000000025B0000-0x000000000363E000-memory.dmp	upx
behavioral1/memory/2964-126-0x00000000025B0000-0x000000000363E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

rundll32.exebebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

pid process

2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
2964 rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

pid	process
2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
2964	rundll32.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	2964	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

pid process

2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
2964 rundll32.exe

pid	process
2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
2964	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	pid	process	target process
PID 2064 wrote to memory of 1124	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	taskhost.exe
PID 2064 wrote to memory of 1172	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	Dwm.exe
PID 2064 wrote to memory of 1228	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	Explorer.EXE
PID 2064 wrote to memory of 2404	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	DllHost.exe
PID 2064 wrote to memory of 2964	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 2064 wrote to memory of 2964	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 2064 wrote to memory of 2964	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 2064 wrote to memory of 2964	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 2064 wrote to memory of 2964	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 2064 wrote to memory of 2964	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 2064 wrote to memory of 2964	2064	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 2964 wrote to memory of 1124	2964	rundll32.exe	taskhost.exe
PID 2964 wrote to memory of 1172	2964	rundll32.exe	Dwm.exe
PID 2964 wrote to memory of 1228	2964	rundll32.exe	Explorer.EXE
PID 2964 wrote to memory of 2404	2964	rundll32.exe	DllHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe"
2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2064

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
3⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2404

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

8

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F762E12_Rar\rundll32.exe
Filesize
664KB

MD5
9f4ad2e1a21330ed5442d666e37a3b47

SHA1
af241db65197924eab63e20fd481bbdd8aafb053

SHA256
d895f7d839dedecac0558587ec722eb06ecf352399380aa6137052e1bc168783

SHA512
c9763e0c148ac7ced9263256afaae6d08de6a6b42a688df91d2faf7973ae725da9ed74cd88f1393ce6aa96e8bd227da9c0c7421af2be21427c3d102bd7018dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
Filesize
732KB

MD5
bebb67767b53cd13f67283cdc9bd9570

SHA1
b02fe6f21cdf9a6377c2cf0b3de608f7117f6d90

SHA256
0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2

SHA512
c2be48ff93f5645ccf5fc7305382c5ab4a803bd39d4165f6bd3a73e7daa8db6047708485b2f54c5eefb3637946b4e3eeece77c4ae9a507bcd88de1422770b7fa

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
f63450dd7ecb8436b2d496373cb0ec4b

SHA1
c52fba1471636d989168694161b1024a06f8e113

SHA256
234987e788dd24bf447ea6335da55ff24ba60df404552a7827cfca657a27f58a

SHA512
024edb5214077a455eb2da4b8e3c084a2e2b393c850d50964681362ccc0287eb05dd2d92fb92f2caf22d4c31743a7b661bda547cf1f1be654a453f917ab8ca2d

Download Submit
memory/1124-17-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2064-59-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2064-13-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-15-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-30-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2064-16-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-29-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2064-26-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2064-12-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-7-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-3-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-6-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-11-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-10-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-33-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-9-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-42-0x000000000A800000-0x000000000A8BF000-memory.dmp

Filesize
764KB

Download
memory/2064-8-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-27-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2064-31-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2064-40-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2064-39-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-63-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-84-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-87-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2964-69-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-64-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-83-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-62-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-71-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-86-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2964-66-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-85-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2964-65-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-70-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-79-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2964-60-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-44-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2964-126-0x00000000025B0000-0x000000000363E000-memory.dmp

Filesize
16.6MB

Download
memory/2964-150-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads