Analysis
-
max time kernel
122s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-05-2024 07:51
General
-
Target
d465fac50566ebe39ab269f4e2ce1e60_NeikiAnalytics.exe
-
Size
1.7MB
-
MD5
d465fac50566ebe39ab269f4e2ce1e60
-
SHA1
82d42c87b1cb8d88355a7b14bfd4df8c3136907f
-
SHA256
912d9c221640ffb590edb4b941ddbb813533d5a2e2b1ff5a550c523c1b7bfeb3
-
SHA512
5b6e21cbbf298c82d02f061b29d1ae841d3c1841812a4241c78b15d55dbdf024ca31c4ee6c5e4843da2e5681af9012159b4a55c3b08635ed9e7fe7932fa30f56
-
SSDEEP
49152:+Qrth7VaHBIW2Y4exvJIvIrdMsJq7vBw2GoNNDjLK/:+g6fT4exM+MsMvFNNm
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 16 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d465fac50566ebe39ab269f4e2ce1e60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d465fac50566ebe39ab269f4e2ce1e60_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\pft4C4D.tmp\Disk1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\pft4C4D.tmp\Disk1\Setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer4⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exeC:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER2⤵
- Executes dropped EXE
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD562d5f9827d867eb3e4ab9e6b338348a1
SHA1828e72f9c845b1c0865badaef40d63fb36447293
SHA2565214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5
SHA512b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732
-
Filesize
600KB
MD52824f4218935be2c1d34a03cc4509ebb
SHA1bea7c1fab69aa64ebdfc1cf0e0cea8d12a462c6a
SHA2567f649d7d9bbb2458c512b8d2a7366a3b94262ca7b4b4c6c90124f776e5f4967b
SHA512ece7ecf2ef24d6d2e2189ca3e2bb1a2007eb857a528aee6909dac3dc6439b0414107521085d5214a5236cbb4563e5fa5a517910bc409ca17fbe79b1e238b0ccd
-
Filesize
76KB
MD5003a6c011aac993bcde8c860988ce49b
SHA16d39d650dfa5ded45c4e0cb17b986893061104a7
SHA256590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a
SHA512032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7
-
Filesize
172KB
MD5377765fd4de3912c0f814ee9f182feda
SHA1a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1
SHA2568efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb
SHA51231befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710
-
Filesize
32KB
MD58f02b204853939f8aefe6b07b283be9a
SHA1c161b9374e67d5fa3066ea03fc861cc0023eb3cc
SHA25632c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998
SHA5128df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59
-
Filesize
220KB
MD5b2f7e6dc7e4aae3147fbfc74a2ddb365
SHA1716301112706e93f85977d79f0e8f18f17fb32a7
SHA2564f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1
SHA512e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83
-
Filesize
1.6MB
MD5d1f484db90b203b904b489089b1696f9
SHA1c3f0ea01831006b9c1db31bdc3936036bdad9955
SHA25659bb941bd66158629b1f256bc62e75532c83126129377fc484146b787cd29933
SHA512357509e5c3032686937bdd1cc0f02e3c60df77ab46b31f267bbc4883ec21b8b31084e62d27fb17b2dbee9ed00fcd76af4061e99d9286eb123b7333bdeed66111
-
Filesize
337KB
MD58e3e070adffe275f385da05f289068c3
SHA1f1e41d1686a24b7ee6a77be259a1497e6110fea0
SHA2566901a8620178dc3a8bfe822c6132f235b183aaf83832bb18f0c54a4e73e19142
SHA512473e3afa30ea658ff22b1114dff89d928244f72181a29f4eb6626d0b0dd0d179007b811805da6459340a77ed2ce717dd7f130ae9ff0889102bfe66070996812a
-
Filesize
164KB
MD5fb6674a519505cc93e28cf600bbc23a3
SHA1d5dbd3dabc4872710d5bdabfb3829f976efe92c6
SHA256fe95a9fc8b2cdb5add76fbd326b1a11801eaa43c7d908f20cbdf413fd4d8dfde
SHA512fd4e93d545a704bbc197bcbfd1731c24fffff7aa05db11ed4ad9bcac458253b8fb368d13e48df3d3d322044f4d4cc9e134c24cc7bee4079110f591623e988912
-
Filesize
586KB
MD5ac1fc265bbf27347d0c4d48d78c525f5
SHA166a8c5b03df48bb8753b466e875dcaa6522cb6ba
SHA256f1430adc9c2705cf9006a05cbf03189c8614ff4b5089a030d288a88ba31d3a97
SHA5120d47c3d60ea8b7ccc8fc2a03a580e3aa6882151ffd861baf383cc38fabb279f6e2e30e2db636d9258951c138e1f3af8ca6d2bda916e9d5dc1d7d9a54acd557b8
-
Filesize
417B
MD520e96d28b69a07012399a0ddfcd8bcdd
SHA1eccc5cca525b072ae1534b0d453ceaafe4796636
SHA2566fef3b3dc49f3b9b73d3255a29e1945a3db268acf8bfadc38f1e3b2753f2473f
SHA5120aa71551c0caa1bb76a85d4b67f8749df95999e4c7d89f99e8927a08a02ee9045117f5aaecf2d4f4d49817667a85a06a12aec9d22e2fe98513421d5027568e57
-
Filesize
172B
MD5f538540e2cfc9a49e1d1a19d7db8234f
SHA14ccc89fe6709a2b58d675e70e1150af32a399d4d
SHA2562f6f2a479b5a083238d960bb24c5f9f9bd551777e9f66205defeeac6db51eb81
SHA512d469cba1840803096590d7d44c998459623fc1176f10e14884ac62abc2daa18924c2b174c432bbfdda571c10affe84c6cd54668cce58d8f927e5a31225d88044
-
Filesize
1.3MB
MD5b38d1438c58e25b138a08bc2a468e246
SHA1696e961005fb3d9254175a8fa9f98822fe2697fb
SHA2562449d741ea853caab606e0b2fc37e9a802f3bc29099a7c50a8e2f4f18691efe5
SHA512c1b2e5b955d8469415cfa91c834f06e27e1358175c5901bcc99d4e70cb135b1374f066f172c561009a19462b3b4f6fee608fead8278e300a20233760ccbee692
-
Filesize
5KB
MD59efcc61a0baa38a6d7c67a05a97c7b87
SHA172b713a72ef7e972dfd5be5f79da8e9aacedb296
SHA2567ccb3a50ca08c66a220e4da614cbaba1d05157359edd174223c788b86d929edf
SHA512ac57100b76826af9f7650417dd765c23b522e31a1f3b44bfe9e70ed520bf6c6eb1978118a8147c99487b05a7a4c4afc964f457b79f921ff8236e4d60561b1238
-
Filesize
252KB
MD548ea604d4fa7d9af5b121c04db6a2fec
SHA1dc3c04977106bc1fbf1776a6b27899d7b81fb937
SHA256cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b
SHA5129206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707
-
Filesize
324KB
MD561c056d2df7ab769d6fd801869b828a9
SHA14213d0395692fa4181483ffb04eef4bda22cceee
SHA256148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66
SHA512a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172
-
Filesize
134KB
MD5eec32d940738c80c8e75f41ed48be71b
SHA196fae009a4dfae76b582388e8ede2d7fd4ff5e8c
SHA25677c4ca02b451a66356cad30ae3a1b32086afc58a9c9379f9b361a489a0888586
SHA51262849cc890b74919e13a22bdef2a8e6547c8f48aaa1c25d6aee50319733fd419eca196babf1a2f5ad15a138a2522bea157a3e9981198da86c9dda9427e14823a
-
Filesize
97KB
MD58e239e3a73c7a907f7640508af089b2e
SHA1df57e131341dd1f3b7921c6a19bbc0b721f29cca
SHA2564b8089496d4b1e8dc53629eb6e77bf965759e4af044553d4ce8206b602e3cd23
SHA5121c4b715096db2acfaf4c029eca24ec695c20865516303bf96e0b42f591bc97873ea6aff4111eb04a9b757e43d227e1d72afae51818d8dca36531bb83306de689
-
Filesize
14KB
MD59356e74c9b0ab998f80cc794efb00df3
SHA1dd7669aacc3925705b42bcbefc5e623b37330e27
SHA2561696e38d881aa3fafcc31e102f6375338b1a17fbcd635d996e16c74eeb9aaaac
SHA512064e276d1a88fa87325bf6dbee35b925e9cd9873c8ea45043653a06612a211df8852980f0c70910f0b06754162955bbeec420a7bf135237543d7e3c6c875e9d8
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
692KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
356KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
692KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
692KB
-
Filesize
176KB
-
Filesize
332KB
-
Filesize
224KB
-
Filesize
76KB