Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-05-2024 08:52
General
-
Target
e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exe
-
Size
1.4MB
-
MD5
e29596c87bece3c26cf8c8e0e768bcc0
-
SHA1
0aa46000e5b9200e441246c0628b69d0727a0a72
-
SHA256
efaca9be3f27a1b370e45cef80d8edf805b5df41e29dcbfb41066d09e3efbfb8
-
SHA512
c35cd30ba9f423235155d4a6679ad1055aa393cf5efbc34a3b49d14841caa084ef8dcb8941857e199901c0637b60c3f0c7aab74195d0c5b29e39f010b3ad7ad1
-
SSDEEP
24576:rsFRhoq8oLxlGuzAGKFDuXNR2TGxTEcuC+/Kt+/:Syo3xKFDuXA2TTc/48
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\{09C46B87-87CE-45BC-B5E1-D633263C7333}\e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exeC:\Users\Admin\AppData\Local\Temp\{09C46B87-87CE-45BC-B5E1-D633263C7333}\e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exe /q"C:\Users\Admin\AppData\Local\Temp\e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{09C46B87-87CE-45BC-B5E1-D633263C7333}" /IS_temp3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E5747B7_Rar\e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exeFilesize
1.3MB
MD5d78a46725cd818925f14cd46c37e0f1c
SHA13cc92903d643170801d0b0c2e64bcdf918e001bf
SHA256779aa087af2bbc0dd0b647d2c2d273d41f0b59a82618741705268f456b35d4e7
SHA51203ad6a26d655bb7b153c80b4e40c804254151b783a42dc8d18a9751c037646d0e8eaa6c6854db6d563446b7a54e6f696d1b2afa9f9d8a07f48926d6e0b61787e
-
C:\Users\Admin\AppData\Local\Temp\{09C46B87-87CE-45BC-B5E1-D633263C7333}\_ISMSIDEL.INIFilesize
760B
MD517366a2634645b63cc06c54bec0a1e26
SHA12bcc35fe4f5bcb8414856ea3a30c65f0fdabb7e5
SHA256f5d7f99eda5776761d5f178d4a120735a6035ac8358c98c9bf723459a3fc5117
SHA512ac62b450afb5c96bee1c8e9efa6a6efa8a56db99875d4a1c2d13a582aacf7e940e1cb407e44cc62c8b14e53e37650cd29451de6e0e4b36781356139463a3e7f0
-
C:\Users\Admin\AppData\Local\Temp\{09C46B87-87CE-45BC-B5E1-D633263C7333}\_ISMSIDEL.INIFilesize
20B
MD5db9af7503f195df96593ac42d5519075
SHA11b487531bad10f77750b8a50aca48593379e5f56
SHA2560a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA5126839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
-
C:\Users\Admin\AppData\Local\Temp\{09C46B87-87CE-45BC-B5E1-D633263C7333}\e29596c87bece3c26cf8c8e0e768bcc0_NeikiAnalytics.exeFilesize
1.4MB
MD5e29596c87bece3c26cf8c8e0e768bcc0
SHA10aa46000e5b9200e441246c0628b69d0727a0a72
SHA256efaca9be3f27a1b370e45cef80d8edf805b5df41e29dcbfb41066d09e3efbfb8
SHA512c35cd30ba9f423235155d4a6679ad1055aa393cf5efbc34a3b49d14841caa084ef8dcb8941857e199901c0637b60c3f0c7aab74195d0c5b29e39f010b3ad7ad1
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5814ca7513e0520bee046f2717a6d72f0
SHA102b6aef3a2ce1e87626997015d45ab5119ef0df9
SHA256fdd56698d24510539c61a82bbedc8cc2b3ac2e4422e34b5a59e4b13fa01e908d
SHA5122143bfd7bfd26c7eb00fee0c882715a60f589cbc93b3e675c3f17d2cb8245a4590ed8438fbdb602c99ac6325d2bea1825364e6df93c46611e99056aeb407c80b
-
memory/3172-74-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-73-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-102-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-108-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-127-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB
-
memory/3172-109-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-80-0x00000000024F0000-0x00000000024F1000-memory.dmpFilesize
4KB
-
memory/3172-76-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-119-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-101-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-75-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-89-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-90-0x00000000024E0000-0x00000000024E2000-memory.dmpFilesize
8KB
-
memory/3172-44-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB
-
memory/3172-86-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-91-0x00000000024E0000-0x00000000024E2000-memory.dmpFilesize
8KB
-
memory/3172-87-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-88-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-71-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3172-77-0x0000000004730000-0x00000000057EA000-memory.dmpFilesize
16.7MB
-
memory/3548-41-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-61-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/3548-63-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-70-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB
-
memory/3548-42-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/3548-45-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/3548-31-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-49-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-47-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-46-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-1-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB
-
memory/3548-40-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-33-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/3548-34-0x0000000003560000-0x0000000003561000-memory.dmpFilesize
4KB
-
memory/3548-4-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-32-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-30-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-3-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB
-
memory/3548-0-0x0000000002320000-0x00000000033DA000-memory.dmpFilesize
16.7MB