Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-05-2024 17:18
General
-
Target
0507872e031c245ec65195dea3229470_NeikiAnalytics.dll
-
Size
120KB
-
MD5
0507872e031c245ec65195dea3229470
-
SHA1
9bfc75c73b52142c1d2db8c7dc7d2b25a67b44c2
-
SHA256
8eab44941d3be506e2149d30d4817bf6874791ab01a6a743f579a88b0af373e7
-
SHA512
646894012737faae1e1afd75d7a0c7cfb3d683c27e36c127495b53ff9ee3227c6f5dab1e265132ebbb9dd0b03e003d4e49b405269da7870f7f75827840e8fca1
-
SSDEEP
1536:2/bqK7nO3SMcJMkC3DNUXbU2uUkBUCNyaZmPs7SNyVAUk/zqTRjJvwrO5/wM/beJ:2zf7KMMR354JmxqRUDv6u/w6beF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0507872e031c245ec65195dea3229470_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0507872e031c245ec65195dea3229470_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761287.exeC:\Users\Admin\AppData\Local\Temp\f761287.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7613ee.exeC:\Users\Admin\AppData\Local\Temp\f7613ee.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762e51.exeC:\Users\Admin\AppData\Local\Temp\f762e51.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5c37360b0f80963e47f89662e697222de
SHA1ae6d5bb076bd6b2f0aba419774de45647ddbbd0c
SHA25616447e9e324820d4c218a554d971b088b2fe2e812ffb19c6b470590a2a73ed6b
SHA5120522d1f2a74d98117ebd0accd6fe139f6defd376ede8882748469359ef367ebd718376884f358e5b714a6c03fa9d3ba592cef70b8ee86ec73fbb6e750cde704c
-
\Users\Admin\AppData\Local\Temp\f761287.exeFilesize
97KB
MD50c48a8cc52278600b2a42404c33bd1cf
SHA1ca8197097289d3892bb59109f3b07f1cd5a9edcf
SHA256e179e774b601413dc1039bd3e697ee1e71d2a052e3cf8e73f50042cb8f0003e4
SHA512eda872fde11a8f0a9ca6e6174caca9cc34e709955d0fbeb5bcccfffb5e2cb67754c35200da412100a9712176f909b487c6ae11c2258e586261255acf51894a48
-
memory/1112-22-0x0000000001F90000-0x0000000001F92000-memory.dmpFilesize
8KB
-
memory/1660-52-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1660-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1660-32-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1660-33-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1660-43-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1660-51-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1660-78-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1660-8-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2460-102-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2460-105-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2460-81-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2460-177-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2472-54-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2472-173-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2472-95-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/2472-103-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2472-96-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2472-168-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/2896-20-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-84-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-61-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB
-
memory/2896-63-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-62-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-64-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-66-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-65-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-68-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-69-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-11-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-14-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-82-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-60-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB
-
memory/2896-86-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-42-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB
-
memory/2896-18-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-21-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-19-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-16-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-120-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB
-
memory/2896-150-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-149-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2896-13-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-17-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-15-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2896-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB