Analysis
-
max time kernel
148s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-05-2024 21:25
General
-
Target
37a8422d2b7e1e7709518a1c73c88b40_NeikiAnalytics.dll
-
Size
120KB
-
MD5
37a8422d2b7e1e7709518a1c73c88b40
-
SHA1
883fb36e38caf2f990513300f7177bafc6190f2d
-
SHA256
f00bbb6299643284cdf0d16e9d47dc79e83399d957018aafbd2432004ad8e33c
-
SHA512
4b36ad1c62fa726c4477de606831378ccb6cae9c18dd0b0104c5d8d213a4dc6a316238d01f9cb4f4c46ad8a745fde0fe393f4732080e83b374d02e1ba60de8a2
-
SSDEEP
3072:SJaeXpw8Tgw/K02UA1H+6APMo2lHrPbUU:SJaCp1TNp2lP4MoGLAU
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\37a8422d2b7e1e7709518a1c73c88b40_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\37a8422d2b7e1e7709518a1c73c88b40_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573c9b.exeC:\Users\Admin\AppData\Local\Temp\e573c9b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e573df3.exeC:\Users\Admin\AppData\Local\Temp\e573df3.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576699.exeC:\Users\Admin\AppData\Local\Temp\e576699.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573c9b.exeFilesize
97KB
MD5d4c4f8a8f32907e9328f6ca813a3b3ce
SHA11bf0d56475d8d32a96357edb174b5bec97340ee9
SHA2566a25c1983f441074afc73199242e115c4bb753cde6913098ad8dd0cd1130888d
SHA51207b175de563f672ad8026b965283a0b9ddf357170524b3e330667a4b1bf7ae405bbdb8dad36d0d3bdfba62391b641a194838298b4dffe9f872b2f6972c22159b
-
C:\Windows\SYSTEM.INIFilesize
257B
MD530b946017548221cdeca55174b48a0a2
SHA1ba504d0da959fddafad32bd0caa81aabc5f256c0
SHA2565963f32feb355ef03720969df9b8fc016db9be12f73a7b81102d3788a5e84378
SHA512f17e27b84cb163d6d6ddf315ae0b530001ee6a94bd4690f5412ae405b87174925d7b1da7b154d13f63e10e1e21bd0fbbfef503a9bf43f0b1b0adb38615dd016b
-
memory/1656-39-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-62-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-8-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-40-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-70-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-31-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1656-21-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-29-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-24-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1656-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1656-33-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-35-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-34-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-12-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1656-16-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/1656-75-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1656-11-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-10-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-36-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-37-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-38-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-9-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-6-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-59-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-60-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-58-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-57-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-54-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1656-55-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1996-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1996-23-0x0000000003500000-0x0000000003501000-memory.dmpFilesize
4KB
-
memory/1996-13-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/1996-22-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/1996-17-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/3484-51-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3484-52-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3484-53-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3484-87-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3616-101-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/3616-88-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/3616-90-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/3616-141-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/3616-109-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/3616-108-0x0000000000590000-0x0000000000592000-memory.dmpFilesize
8KB
-
memory/3616-94-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/3616-140-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3616-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB