Analysis
-
max time kernel
122s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-05-2024 21:54
General
-
Target
0b76861c541b49745b9bf714a0bdd660_NeikiAnalytics.dll
-
Size
120KB
-
MD5
0b76861c541b49745b9bf714a0bdd660
-
SHA1
ae8b3827e7f57bc4a2afc32acac6b6326ba7293b
-
SHA256
a68ff706938fc2c3006b6829b4a3addfb69bfb89252811da70555b944041f06f
-
SHA512
baea0abd643accb0f947538222a76712bf8f67034e96c7b2ae47289bb6f811874a42a7562caf38f75a9913466e07fce785c0c5f58838943b3385a05624f4c9ce
-
SSDEEP
1536:X5VTYSacOZmA1Ah8OkJUNUhk/4mzg7i0Xj3NaEFbTB7TReM/urdvlEi9hv/:X5VTyZlAiRJyY7Vj9aax71eMGrHEAn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0b76861c541b49745b9bf714a0bdd660_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0b76861c541b49745b9bf714a0bdd660_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f769d97.exeC:\Users\Admin\AppData\Local\Temp\f769d97.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f769fa9.exeC:\Users\Admin\AppData\Local\Temp\f769fa9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76b22f.exeC:\Users\Admin\AppData\Local\Temp\f76b22f.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5adddb55298a5dd6f9ef6d67d9084f55a
SHA1356a637c32e208986da71c3aa5e660f2aee5a18a
SHA2563808794b7f7c3a93e9bb676913fd66b21321a34d2be0c202051ce6ac7aa68ca1
SHA512cd63438f6d02cecd6b5f401dc2792d0e1f54a52e7f8f31b5240158aed1d18e1a778c982bcd74888493e6546a50e0e53ed3f08ad7fe575064c402914f9c0d4f45
-
\Users\Admin\AppData\Local\Temp\f769d97.exeFilesize
97KB
MD5c47dd693d8ca9e213f2bd7e4d1312d86
SHA1cdbe66be963bc7aeb0989fbe11f9ef3376063720
SHA25647648b9fd2462abbd0563361a19c05b47659dd3da5c0c4f269214c237cd5fac3
SHA5126d2f6631b2694aadd76172b5335a326b47dc1cabe38b5ca44fd40a8311934cc55abb631deb1801c47fb1130cb1ee17b2b420e30f0950d9f5ef1524e5e5b4d297
-
memory/1076-21-0x0000000001C40000-0x0000000001C42000-memory.dmpFilesize
8KB
-
memory/1324-97-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/1324-168-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1324-78-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1324-100-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1324-98-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2428-164-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2428-54-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2428-92-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2428-159-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2428-101-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2428-163-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2428-99-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2468-41-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-104-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-12-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2468-18-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-16-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-40-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-56-0x0000000000310000-0x0000000000312000-memory.dmpFilesize
8KB
-
memory/2468-55-0x0000000000310000-0x0000000000312000-memory.dmpFilesize
8KB
-
memory/2468-39-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-20-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-13-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-19-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-62-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-63-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-64-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-66-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-65-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-17-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-144-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-80-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-81-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-83-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-84-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2468-107-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-38-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/2468-105-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2468-15-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2736-53-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2736-50-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2736-30-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2736-29-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2736-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2736-74-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2736-52-0x00000000002A0000-0x00000000002B2000-memory.dmpFilesize
72KB
-
memory/2736-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2736-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2736-42-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2736-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB