Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
18-05-2024 00:21
General
-
Target
5dcb9fab84a4dfc5134c75ffdf394350_NeikiAnalytics.dll
-
Size
120KB
-
MD5
5dcb9fab84a4dfc5134c75ffdf394350
-
SHA1
cf24d91f98b86cbd10bf633880d0b39fa849a50e
-
SHA256
6c33c7539adafb2bbcfa859c11f07a6195f15b30e0d74d8254f4095d7b83bc5f
-
SHA512
f67f655701ef903e7083c45ab1111832bad2956278b9427a1e6e8a903c3c3bf1e8c5b640c01df34957eea9a77b448d55b9633749976f6fd4ea399078e1987165
-
SSDEEP
3072:2GE6vkU4wz97yi9VlAuK14ftxuaqwIoYbCIHl:2QZL1/3K6ftlqbCI
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5dcb9fab84a4dfc5134c75ffdf394350_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5dcb9fab84a4dfc5134c75ffdf394350_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761d70.exeC:\Users\Admin\AppData\Local\Temp\f761d70.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761fb1.exeC:\Users\Admin\AppData\Local\Temp\f761fb1.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f7638fb.exeC:\Users\Admin\AppData\Local\Temp\f7638fb.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
256B
MD55e45e67ace3037e0e0d8c436f2054b7d
SHA1f2435af4142cb59f293d03f7829e60b23085f700
SHA25636fd8beaa86fe46798983263acd31433b3574de7d3366275eaaed93b8df2e93d
SHA51261de6259d3316dcf502321f3424b480f66a0c8fd69884694dc2d41fa1a3fb0cd8657d642f1954965c02417afa1b709480372dc5a33489fcd830035c237bb6ad0
-
\Users\Admin\AppData\Local\Temp\f761d70.exeFilesize
97KB
MD562b3f4042c8d60735479b7a9ca2c230a
SHA1b24c8c64ef5f5a6ef1d227bb46aa6c024010d0b4
SHA256e88ecb5bc5d4eb60e189e864cc873417e890d39e67e07c356119e4c11efafd98
SHA512883cf54b1abdb61e1c64981da4fd7371775d26c2c34ab6cfec6fb88d585f44e5521f43ed67d53c5d2da65d642dd64a745d1f61a44813f1a98e238580945fda16
-
memory/1112-29-0x0000000002130000-0x0000000002132000-memory.dmpFilesize
8KB
-
memory/2584-97-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/2584-99-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2584-199-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/2584-162-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/2584-198-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2584-96-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2708-92-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2708-98-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2708-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2708-91-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2708-59-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2988-8-0x0000000000100000-0x0000000000112000-memory.dmpFilesize
72KB
-
memory/2988-37-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2988-41-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2988-9-0x0000000000100000-0x0000000000112000-memory.dmpFilesize
72KB
-
memory/2988-77-0x0000000000100000-0x0000000000102000-memory.dmpFilesize
8KB
-
memory/2988-58-0x0000000000220000-0x0000000000232000-memory.dmpFilesize
72KB
-
memory/2988-74-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2988-40-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2988-38-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2988-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2988-46-0x0000000000220000-0x0000000000232000-memory.dmpFilesize
72KB
-
memory/2988-45-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/3040-22-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-62-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-63-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-64-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-65-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-61-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-57-0x0000000001820000-0x0000000001821000-memory.dmpFilesize
4KB
-
memory/3040-79-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-80-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-82-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-60-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/3040-20-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-15-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-23-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-21-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-17-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-100-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-102-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-104-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-146-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-145-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3040-18-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-16-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-19-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-13-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/3040-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB