Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-05-2024 01:21
General
-
Target
6999f3ff092785abe3b1dcdf3cb85860_NeikiAnalytics.dll
-
Size
120KB
-
MD5
6999f3ff092785abe3b1dcdf3cb85860
-
SHA1
2e167b872fc78b0021840cb7517a7c482978f6ca
-
SHA256
0dc800260fe842781a5c99c90cc1e0e01743960e09717201c8eafe7ad76f4c3c
-
SHA512
e432ae4c88b069f2f3f2c3eeb39992b5b91fa5b171e82786674b922b3db0012e24a077e71d12f63235615e70ea747dbb6d189db0245ab3941e35f29aae443ab3
-
SSDEEP
1536:evryDKeQr6NwD1RJa7AAGqefixu9FRNQQbIpCQyT+XY0bLj6kU4Kh1ver3iOpOM:ejyOF6uD1RU2MsFxOo0PjAxW7iOg
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6999f3ff092785abe3b1dcdf3cb85860_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6999f3ff092785abe3b1dcdf3cb85860_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5746fc.exeC:\Users\Admin\AppData\Local\Temp\e5746fc.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57492e.exeC:\Users\Admin\AppData\Local\Temp\e57492e.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57736b.exeC:\Users\Admin\AppData\Local\Temp\e57736b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5746fc.exeFilesize
97KB
MD5caf260eb3f50fb44c8b449a570b49e86
SHA14055cb39f99593a239e98ef22bc1075e27d463a1
SHA25682d8e013801fe64612a3086700ba9caa2db68b5c0a4dcdab753c6270816fb88d
SHA5128b685a2f481ac333dd1b7a8619847a0668ab662254e9c5fad51d33ba56c1dd57ea5e431bc129a22e618e2398f904efa31bf252b3ffbb7585bd60905be6e413f5
-
C:\Windows\SYSTEM.INIFilesize
257B
MD590c94e6d44e9cf19c6614a18e7fd79b2
SHA1aad66aeff28356af75e7a5840d3065e22c563f3a
SHA256f4206e614ff0709cb638c3fabb5869688bf932050be6edfc098631a92d44b8ae
SHA5129778821bd8880db3b6d58ad9e32200c45c812dca7bee38b3cee59a519915552dcc9bed89633b2ef2847b18ae951455f8a399a04d30c6bf40f79296c1310f4810
-
memory/384-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/384-29-0x0000000004660000-0x0000000004661000-memory.dmpFilesize
4KB
-
memory/384-30-0x00000000040F0000-0x00000000040F2000-memory.dmpFilesize
8KB
-
memory/384-26-0x00000000040F0000-0x00000000040F2000-memory.dmpFilesize
8KB
-
memory/384-48-0x00000000040F0000-0x00000000040F2000-memory.dmpFilesize
8KB
-
memory/384-22-0x00000000040F0000-0x00000000040F2000-memory.dmpFilesize
8KB
-
memory/1252-91-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1252-36-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1252-45-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/1252-53-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1252-47-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/3004-41-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-11-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-18-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-31-0x0000000001A30000-0x0000000001A32000-memory.dmpFilesize
8KB
-
memory/3004-25-0x0000000001A40000-0x0000000001A41000-memory.dmpFilesize
4KB
-
memory/3004-21-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-10-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-32-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-37-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-38-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-39-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-19-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-40-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-20-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-12-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3004-6-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-35-0x0000000001A30000-0x0000000001A32000-memory.dmpFilesize
8KB
-
memory/3004-56-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-57-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-58-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-60-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-62-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-64-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-66-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-67-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-68-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-76-0x0000000001A30000-0x0000000001A32000-memory.dmpFilesize
8KB
-
memory/3004-72-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-9-0x0000000000750000-0x000000000180A000-memory.dmpFilesize
16.7MB
-
memory/3004-87-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4648-54-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4648-92-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4648-110-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4648-142-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4648-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB