Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
18-05-2024 01:59
General
-
Target
71bf557af059e84b2393502a23035b10_NeikiAnalytics.dll
-
Size
120KB
-
MD5
71bf557af059e84b2393502a23035b10
-
SHA1
9e8d9fb88c6f4231df799e2ee344e47558dcd4e8
-
SHA256
4f1685e794740ffdc9f745bceb81a7a81452714a8aa50b9a0a9afcb6215069cc
-
SHA512
950f4b66d8cd2f653b07f6ae4f0693b0426f4fa5ee7b4d1f8f167c7e24774933873cf7f2c10a985f8e0525d825fa44c11175e2a8bc21ba483f9e40b705068687
-
SSDEEP
3072:eHrfBgynLi9sDfiJdQRCPh1zIRONHJ9FEupeVj42onm:ErfCyLCwfudGCPh1URObEh42onm
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\71bf557af059e84b2393502a23035b10_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\71bf557af059e84b2393502a23035b10_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76227e.exeC:\Users\Admin\AppData\Local\Temp\f76227e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762433.exeC:\Users\Admin\AppData\Local\Temp\f762433.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763e0a.exeC:\Users\Admin\AppData\Local\Temp\f763e0a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD559f28a0ef7dee3b542ea544202e09137
SHA1c8c9cf5521911cc3cb1905b21cf0e469e064aab1
SHA256a83aebc8007c5a9c61ed8afb58fa8a83f87edf9b89f6b914f2bd096ebab5c66f
SHA5127cf194598efa3826e6db26c148f6d44b91177b6132a4f03760c97ea237bee5a4eabe0117d3ad3aea7ac4a7b8334cdfb8f4c6641059736e0bccf9c785c150c5e1
-
\Users\Admin\AppData\Local\Temp\f76227e.exeFilesize
97KB
MD5fae4bfd1175d7bed1e02a018c07537b0
SHA1f67698366b29359c2d442e05aa36a98b30f17a6b
SHA2566d24e447bbd40cdb4753cab916400bba25dc7a3257fb11f420cd238f7b1b546a
SHA51247665606f48be8d8e745f3efe6f814b3a916ae81dc81853968045061cee919234389b258f9b53cd924a93d981c1553f8b765c3e051a9941f4ecd189556e6274d
-
memory/1108-24-0x0000000000510000-0x0000000000512000-memory.dmpFilesize
8KB
-
memory/2552-159-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2552-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2552-103-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2552-97-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2552-106-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2932-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2932-59-0x00000000002B0000-0x00000000002C2000-memory.dmpFilesize
72KB
-
memory/2932-81-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/2932-8-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/2932-33-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2932-34-0x0000000000210000-0x0000000000211000-memory.dmpFilesize
4KB
-
memory/2932-77-0x00000000002D0000-0x00000000002E2000-memory.dmpFilesize
72KB
-
memory/2932-79-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2932-9-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/2932-42-0x0000000000210000-0x0000000000211000-memory.dmpFilesize
4KB
-
memory/2932-78-0x00000000002D0000-0x00000000002E2000-memory.dmpFilesize
72KB
-
memory/2932-57-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2932-60-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2952-209-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2952-102-0x00000000003B0000-0x00000000003B1000-memory.dmpFilesize
4KB
-
memory/2952-210-0x0000000000A80000-0x0000000001B3A000-memory.dmpFilesize
16.7MB
-
memory/2952-105-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2952-107-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2952-171-0x0000000000A80000-0x0000000001B3A000-memory.dmpFilesize
16.7MB
-
memory/2952-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2992-22-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-66-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-67-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-65-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-84-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-64-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-63-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-58-0x00000000002A0000-0x00000000002A2000-memory.dmpFilesize
8KB
-
memory/2992-23-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-85-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-87-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-19-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-20-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-43-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2992-50-0x00000000002A0000-0x00000000002A2000-memory.dmpFilesize
8KB
-
memory/2992-88-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-18-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-21-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-108-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-110-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-131-0x00000000002A0000-0x00000000002A2000-memory.dmpFilesize
8KB
-
memory/2992-155-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-154-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2992-16-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-17-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-15-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-13-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2992-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB