Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-05-2024 06:58
General
-
Target
a7b2df41f56f1e1862a40c2f995b23b0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
a7b2df41f56f1e1862a40c2f995b23b0
-
SHA1
bc691751b27754c80b4663b0d8fa4fc1bf073c17
-
SHA256
f4828eee64fe3ca22473db49a49e4ce69848cb07e8f439ffac2eb38290ea3754
-
SHA512
86d0e5136695bff4777025f923bcabaae316e06084183fa859a8929bc750279f2e55bc17772d67100a83a2aa579d50e6790e86c6ea413bd9c3240b4fbf99e29f
-
SSDEEP
1536:AHGuKM2xLdnkNVq8llMQ5gCC8CGugXWRJbIuUwM+U3kZMBGZxNEbSHkRDx:n2l6CBvdeUupUBeUbSHU
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a7b2df41f56f1e1862a40c2f995b23b0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a7b2df41f56f1e1862a40c2f995b23b0_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76226f.exeC:\Users\Admin\AppData\Local\Temp\f76226f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762462.exeC:\Users\Admin\AppData\Local\Temp\f762462.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763e38.exeC:\Users\Admin\AppData\Local\Temp\f763e38.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD50de22898ae2526407a272171e6555fc3
SHA18414f56302e8d2b8103a4d0a374a9c433086b7bf
SHA256638b643458398d16f534948a193bdf30aff9033b07b3788c20f781374fef0313
SHA512aa5ce2d5b424c8b0051f1b02ec827ed0b59cbca62d5a87a7ff9168e7671c447a7efe124fcb7c4d87ec1aeb44b15c6259addcfe33d77cb8e1d68dceefe754a85c
-
\Users\Admin\AppData\Local\Temp\f76226f.exeFilesize
97KB
MD52dfe678f9674d3fc21bcb4e680f3b7d5
SHA1ce44876399f8d9f377f8b4fbaf3d88f3b8bf02b0
SHA256369197c45a5ec10aed193472aaabb1d80afed2e0bb8642a75d1306e153f733d7
SHA512b49175b7d43fda011a129508daa2227ab43975fd21a1e66a5ad31b0b076ff2fde2165245fce2ae5ec1c293f04029a940f4e545c03a4df12eb8a042b72c28bb81
-
memory/1124-29-0x0000000001F10000-0x0000000001F12000-memory.dmpFilesize
8KB
-
memory/1640-167-0x0000000000A60000-0x0000000001B1A000-memory.dmpFilesize
16.7MB
-
memory/1640-84-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1640-107-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/1640-105-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/1640-104-0x00000000003B0000-0x00000000003B1000-memory.dmpFilesize
4KB
-
memory/1640-205-0x0000000000A60000-0x0000000001B1A000-memory.dmpFilesize
16.7MB
-
memory/1640-206-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2376-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2376-58-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2376-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2376-39-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2376-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2376-47-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2376-38-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2376-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2376-78-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2376-81-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2376-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2376-82-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2420-63-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-90-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-14-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-12-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-17-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-64-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-65-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-66-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-67-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-69-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-70-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-19-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-21-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-22-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-23-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-85-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-88-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-15-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-48-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/2420-108-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2420-16-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-50-0x0000000000370000-0x0000000000372000-memory.dmpFilesize
8KB
-
memory/2420-51-0x0000000000370000-0x0000000000372000-memory.dmpFilesize
8KB
-
memory/2420-18-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-20-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-122-0x0000000000370000-0x0000000000372000-memory.dmpFilesize
8KB
-
memory/2420-152-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2420-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2500-99-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2500-100-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2500-106-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2500-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB