Analysis
-
max time kernel
135s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
18-05-2024 06:58
General
-
Target
a7b2df41f56f1e1862a40c2f995b23b0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
a7b2df41f56f1e1862a40c2f995b23b0
-
SHA1
bc691751b27754c80b4663b0d8fa4fc1bf073c17
-
SHA256
f4828eee64fe3ca22473db49a49e4ce69848cb07e8f439ffac2eb38290ea3754
-
SHA512
86d0e5136695bff4777025f923bcabaae316e06084183fa859a8929bc750279f2e55bc17772d67100a83a2aa579d50e6790e86c6ea413bd9c3240b4fbf99e29f
-
SSDEEP
1536:AHGuKM2xLdnkNVq8llMQ5gCC8CGugXWRJbIuUwM+U3kZMBGZxNEbSHkRDx:n2l6CBvdeUupUBeUbSHU
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a7b2df41f56f1e1862a40c2f995b23b0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a7b2df41f56f1e1862a40c2f995b23b0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573633.exeC:\Users\Admin\AppData\Local\Temp\e573633.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5737b9.exeC:\Users\Admin\AppData\Local\Temp\e5737b9.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5751f8.exeC:\Users\Admin\AppData\Local\Temp\e5751f8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575217.exeC:\Users\Admin\AppData\Local\Temp\e575217.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573633.exeFilesize
97KB
MD52dfe678f9674d3fc21bcb4e680f3b7d5
SHA1ce44876399f8d9f377f8b4fbaf3d88f3b8bf02b0
SHA256369197c45a5ec10aed193472aaabb1d80afed2e0bb8642a75d1306e153f733d7
SHA512b49175b7d43fda011a129508daa2227ab43975fd21a1e66a5ad31b0b076ff2fde2165245fce2ae5ec1c293f04029a940f4e545c03a4df12eb8a042b72c28bb81
-
C:\Windows\SYSTEM.INIFilesize
257B
MD56ee54fcddbf4c476fa7e18ef07ea31e0
SHA1167aeefd3090198be36a933800404ae42254d7bd
SHA256a211253cae04040a3ca4dafa143707072b9a1f760c9c6784eb2c0245c18e31d7
SHA5124af3b003487659d73c1c15673c7ea1e0b3762f291cd2f6f51a516687e2159c92f76a3fce092c1c0c6377c22d14e79d2df844450b54fd43b933eb8926ad971b83
-
memory/1688-73-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1688-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1688-168-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1688-69-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1688-56-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2460-121-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2460-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2460-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2460-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2460-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3452-25-0x00000000035E0000-0x00000000035E2000-memory.dmpFilesize
8KB
-
memory/3452-53-0x00000000035E0000-0x00000000035E2000-memory.dmpFilesize
8KB
-
memory/3452-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3452-22-0x0000000003C00000-0x0000000003C01000-memory.dmpFilesize
4KB
-
memory/3452-21-0x00000000035E0000-0x00000000035E2000-memory.dmpFilesize
8KB
-
memory/3452-29-0x00000000035E0000-0x00000000035E2000-memory.dmpFilesize
8KB
-
memory/3840-57-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-87-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-32-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-36-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-37-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-38-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-40-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-39-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-42-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-43-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-10-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-18-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3840-24-0x00000000040F0000-0x00000000040F1000-memory.dmpFilesize
4KB
-
memory/3840-59-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-60-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-12-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-28-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/3840-8-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-19-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-27-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-11-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-117-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3840-30-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/3840-20-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-74-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-76-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-79-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-81-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-83-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-85-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-6-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-88-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-94-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/3840-95-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-96-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3840-100-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4884-66-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4884-67-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4884-72-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4884-133-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4884-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4884-169-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4884-170-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB