Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-05-2024 13:49
General
-
Target
d1662ab299378f2723c3e6380f28a9b0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
d1662ab299378f2723c3e6380f28a9b0
-
SHA1
be4d9e1999c619634db7a2e5641f6ce596ad01df
-
SHA256
4881000348f05a389943f348004f49f459deba85cc036ba602fe01422f11b063
-
SHA512
714a07c22f5962460452f2f007d934cd85e3e6b2a0e0cea143d3da80047a70d2aefc2d7d1c22d18c584cc7afec675099efb4ef62a7aa470c1c27ed2a839b4350
-
SSDEEP
1536:Oha3vD29f/tRttKWCpG74JfjxRrktcE4JjSsQ5wDp3kZjbQxB9ex5:Ma3efFGpZJf9mc3RS5wDpUZAex
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d1662ab299378f2723c3e6380f28a9b0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d1662ab299378f2723c3e6380f28a9b0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5744d9.exeC:\Users\Admin\AppData\Local\Temp\e5744d9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57469e.exeC:\Users\Admin\AppData\Local\Temp\e57469e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5779b4.exeC:\Users\Admin\AppData\Local\Temp\e5779b4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5744d9.exeFilesize
97KB
MD5492eb9dab6ef3f0dc076df488b4fa4e6
SHA1c3c46f17afbc76c806a56cf8406b8b864c112892
SHA2562d4712920db10496c94e66e2180d73591b83465cf5417d7919b32bc47e9cb8bc
SHA51239aab8672240a5750b83c6657deddd1083482de0af6778408990ed334af48897683c6dfa99d0fdbf317840bce13fd50fceb6e8fcac9ca67d6a921eb3bca20e1a
-
C:\Windows\SYSTEM.INIFilesize
257B
MD524486f371f888d7ce2c43206b1026489
SHA18d8608c4998d8bf2676655301d803e05c1bf7b86
SHA2561980a82cc093199d0ffa3a0f8c2b5a7b864ecc25cff7e4bf628e0c29a0d26fa0
SHA512b075f002a031ee4813d77ba75a443ab7e845dcd4a9c6a2af4ccbcd1f703f10d9f8c668de9c7f07abb3596b55188b0ffbe11e1278633ae052c5a3198965f2ecd1
-
memory/216-125-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/216-126-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/216-96-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/216-109-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/216-100-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/216-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/216-93-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/216-99-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/216-46-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/216-44-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/216-45-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/900-40-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-56-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/900-20-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-8-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-24-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/900-11-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-10-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-37-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-38-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-39-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-31-0x0000000000630000-0x0000000000632000-memory.dmpFilesize
8KB
-
memory/900-41-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-9-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-12-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-19-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-47-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-18-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-33-0x0000000000630000-0x0000000000632000-memory.dmpFilesize
8KB
-
memory/900-32-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-58-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-59-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-66-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-67-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-68-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-71-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-73-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/900-81-0x0000000000630000-0x0000000000632000-memory.dmpFilesize
8KB
-
memory/900-92-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/900-28-0x0000000000860000-0x000000000191A000-memory.dmpFilesize
16.7MB
-
memory/3612-30-0x0000000001490000-0x0000000001492000-memory.dmpFilesize
8KB
-
memory/3612-53-0x0000000001490000-0x0000000001492000-memory.dmpFilesize
8KB
-
memory/3612-25-0x0000000001490000-0x0000000001492000-memory.dmpFilesize
8KB
-
memory/3612-21-0x0000000001490000-0x0000000001492000-memory.dmpFilesize
8KB
-
memory/3612-29-0x0000000004870000-0x0000000004871000-memory.dmpFilesize
4KB
-
memory/3612-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4004-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4004-172-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB