Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-05-2024 14:27
General
-
Target
d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
d7482856356ba5eaa99a9b31e27b1da0
-
SHA1
d1e5c06a21f85753335134fb769d5af1f2b2f960
-
SHA256
ec0398121807170f8d46b94adc67331ebd4d7ae0654e60d9b2cc797f017f0606
-
SHA512
0bb279c031f484a00c24332412f64b4bb621eca1eda5c512a6b1a1305830b2fd1ddcf941967be9933c78baae9061cbd158f590c5d118b56a9d66fbb09bd05c76
-
SSDEEP
1536:NM7KWetpU3dlJeG6x91fBSpBR4a9+RluX1/3GuZrvRLs3WOnAFaVP3O0gC:67KVDUtlJeGONSp7P+buX1uuZyP3pgC
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57466f.exeC:\Users\Admin\AppData\Local\Temp\e57466f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5747e6.exeC:\Users\Admin\AppData\Local\Temp\e5747e6.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e577733.exeC:\Users\Admin\AppData\Local\Temp\e577733.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57466f.exeFilesize
97KB
MD510155e9649226fd5f4fdafd0694cf7b2
SHA13738e32f62c4be523233c303ab56edbe631cd7a9
SHA256ff98d4e25d02fcd822b9acd48f4a74559d328e0ecc9273d3e9ee0ab368d3b265
SHA512421e34f56752970ebc8f44ecc152e8da2f792695201167e069fcbd633e4502afbb801f333b65e15aed3d03cf6627d440d9458b1dd1d6d0f9223f64b08106bb16
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5f1976d5296cf8a51a70a1a6ebc1b221b
SHA1898079b0726352269d52d3ece52bb1791d6026a8
SHA25612ae3152f6b73e6362e4901f5ae8871068f1b88c93bb1adc9bce16ba296bbc05
SHA51214e943f97b0a7e811a52e42d98ddeb78a27dca2c9c34dc9e441a96ae3c84dcbe026d8c9cd51a91137eb55e709006c1a561a1da04548b36f3505a88a99a83b3b6
-
memory/1412-29-0x00000000012F0000-0x00000000012F2000-memory.dmpFilesize
8KB
-
memory/1412-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1412-20-0x00000000012F0000-0x00000000012F2000-memory.dmpFilesize
8KB
-
memory/1412-21-0x0000000001300000-0x0000000001301000-memory.dmpFilesize
4KB
-
memory/1412-24-0x00000000012F0000-0x00000000012F2000-memory.dmpFilesize
8KB
-
memory/2896-37-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-63-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-33-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-35-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2896-11-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-14-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-18-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-23-0x0000000001A00000-0x0000000001A01000-memory.dmpFilesize
4KB
-
memory/2896-30-0x0000000000550000-0x0000000000552000-memory.dmpFilesize
8KB
-
memory/2896-28-0x0000000000550000-0x0000000000552000-memory.dmpFilesize
8KB
-
memory/2896-10-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-9-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-8-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-36-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-19-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-38-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-39-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-40-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-90-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2896-80-0x0000000000550000-0x0000000000552000-memory.dmpFilesize
8KB
-
memory/2896-71-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-46-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-54-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-56-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-57-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-58-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-61-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-27-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/2896-64-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/3472-97-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3472-107-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3472-115-0x0000000001BC0000-0x0000000001BC1000-memory.dmpFilesize
4KB
-
memory/3472-114-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3472-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3472-149-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4032-44-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4032-43-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4032-42-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4032-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB