Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
18-05-2024 14:57
General
-
Target
dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll
-
Size
120KB
-
MD5
dca4d38a685d77497813fcc67716f020
-
SHA1
ce938d10b8abd1126ac8d1e5e5dbc6f4b55573a6
-
SHA256
39c84a6897b7f87d3ab0aa58539a126ddc1e325ba2260bb801f0152feca109ed
-
SHA512
7ddc03634074ed983f594ab9d9ae7694352c7a66c59a843ec9e77c76566067ab493aa690cb268df77c04cd4aa4fc666efaf0b381fee7034b033bfb5379bd26c7
-
SSDEEP
1536:csrq81iCj0GexXxuQ55iRLPvJmVR0LghGQ0Yq1SKzJG5RX+8xjV+hM4ZZg6AkmKE:cIMmexXxLnYhmN4FYJKVXYV+hNJA5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761036.exeC:\Users\Admin\AppData\Local\Temp\f761036.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7611eb.exeC:\Users\Admin\AppData\Local\Temp\f7611eb.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f762be1.exeC:\Users\Admin\AppData\Local\Temp\f762be1.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f761036.exeFilesize
97KB
MD556e0494e6a9d806f6a4494f942effa8c
SHA1a873d190d5a248ae4172d704df356e3ca90e315c
SHA256509cd106696784644bdf10df3fa4c48cc559fd6c66f769e2d04d595d8e3fb2ac
SHA512c8616eb1c753d1ab2473cf94bd9c7ad366a3434c6476dfa14750bdeccef737ff7455b870e94c79c643f5011a9ced2174a3cfd875cd71304cfe15e791917c197d
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5f3e088706eb106a08906ad66a3bbb039
SHA15d9e628565bcc0280ae7af925eeb6e421a4321e6
SHA256469d6945c51162fc9b311908c8e440e1bad840333024fc5fbb7addc890756afe
SHA512e6af0273b66bf0b143a87598ac6c76495d81c71da7e117960b97cdc8a19e3918986ccbd7c5ae15ba9c9a222f88ab4e310a52ac7f70cc9e20433b32b5f2549726
-
memory/1080-29-0x0000000000210000-0x0000000000212000-memory.dmpFilesize
8KB
-
memory/1816-100-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1816-97-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/1816-197-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/1816-198-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1816-155-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/1816-98-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2056-10-0x0000000000170000-0x0000000000182000-memory.dmpFilesize
72KB
-
memory/2056-77-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2056-38-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2056-61-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2056-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2056-9-0x0000000000170000-0x0000000000182000-memory.dmpFilesize
72KB
-
memory/2056-48-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2056-39-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2056-60-0x00000000002E0000-0x00000000002F2000-memory.dmpFilesize
72KB
-
memory/2056-59-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2056-80-0x0000000000170000-0x0000000000172000-memory.dmpFilesize
8KB
-
memory/2508-170-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2508-91-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2508-90-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2508-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2508-99-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/3036-52-0x0000000002EC0000-0x0000000002EC2000-memory.dmpFilesize
8KB
-
memory/3036-51-0x0000000002EC0000-0x0000000002EC2000-memory.dmpFilesize
8KB
-
memory/3036-65-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-66-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-67-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-68-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-18-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-22-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-82-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-83-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-23-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-19-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-49-0x0000000002ED0000-0x0000000002ED1000-memory.dmpFilesize
4KB
-
memory/3036-64-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-20-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-16-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-101-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-102-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-105-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-107-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-141-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3036-142-0x0000000002EC0000-0x0000000002EC2000-memory.dmpFilesize
8KB
-
memory/3036-143-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-15-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-14-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-21-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-17-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/3036-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB