Analysis
-
max time kernel
35s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-05-2024 19:57
General
-
Target
3e94ca37c72a65fa6428992dd2826f10_NeikiAnalytics.dll
-
Size
120KB
-
MD5
3e94ca37c72a65fa6428992dd2826f10
-
SHA1
e5643029837525a0ab140e1411c1597af8299c83
-
SHA256
bab077766582f4f389b1283af3c506f320e57d35b118f249a9350d84925d0bea
-
SHA512
a75cae2b431f47bb7b2410e0dfa7b185c14f1efe4bfed1c205d12daf0e28eb4c9d601d996940ba174ef4ed9597dabbfc007a215d735443a6c58cf63f4ec9a233
-
SSDEEP
3072:kVYjjytHKJ7Wc5eMeuVJmFnI2TWUvZOiXI47o6r:kVYjjytmJzeuHuIOfOi4f6r
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3e94ca37c72a65fa6428992dd2826f10_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3e94ca37c72a65fa6428992dd2826f10_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7752b2.exeC:\Users\Admin\AppData\Local\Temp\f7752b2.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f775698.exeC:\Users\Admin\AppData\Local\Temp\f775698.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f779869.exeC:\Users\Admin\AppData\Local\Temp\f779869.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f775698.exeFilesize
97KB
MD5fceace990ba96de2842e229fbbefac17
SHA19102994afe48ff9343244eae5159bceb05209cfe
SHA256a4debb401e0016ac0cf783e13cc2c0e9502bad1e54d306bb18b13a1556d35844
SHA512cef5fff16fce0922eb68fcddba1be9439f04dfe159e7c4748ee621b1a442b9cd575a5bf66a318e222443960c949e2e7aa166c9d9551d123be789fb4388dcae88
-
C:\Windows\SYSTEM.INIFilesize
257B
MD520b401deb38cafd6cb2804865b84409e
SHA1c5997958fafa324a3f9a3ecd0501f59bab86ea3e
SHA2567e020bb835ef67b824f5a005ea5767866dd26aa5d6147a11d22d5849b9b469a2
SHA51272455c1d29b131df691fab09fb2da2bbf6c18b5cf009e32579da9d1247358ffbf0842f9ef55e185740c13a2401aaac33d2fee775e06d8a4fb6063653e7ca59c0
-
memory/1036-92-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1036-63-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-67-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-65-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-144-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-50-0x0000000000480000-0x0000000000482000-memory.dmpFilesize
8KB
-
memory/1036-48-0x0000000000490000-0x0000000000491000-memory.dmpFilesize
4KB
-
memory/1036-145-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1036-20-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-19-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-18-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-16-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-120-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-99-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-72-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-15-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-21-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-22-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-13-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-14-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-17-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-75-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-93-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-64-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-90-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-59-0x0000000000480000-0x0000000000482000-memory.dmpFilesize
8KB
-
memory/1036-66-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-69-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-70-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1036-71-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1104-28-0x0000000000210000-0x0000000000212000-memory.dmpFilesize
8KB
-
memory/2004-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2004-234-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/2004-89-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2004-87-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/2004-169-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2004-88-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2004-170-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/2220-37-0x00000000000E0000-0x00000000000E2000-memory.dmpFilesize
8KB
-
memory/2220-118-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2220-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2220-38-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/2220-47-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/2220-57-0x00000000000E0000-0x00000000000E2000-memory.dmpFilesize
8KB
-
memory/2220-60-0x00000000001B0000-0x00000000001C2000-memory.dmpFilesize
72KB
-
memory/2220-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2220-61-0x00000000000E0000-0x00000000000E2000-memory.dmpFilesize
8KB
-
memory/2548-232-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2548-199-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2548-233-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2548-121-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB