Analysis
-
max time kernel
143s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-05-2024 19:58
General
-
Target
3efa4ca4720c0da820ee6a50438e5010_NeikiAnalytics.dll
-
Size
120KB
-
MD5
3efa4ca4720c0da820ee6a50438e5010
-
SHA1
64e144eb762bb8d6d45c69f4006efd31b105c687
-
SHA256
e2010219610aedfa8d24edfd72a4c0675ac4d63088dc190e0d3f7bedb8ca57f2
-
SHA512
3c7408302e4020765f2b064634bc63c245fe02116b91de325d5eddb510e353dbce2a50909ac0e235d96449c23d6b0c05c86a0655c2c7c8e6f66d09ce47c3573f
-
SSDEEP
1536:3+2hbYEyuHC5K/GvO8Qq5KtlNQ4BrGIRlxKxPWzRJK9NreATm:CEy2+28QukNQ4RGIRlDRJK9N8
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3efa4ca4720c0da820ee6a50438e5010_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3efa4ca4720c0da820ee6a50438e5010_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e575554.exeC:\Users\Admin\AppData\Local\Temp\e575554.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5756ea.exeC:\Users\Admin\AppData\Local\Temp\e5756ea.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e578a8d.exeC:\Users\Admin\AppData\Local\Temp\e578a8d.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e575554.exeFilesize
97KB
MD5480ab7ea9f490214d7669ae78b81fef4
SHA15c60425bcb60570e89878f27dcc5e0e712a321e7
SHA2565f7040fe2bc08636fe0cdc0e39ca434023f67231ec0240ca5b65b1531cfa99f2
SHA512c034a800d27d1b36ca80dc0b0c0518b3a3ae22260ece6ac276f11cb11f66e9fc531fdba312865be3a24509a5b87a7736eeb3273a25f6af672f931563be77b31f
-
C:\Windows\SYSTEM.INIFilesize
257B
MD547bc113843b1ec97e5532eb95bf90cad
SHA1b65b9ceb497ecee22d7729658490a6bb6a6da848
SHA256903c7bc650b0340c48721cb5f651b5b430b007a88f921168ae3f94685f9d9761
SHA51260ed0231ae1baed048a96932c47d3df9a5b56828315add845c08df2acaa46c9e83504024f4a3c1eac296650c59f9f7082786af24728857de447a33e81beb132b
-
memory/3008-40-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-34-0x00000000006F0000-0x00000000006F2000-memory.dmpFilesize
8KB
-
memory/3008-9-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-10-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3008-18-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-71-0x00000000006F0000-0x00000000006F2000-memory.dmpFilesize
8KB
-
memory/3008-32-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-28-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-27-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-82-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3008-67-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-26-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-11-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-62-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-22-0x0000000003FB0000-0x0000000003FB1000-memory.dmpFilesize
4KB
-
memory/3008-31-0x00000000006F0000-0x00000000006F2000-memory.dmpFilesize
8KB
-
memory/3008-60-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-36-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-37-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-58-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-39-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-56-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-55-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-38-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-6-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-14-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3008-54-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3632-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3632-101-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3632-120-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4764-85-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4764-99-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4764-116-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4764-50-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4764-87-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4764-115-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4764-89-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4764-44-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4764-46-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4764-83-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4764-88-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4764-86-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4948-29-0x0000000000C60000-0x0000000000C61000-memory.dmpFilesize
4KB
-
memory/4948-19-0x0000000000C50000-0x0000000000C52000-memory.dmpFilesize
8KB
-
memory/4948-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4948-48-0x0000000000C50000-0x0000000000C52000-memory.dmpFilesize
8KB
-
memory/4948-23-0x0000000000C50000-0x0000000000C52000-memory.dmpFilesize
8KB
-
memory/4948-30-0x0000000000C50000-0x0000000000C52000-memory.dmpFilesize
8KB