Overview

overview

10

Static

static

3

48de47b466...cs.dll

windows7-x64

10

48de47b466...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll

  • Size

    120KB

  • MD5

    48de47b466d13b494716389ed860ec30

  • SHA1

    958fd877c96843efaef3e6881eb18f63411a2ae0

  • SHA256

    610eb98abec78e784ec1d07aac77af7438ba6c290c1f09d256c3f360e20aed3a

  • SHA512

    e8f71e4d21bac9ddd038f5c9e7ea6fcba6f0b8839b203f79763679f57049f2a3fe831d7cb30daa17912bd8c156ee2f5bd3a3bc47d8a2ea7302f87e1ea3870846

  • SSDEEP

    3072:3ve1fZjr7BeZ55IsQ+9FMm5RDbXlBeU5:3vsRjr7B8b6a1BeU5

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 11 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1112
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1188
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#1
              3⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2992
              • C:\Users\Admin\AppData\Local\Temp\f761bda.exe
                C:\Users\Admin\AppData\Local\Temp\f761bda.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3004
              • C:\Users\Admin\AppData\Local\Temp\f761d60.exe
                C:\Users\Admin\AppData\Local\Temp\f761d60.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Drops file in Windows directory
                • System policy modification
                PID:2708
              • C:\Users\Admin\AppData\Local\Temp\f7637a4.exe
                C:\Users\Admin\AppData\Local\Temp\f7637a4.exe
                4⤵
                • Executes dropped EXE
                PID:2600
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2456

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Defense Evasion

          Modify Registry

          5
          T1112

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          3
          T1562

          Disable or Modify Tools

          3
          T1562.001

          Credential Access

          Discovery

          System Information Discovery

          2
          T1082

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            b83adca6f785027191378a6b7b24f6d5

            SHA1

            a8b37eff6d3687d7a84a1c634687e14218e34b3b

            SHA256

            b33e5e0b7d886534255ed5646396e0925a70ab58d96666cffb2926a53e7a43c0

            SHA512

            733727acca65deff32bf930a6ff6841592fb17e8d196af35b17e279ed4aea56a5e7e4120b1bd4503a234e23bdbb80e8993f1dfc099053d9c042076b7b935d539

            Download Submit
          • \Users\Admin\AppData\Local\Temp\f761bda.exe
            Filesize

            97KB

            MD5

            bb23844c21aff9e48c2ae2a11fd325c5

            SHA1

            972724c994d7e3750f57fa0cb8b93e038aba08e8

            SHA256

            b384c4b405a31e72385c056e0491f40a1d4daf28cc4b5cb7a9a53f2a5174c9bd

            SHA512

            d2c77708614cdfd617e041e396d9572a6d9a10e1ac2b21224f03aa6f26a6eedd4fcfc3a39cfb18bdad036996129c3faece741f2fa929d5e4176e3fd414fabac1

            Download Submit
          • memory/1112-19-0x0000000002030000-0x0000000002032000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2600-96-0x0000000000260000-0x0000000000262000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2600-74-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2600-165-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2600-94-0x0000000000270000-0x0000000000271000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2600-93-0x0000000000260000-0x0000000000262000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2708-86-0x00000000003F0000-0x00000000003F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2708-161-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2708-87-0x00000000003E0000-0x00000000003E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2708-157-0x0000000000910000-0x00000000019CA000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2708-58-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2708-95-0x00000000003E0000-0x00000000003E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2992-53-0x0000000000230000-0x0000000000232000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2992-1-0x0000000010000000-0x0000000010020000-memory.dmp
            Filesize

            128KB

            Download
          • memory/2992-26-0x0000000000240000-0x0000000000241000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2992-55-0x0000000000250000-0x0000000000262000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2992-9-0x00000000001F0000-0x0000000000202000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2992-56-0x0000000000230000-0x0000000000232000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2992-70-0x0000000000230000-0x0000000000232000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2992-10-0x00000000001F0000-0x0000000000202000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2992-35-0x0000000000240000-0x0000000000241000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2992-72-0x00000000001F0000-0x00000000001F2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2992-25-0x0000000000230000-0x0000000000232000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3004-54-0x00000000002D0000-0x00000000002D2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3004-16-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-59-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-61-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-17-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-18-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-34-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-75-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-76-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-78-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-38-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-46-0x00000000002D0000-0x00000000002D2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3004-39-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-37-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-36-0x00000000002E0000-0x00000000002E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3004-60-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-97-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-98-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-100-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-102-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-104-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-105-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-107-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-143-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-144-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/3004-15-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-14-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-12-0x0000000000660000-0x000000000171A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/3004-11-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download