Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 20:43

Static task: static1
Behavioral task: behavioral1
- Sample: 4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
- Resource: win7-20240508-en
General
- Target: 4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
- Size: 120KB
- MD5: 4bceefbe345b452abeb46ece84d2ed50
- SHA1: c77be676463a84a7350f0a43f3117e79562efa16
- SHA256: 93fe6d0e6779b13610e5106a44faa5f7089232d5ef85926bf9a0eb8a6e774a5d
- SHA512: d0f877869d769d866750b6b05165c7c63b5043b0830591c634a4b9577edd323d10bd24a23766d80884dfa7b490721d59240b929b7d54d726dab53afb57e9f392
- SSDEEP: 1536:LKlY9zzPhfAkgf1nF8BleBXWX8TtKjf1ZIh8O8uOyVh8Y2Cdv4TVEKLx3yScvxv/:mizPGnF8BuEk3Y/CdyFncvRu3
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: f761b9c.exe, f7619b8.exe
  description      ioc                                                                                                                          process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"         f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"   f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"   f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"         f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"   f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"   f7619b8.exe
UAC bypass
Processes: f7619b8.exe, f761b9c.exe
  description      ioc                                                                                 process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f761b9c.exe
Windows security bypass
Processes: f761b9c.exe, f7619b8.exe
  description      ioc                                                                                         process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"        f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"        f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"        f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"        f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    f761b9c.exe
Executes dropped EXE (3 IoCs)
Processes: f7619b8.exe, f761b9c.exe, f7638ad.exe
  pid   process
  2880  f7619b8.exe
  2632  f761b9c.exe
  1644  f7638ad.exe
Loads dropped DLL (6 IoCs)
Processes: rundll32.exe
  pid   process
  2144  rundll32.exe
  2144  rundll32.exe
  2144  rundll32.exe
  2144  rundll32.exe
  2144  rundll32.exe
  2144  rundll32.exe
Memory regions matching YARA rule upx
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2880-18-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-22-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-24-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-20-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-26-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-25-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-23-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-21-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-19-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-17-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-66-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-65-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-67-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-68-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-69-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-71-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-72-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-73-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-74-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-80-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-91-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-93-0x0000000000710000-0x00000000017CA000-memory.dmp   upx
  behavioral1/memory/2880-158-0x0000000000710000-0x00000000017CA000-memory.dmp  upx
  behavioral1/memory/2632-165-0x00000000009C0000-0x0000000001A7A000-memory.dmp  upx
  behavioral1/memory/2632-192-0x00000000009C0000-0x0000000001A7A000-memory.dmp  upx
Windows security modification
Processes: f7619b8.exe, f761b9c.exe
  description      ioc                                                                                         process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"        f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"        f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       f7619b8.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc                           f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"        f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"        f761b9c.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    f761b9c.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc                           f761b9c.exe
Checks whether UAC is enabled
Processes: f7619b8.exe, f761b9c.exe
  description      ioc                                                                                 process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f761b9c.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: f7619b8.exe
  description            ioc     process
  File opened (read-only)  \??\K:  f7619b8.exe
  File opened (read-only)  \??\S:  f7619b8.exe
  File opened (read-only)  \??\T:  f7619b8.exe
  File opened (read-only)  \??\P:  f7619b8.exe
  File opened (read-only)  \??\Q:  f7619b8.exe
  File opened (read-only)  \??\E:  f7619b8.exe
  File opened (read-only)  \??\M:  f7619b8.exe
  File opened (read-only)  \??\N:  f7619b8.exe
  File opened (read-only)  \??\O:  f7619b8.exe
  File opened (read-only)  \??\H:  f7619b8.exe
  File opened (read-only)  \??\R:  f7619b8.exe
  File opened (read-only)  \??\G:  f7619b8.exe
  File opened (read-only)  \??\I:  f7619b8.exe
  File opened (read-only)  \??\J:  f7619b8.exe
  File opened (read-only)  \??\L:  f7619b8.exe
Drops file in Windows directory (3 IoCs)
Processes: f7619b8.exe, f761b9c.exe
  description                   ioc                      process
  File created                  C:\Windows\f761a35       f7619b8.exe
  File opened for modification  C:\Windows\SYSTEM.INI    f7619b8.exe
  File created                  C:\Windows\f766ac4       f761b9c.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: f7619b8.exe, f761b9c.exe
  pid   process
  2880  f7619b8.exe
  2880  f7619b8.exe
  2632  f761b9c.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes: f7619b8.exe, f761b9c.exe
  description              pid   process
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2880  f7619b8.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
  Token: SeDebugPrivilege  2632  f761b9c.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: rundll32.exe, rundll32.exe, f7619b8.exe, f761b9c.exe
  description                        pid   process       target process
  PID 1720 wrote to memory of 2144   1720  rundll32.exe  rundll32.exe
  PID 1720 wrote to memory of 2144   1720  rundll32.exe  rundll32.exe
  PID 1720 wrote to memory of 2144   1720  rundll32.exe  rundll32.exe
  PID 1720 wrote to memory of 2144   1720  rundll32.exe  rundll32.exe
  PID 1720 wrote to memory of 2144   1720  rundll32.exe  rundll32.exe
  PID 1720 wrote to memory of 2144   1720  rundll32.exe  rundll32.exe
  PID 1720 wrote to memory of 2144   1720  rundll32.exe  rundll32.exe
  PID 2144 wrote to memory of 2880   2144  rundll32.exe  f7619b8.exe
  PID 2144 wrote to memory of 2880   2144  rundll32.exe  f7619b8.exe
  PID 2144 wrote to memory of 2880   2144  rundll32.exe  f7619b8.exe
  PID 2144 wrote to memory of 2880   2144  rundll32.exe  f7619b8.exe
  PID 2880 wrote to memory of 1104   2880  f7619b8.exe   taskhost.exe
  PID 2880 wrote to memory of 1168   2880  f7619b8.exe   Dwm.exe
  PID 2880 wrote to memory of 1232   2880  f7619b8.exe   Explorer.EXE
  PID 2880 wrote to memory of 2392   2880  f7619b8.exe   DllHost.exe
  PID 2880 wrote to memory of 1720   2880  f7619b8.exe   rundll32.exe
  PID 2880 wrote to memory of 2144   2880  f7619b8.exe   rundll32.exe
  PID 2880 wrote to memory of 2144   2880  f7619b8.exe   rundll32.exe
  PID 2144 wrote to memory of 2632   2144  rundll32.exe  f761b9c.exe
  PID 2144 wrote to memory of 2632   2144  rundll32.exe  f761b9c.exe
  PID 2144 wrote to memory of 2632   2144  rundll32.exe  f761b9c.exe
  PID 2144 wrote to memory of 2632   2144  rundll32.exe  f761b9c.exe
  PID 2144 wrote to memory of 1644   2144  rundll32.exe  f7638ad.exe
  PID 2144 wrote to memory of 1644   2144  rundll32.exe  f7638ad.exe
  PID 2144 wrote to memory of 1644   2144  rundll32.exe  f7638ad.exe
  PID 2144 wrote to memory of 1644   2144  rundll32.exe  f7638ad.exe
  PID 2880 wrote to memory of 1104   2880  f7619b8.exe   taskhost.exe
  PID 2880 wrote to memory of 1168   2880  f7619b8.exe   Dwm.exe
  PID 2880 wrote to memory of 1232   2880  f7619b8.exe   Explorer.EXE
  PID 2880 wrote to memory of 2632   2880  f7619b8.exe   f761b9c.exe
  PID 2880 wrote to memory of 2632   2880  f7619b8.exe   f761b9c.exe
  PID 2880 wrote to memory of 1644   2880  f7619b8.exe   f7638ad.exe
  PID 2880 wrote to memory of 1644   2880  f7619b8.exe   f7638ad.exe
  PID 2632 wrote to memory of 1104   2632  f761b9c.exe   taskhost.exe
  PID 2632 wrote to memory of 1168   2632  f761b9c.exe   Dwm.exe
  PID 2632 wrote to memory of 1232   2632  f761b9c.exe   Explorer.EXE
System policy modification (1 TTPs, 2 IoCs)
Processes: f7619b8.exe, f761b9c.exe
  description      ioc                                                                                 process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f7619b8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f761b9c.exe
Processes (tree depth shown in brackets)
- [1] C:\Windows\system32\taskhost.exe
      Command line: "taskhost.exe"
      PID: 1104
- [1] C:\Windows\system32\Dwm.exe
      Command line: "C:\Windows\system32\Dwm.exe"
      PID: 1168
- [1] C:\Windows\Explorer.EXE
      Command line: C:\Windows\Explorer.EXE
      PID: 1232
- [2] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#1
      Signatures:
      - Suspicious use of WriteProcessMemory
      PID: 1720
  - [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#1
        Signatures:
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2144
    - [4] C:\Users\Admin\AppData\Local\Temp\f7619b8.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\f7619b8.exe
          Signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2880
    - [4] C:\Users\Admin\AppData\Local\Temp\f761b9c.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\f761b9c.exe
          Signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2632
    - [4] C:\Users\Admin\AppData\Local\Temp\f7638ad.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\f7638ad.exe
          Signatures:
          - Executes dropped EXE
          PID: 1644
- [1] C:\Windows\system32\DllHost.exe
      Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      PID: 2392
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- File 1
  - Filesize: 97KB
  - MD5: fec4f783bd68280cc60aedb74e1a4481
  - SHA1: 05a05fc98323e28d5bb5a2a194a05698911faaea
  - SHA256: d2927b19d9a11f5998311d9a6a98c169dbed017cc197b5180f1cb6de99c2a526
  - SHA512: f582543b4a3151b352e2f4fe300b69db0dd1329f5cf87e512edb8a6178cedb6cc85700eb29043bfe0c5d7673d177ca07513b73a5c1f2238c76162b8c523e3b72
- File 2
  - Filesize: 257B
  - MD5: 9ac1c2919d5c3574e61b3f1685c1feb6
  - SHA1: 733207541c9a86d52b39c6b1cbd7550133769af6
  - SHA256: 3f238f07872b857bec77664589649c25ff1449646de317603a216e53dbe30e05
  - SHA512: 181bf2023e0e545ec4bfc392582128d637e72234e2036237747af266a992463d04aca30d1fc8912a4172ea41149f7656c003fe19769f4770802d4a9ce3a4616d