Analysis
-
max time kernel
26s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
19-05-2024 01:43
General
-
Target
48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll
-
Size
120KB
-
MD5
48de47b466d13b494716389ed860ec30
-
SHA1
958fd877c96843efaef3e6881eb18f63411a2ae0
-
SHA256
610eb98abec78e784ec1d07aac77af7438ba6c290c1f09d256c3f360e20aed3a
-
SHA512
e8f71e4d21bac9ddd038f5c9e7ea6fcba6f0b8839b203f79763679f57049f2a3fe831d7cb30daa17912bd8c156ee2f5bd3a3bc47d8a2ea7302f87e1ea3870846
-
SSDEEP
3072:3ve1fZjr7BeZ55IsQ+9FMm5RDbXlBeU5:3vsRjr7B8b6a1BeU5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f75fe4c.exeC:\Users\Admin\AppData\Local\Temp\f75fe4c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f75ffb3.exeC:\Users\Admin\AppData\Local\Temp\f75ffb3.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f761a06.exeC:\Users\Admin\AppData\Local\Temp\f761a06.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f75fe4c.exeFilesize
97KB
MD5bb23844c21aff9e48c2ae2a11fd325c5
SHA1972724c994d7e3750f57fa0cb8b93e038aba08e8
SHA256b384c4b405a31e72385c056e0491f40a1d4daf28cc4b5cb7a9a53f2a5174c9bd
SHA512d2c77708614cdfd617e041e396d9572a6d9a10e1ac2b21224f03aa6f26a6eedd4fcfc3a39cfb18bdad036996129c3faece741f2fa929d5e4176e3fd414fabac1
-
C:\Windows\SYSTEM.INIFilesize
257B
MD57770c930a58df7ef4f3defb65050cefa
SHA1363fe85c5da9c17fb620f362a6fdb1bdd36cea1f
SHA2565a59cfec182000c551f581412420c5f9702a41558fedb70630225857c5eee028
SHA5121215493d34588ecd2652ab68cfcea220423be44b009fd49066b5bf7415f6b6b73864b84ab5987266342ce305c68ef12d24920d76f682d83597d6dd6e74376167
-
memory/1056-29-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1272-176-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/1272-213-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/1272-84-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1272-108-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1272-214-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1272-106-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1272-105-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/1636-58-0x0000000000280000-0x0000000000282000-memory.dmpFilesize
8KB
-
memory/1636-39-0x0000000000280000-0x0000000000282000-memory.dmpFilesize
8KB
-
memory/1636-83-0x0000000000140000-0x0000000000142000-memory.dmpFilesize
8KB
-
memory/1636-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1636-62-0x0000000000280000-0x0000000000282000-memory.dmpFilesize
8KB
-
memory/1636-40-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/1636-10-0x0000000000140000-0x0000000000152000-memory.dmpFilesize
72KB
-
memory/1636-9-0x0000000000140000-0x0000000000152000-memory.dmpFilesize
72KB
-
memory/1636-48-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/1636-61-0x00000000002A0000-0x00000000002B2000-memory.dmpFilesize
72KB
-
memory/2424-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2424-99-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2424-98-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2424-107-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2424-163-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2600-50-0x0000000002F00000-0x0000000002F02000-memory.dmpFilesize
8KB
-
memory/2600-14-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-64-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-66-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-68-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-67-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-70-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-71-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-16-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-17-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-85-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-88-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-89-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-65-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-19-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-49-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/2600-21-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-23-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-15-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-115-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-159-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-18-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-20-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-157-0x0000000002F00000-0x0000000002F02000-memory.dmpFilesize
8KB
-
memory/2600-60-0x0000000002F00000-0x0000000002F02000-memory.dmpFilesize
8KB
-
memory/2600-158-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2600-22-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2600-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB