Analysis
-
max time kernel
137s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
19-05-2024 03:09
General
-
Target
5f27dba2c62db27fa47a0c2689d85d10_NeikiAnalytics.dll
-
Size
120KB
-
MD5
5f27dba2c62db27fa47a0c2689d85d10
-
SHA1
6b0dc4f2c5b35708e624252bc6df81f57e31fab0
-
SHA256
8a17714c0f54562ee6c3a45c6aaf15849b85e811b3013ecbed151a7d3f853bf5
-
SHA512
43674c2ccbceb70b66371b5f102eaf757a56f23b43588b42900e28e525505a858bcb087885ab2579a1c81620e9c190b82a5568e2596894ecefdcce95a5565da0
-
SSDEEP
1536:4Qyf7gV5kFNHRth7fU0xrz3BHQM7HRRjF6/NDjkGqntJ9EM2cquQ/T3nQm:4QyseF1/ZU0B35rw5kGqtJW3n
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5f27dba2c62db27fa47a0c2689d85d10_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5f27dba2c62db27fa47a0c2689d85d10_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e574c3b.exeC:\Users\Admin\AppData\Local\Temp\e574c3b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574d84.exeC:\Users\Admin\AppData\Local\Temp\e574d84.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576dbe.exeC:\Users\Admin\AppData\Local\Temp\e576dbe.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574c3b.exeFilesize
97KB
MD52019212b50ba882c33915d1c10b1f0c5
SHA114bf539e38409f0acc70ab10a3eb8c35c3a44a70
SHA256591bc827ba3f42c33ec2782a421a2999043a5324d49b1c191ba890dafdad047e
SHA5125651267aa35be64dc946460bedcf5ce0f4b736b08259623a6c2f38984cd69a370c3efa48998e8945dcf6ad3fa86ba7a1a8d1dcb768f499c4b6f41e9ee9ce48b2
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5afefd834007495107242fe6cb742061d
SHA1d99e9f5e4378cd9e8db35b41141b967e0f9acd47
SHA2568e6f091fba44ced40e614726f422867f0806071b999473d362e973426ccad1f3
SHA51295636ac4db38500e04bcea6d26a10a432b1a87c166b57dec3cb976fb9c4c9ba02667f9413b2d04792413b3ed3fd979975a7520cc1b7b9ee7f4a1aa13e254f086
-
memory/576-20-0x0000000001040000-0x0000000001042000-memory.dmpFilesize
8KB
-
memory/576-45-0x0000000001040000-0x0000000001042000-memory.dmpFilesize
8KB
-
memory/576-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/576-13-0x0000000001040000-0x0000000001042000-memory.dmpFilesize
8KB
-
memory/576-14-0x0000000001240000-0x0000000001241000-memory.dmpFilesize
4KB
-
memory/576-17-0x0000000001040000-0x0000000001042000-memory.dmpFilesize
8KB
-
memory/4376-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4376-54-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4376-147-0x0000000000B60000-0x0000000001C1A000-memory.dmpFilesize
16.7MB
-
memory/4376-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4376-118-0x0000000000B60000-0x0000000001C1A000-memory.dmpFilesize
16.7MB
-
memory/4376-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4376-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4824-10-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-50-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-12-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-23-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/4824-34-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-35-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-36-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-37-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-38-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-40-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-39-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-11-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-8-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-16-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/4824-33-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-22-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-19-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-30-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/4824-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4824-9-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-59-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-60-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-62-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-63-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-65-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-67-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-69-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-71-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-73-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-87-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/4824-81-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/4824-97-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4980-101-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4980-52-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4980-55-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4980-31-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4980-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB