Analysis
-
max time kernel
21s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
19-05-2024 11:57
Errors
General
-
Target
b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe
-
Size
152KB
-
MD5
b6d204cf96e004b32efbeaae6852962b
-
SHA1
549abe4a13e5aa2c6f78b2e5dce3408641568c96
-
SHA256
6b4f87b48c72cb08688413039bed57be6882933ead00949e7d85f582a504f1e8
-
SHA512
ed7293f46e23297876d176cfe97a9db4715f2328b5a505b129a39ff991ad9e6e9923453531c698cedc19db0aaf765c3510df2e074db0a42ea7191c22887b46f8
-
SSDEEP
3072:321sD4b3JiD3GWguwp07jyAKR9G6yx9zwxqpoSEQYynmL:kcKWt75oqLY8mL
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 10 IoCs
-
Drops file in Windows directory 35 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b6d204cf96e004b32efbeaae6852962b_NeikiAnalytics.exe"2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system\Fun.exeC:\Windows\system\Fun.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SVIQ.EXEC:\Windows\SVIQ.EXE4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\dc.exeC:\Windows\dc.exe3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\INF\Other.exeFilesize
152KB
MD5b6d204cf96e004b32efbeaae6852962b
SHA1549abe4a13e5aa2c6f78b2e5dce3408641568c96
SHA2566b4f87b48c72cb08688413039bed57be6882933ead00949e7d85f582a504f1e8
SHA512ed7293f46e23297876d176cfe97a9db4715f2328b5a505b129a39ff991ad9e6e9923453531c698cedc19db0aaf765c3510df2e074db0a42ea7191c22887b46f8
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d45f374ad2864e147cda9746ecec7411
SHA1bc52d781d3d75a24a408e2241e5fefccd67b833f
SHA2565f3c4553782153771f5ab4da20b392ba8a5877c27a01283f3cff2e34e34b4870
SHA512542ffea3a21405f26dee18d48ce2e9feab61823eb6482b2169e8d3c0c4711bdc40352701716490855a3d74e40c52f6ee67559def8112a82090eb637d535654b0
-
C:\Windows\wininit.iniFilesize
41B
MD5e839977c0d22c9aa497b0b1d90d8a372
SHA1b5048e501399138796b38f3d3666e1a88c397e83
SHA256478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2
SHA5124c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d
-
C:\bkif.exeFilesize
100KB
MD5b5620c37c74c5169ff50b6f8e3be6414
SHA1215f44a10af373a581220521175661b4e13d79c8
SHA256e37776934bb6e126694877f13c311f3d7c1ad2720acdf4a5a9c902d51855b2c9
SHA512d003c01d12747dbc2b03de504a8586b6190eab292e7bbac1959374fde5a4f0731c7adb165981ba2aeb909f303278bc64f13a64dc853ac0bf3ffbcf49fefc4d2d
-
memory/1092-146-0x0000000001FD0000-0x0000000001FD2000-memory.dmpFilesize
8KB
-
memory/1092-141-0x0000000002C30000-0x0000000002C31000-memory.dmpFilesize
4KB
-
memory/1092-68-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1824-1-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-36-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-7-0x00000000006C0000-0x00000000006C2000-memory.dmpFilesize
8KB
-
memory/1824-15-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-10-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-13-0x00000000006C0000-0x00000000006C2000-memory.dmpFilesize
8KB
-
memory/1824-12-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-11-0x00000000006C0000-0x00000000006C2000-memory.dmpFilesize
8KB
-
memory/1824-14-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-8-0x00000000006D0000-0x00000000006D1000-memory.dmpFilesize
4KB
-
memory/1824-37-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-9-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-3-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-4-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-6-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-110-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-111-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-112-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-118-0x00000000006C0000-0x00000000006C2000-memory.dmpFilesize
8KB
-
memory/1824-127-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1824-5-0x0000000002B00000-0x0000000003B8E000-memory.dmpFilesize
16.6MB
-
memory/1824-0-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3404-134-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-151-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-41-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3404-135-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-145-0x0000000005780000-0x0000000005782000-memory.dmpFilesize
8KB
-
memory/3404-197-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-133-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-139-0x00000000058D0000-0x00000000058D1000-memory.dmpFilesize
4KB
-
memory/3404-131-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-128-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-132-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-130-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-137-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-161-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-136-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-148-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-149-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-150-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-152-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-144-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-154-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-155-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-156-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-157-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3404-159-0x0000000003CD0000-0x0000000004D5E000-memory.dmpFilesize
16.6MB
-
memory/3916-92-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3916-143-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/3916-147-0x00000000005D0000-0x00000000005D2000-memory.dmpFilesize
8KB