Analysis
-
max time kernel
125s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
19-05-2024 13:24
General
-
Target
c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe
-
Size
307KB
-
MD5
c91f40258886d933218397b1ffda1150
-
SHA1
07768258b71eaa59976f8aa732a0a0cdcbd376f2
-
SHA256
910a6350a191dc05080476edd8865f07a99eda54f33e58dad0e3ef8109414942
-
SHA512
bac43cec38fe8bafc6cd88055ccd350e6790c241a3ad1dc15e2a4d421ffb4bb703b5bd5eb5e2ff9f1c998b4ba3a97914f6a9876e9a53e05ece49cf5c50c18e4a
-
SSDEEP
6144:+vEN2U+T6i5LirrllHy4HUcMQY6i16h1Zfw5Rgsz6vkhEb:AENN+T5xYrllrU7QY6Rh1q5Rgbxb
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exec:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 13:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\SysWOW64\at.exeat 13:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\SysWOW64\at.exeat 13:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\icsys.icn.exeFilesize
206KB
MD582befad1f17f6c34bc6d738d3fc5ae71
SHA151e247fb6d2d83de18273f9e82aedcc793f73e07
SHA256d5ecdc7221adefda9a3beaf93b116b9d78c626d7b124a7fc16cb7f509f7a1564
SHA5129840b5f2d30a10d132d1ebfae415a9a7d05c8390034396a8864b04a396d996c3f2e52e92eb6b9396407e00b8f3ab6e1b5265ef7e7f2972c304e8b107788e3195
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
206KB
MD5464d2b0dca7ef24ffc8fa000c0c97482
SHA1b8ecd94a17a98555a6b9314489cafdb056469173
SHA256bbd8e1651ade0b5b137c0be4f4c4565262d5829b2be958391c92f8a3356b0d35
SHA51282334094aafc4d8279520376ea4850b0da30f3caac5ec60e40b42ace3a6399c38ad45aff63d362d69f08ae5c437dce528471a68545a2b5d75328162693caa056
-
C:\Windows\system\svchost.exeFilesize
206KB
MD59246acc0df2d7432a674af9e1c45d091
SHA15af67686b781ef446b4ab43bc7e10b94f25f633c
SHA256cc3fe2dcb5de9a737f1479959d453eeba79447b5ea222e30322549f6c1ad160c
SHA5123911d072ea741311040d7a7eac01fd755924c4d9e9ad39e45605bfc6fcaf23490df105518020bcd9f6b26761614a339c83754d2811c32990ed3760c10f9eeebc
-
F:\pviqx.exeFilesize
100KB
MD5e8bb932dc35d6cde8e5b6cc3619181b8
SHA15e253ad173635af5e83e4b86f25de9807c8021dc
SHA25612398deb13421f5bc58ab00e4b184eae27856465ec0d432e6d1d1e6cbf3fc42c
SHA512f6091417b64c5575d5baff19b08ee6d709f87b908272df94a8939cf3dbb5dfb502473697f96abfecd17d10d7f58d922e7cc7c7f7415a6b4c4002331611540549
-
\??\PIPE\atsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_neikianalytics.exeFilesize
100KB
MD58c1cfd45c4ea90d8b274145c5340aac4
SHA14e8d7e7948475372db67266c4caa4516c55841bf
SHA2565646c13f0599eb99334de2475d19bdbb78f2629b7701112a54671487d49b124a
SHA512ebe5ca88aff4e8d12583001215a4d784c173f928fd8eee0132226d5b31fedfc02622e92bd8faf78a95157fad7f482cf32d6824633ba0114d41f576a3bcfaad8f
-
\Windows\system\explorer.exeFilesize
206KB
MD5ac340104413028b75e9d55a3ad0b9284
SHA15510f7522896bbd075ebc92e27d1a1b1e9edcdcb
SHA256c075f86b8786bdbe0a00d088f17e40a31434866f7d57f90b64ed0a34348e9d60
SHA5123c7ae904d758618f0cd3779927062dbdc0a9731262860360f2e96d0164957b169cd7f5b18051b78ce2c7ea31dd8792e3cb3942905701ddff45cfb2cd4093eb1f
-
\Windows\system\spoolsv.exeFilesize
206KB
MD58fa8c8ad2888d553814200cd13f9ce68
SHA18fa351251318062fd1b671cf85b18f4c227d3b8b
SHA256d0d5a815cbe931945310ee109288f1673a3b6972a3a6f223fbaa25e40f10af75
SHA512e9c9d6a612fef1f4c43e0a3916bd597e92803511919311ca3df77603827f9ad4a17548780a7b767e02f1bfd7e48e315570055d088e0ad9ae05f45760bde38371
-
memory/1104-35-0x00000000003A0000-0x00000000003A2000-memory.dmpFilesize
8KB
-
memory/1436-121-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1636-127-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/1636-0-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1636-8-0x00000000003E0000-0x00000000003F5000-memory.dmpFilesize
84KB
-
memory/1636-33-0x0000000002620000-0x0000000002661000-memory.dmpFilesize
260KB
-
memory/1636-32-0x0000000002620000-0x0000000002661000-memory.dmpFilesize
260KB
-
memory/1636-60-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/1636-43-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/1636-44-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/1636-66-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/1636-63-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/1636-129-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1804-116-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1804-118-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2284-18-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-134-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-16-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-27-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-30-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-59-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-19-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-163-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/2284-138-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-57-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/2284-28-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-137-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-52-0x00000000040A0000-0x00000000040A1000-memory.dmpFilesize
4KB
-
memory/2284-135-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-29-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-61-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/2284-22-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-14-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/2284-133-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-131-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2284-132-0x0000000001CB0000-0x0000000002D3E000-memory.dmpFilesize
16.6MB
-
memory/2720-62-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2720-34-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2720-58-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2720-56-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2720-78-0x00000000034B0000-0x00000000034F1000-memory.dmpFilesize
260KB
-
memory/2720-79-0x00000000034B0000-0x00000000034F1000-memory.dmpFilesize
260KB
-
memory/2720-125-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2924-151-0x0000000002570000-0x0000000002572000-memory.dmpFilesize
8KB
-
memory/2924-150-0x00000000025A0000-0x00000000025A1000-memory.dmpFilesize
4KB
-
memory/2924-93-0x0000000002D30000-0x0000000002D71000-memory.dmpFilesize
260KB