Analysis
-
max time kernel
122s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
19-05-2024 13:24
General
-
Target
c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe
-
Size
307KB
-
MD5
c91f40258886d933218397b1ffda1150
-
SHA1
07768258b71eaa59976f8aa732a0a0cdcbd376f2
-
SHA256
910a6350a191dc05080476edd8865f07a99eda54f33e58dad0e3ef8109414942
-
SHA512
bac43cec38fe8bafc6cd88055ccd350e6790c241a3ad1dc15e2a4d421ffb4bb703b5bd5eb5e2ff9f1c998b4ba3a97914f6a9876e9a53e05ece49cf5c50c18e4a
-
SSDEEP
6144:+vEN2U+T6i5LirrllHy4HUcMQY6i16h1Zfw5Rgsz6vkhEb:AENN+T5xYrllrU7QY6Rh1q5Rgbxb
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_NeikiAnalytics.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exec:\users\admin\appdata\local\temp\c91f40258886d933218397b1ffda1150_neikianalytics.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 13:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\SysWOW64\at.exeat 13:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\SysWOW64\at.exeat 13:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\c91f40258886d933218397b1ffda1150_neikianalytics.exeFilesize
100KB
MD58c1cfd45c4ea90d8b274145c5340aac4
SHA14e8d7e7948475372db67266c4caa4516c55841bf
SHA2565646c13f0599eb99334de2475d19bdbb78f2629b7701112a54671487d49b124a
SHA512ebe5ca88aff4e8d12583001215a4d784c173f928fd8eee0132226d5b31fedfc02622e92bd8faf78a95157fad7f482cf32d6824633ba0114d41f576a3bcfaad8f
-
C:\Users\Admin\AppData\Local\icsys.icn.exeFilesize
206KB
MD582befad1f17f6c34bc6d738d3fc5ae71
SHA151e247fb6d2d83de18273f9e82aedcc793f73e07
SHA256d5ecdc7221adefda9a3beaf93b116b9d78c626d7b124a7fc16cb7f509f7a1564
SHA5129840b5f2d30a10d132d1ebfae415a9a7d05c8390034396a8864b04a396d996c3f2e52e92eb6b9396407e00b8f3ab6e1b5265ef7e7f2972c304e8b107788e3195
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
206KB
MD560d13eaa08ea5d3ae85c3e3074ac635d
SHA1a3d0a5850c0c56ebaa7754dbeb8481fe2aaa9c5d
SHA256491ac2cd119646bc2abd5cc676723ef8bae0d838fd8d484b940640feb3d66e18
SHA51293d68a31461f68e768d211980455d2188f0a58cdf56072b1643fd85de322e61cc001121829c19058a7c48784620977f836d0755fb1974005b0c5d7ced5643eae
-
C:\Windows\System\explorer.exeFilesize
206KB
MD55f07d74c4ff6da8ed8d02c084482df18
SHA121d04f6b4272cf964366d01af13e62b4c3bd3e2f
SHA256fd69590930135ead282a515f5bb3f581737bed1844ff722fb1382449d29d32c4
SHA5125e9291034754838d5442fe6c98df8c22c3da786047697be5d88c8c56984cfd84b559ff95286377b9debf1219dbf9037639814c6de9fdb6a7f1c2e0e819f3c5ca
-
C:\Windows\System\spoolsv.exeFilesize
206KB
MD5bfe997abb31f2f1ce1e3b09fc40a9f90
SHA1ee6050c4a8cd2b37e0bf3998a442fc7074db66a4
SHA25640664af62820e34d47569a91a96080292ce42139e01a6d8fa9bfd6f8d9c2cb58
SHA51212956dbb7a61c8ece06f1b53b67071de1b0e09ebf2e27715ddbadb2fecbc3a9c4a51abaadcef9b6111ac4c93e1d152a156bcff26938d58f40b03a8affc53d913
-
C:\Windows\System\svchost.exeFilesize
206KB
MD5c469cbfbf54358a9c98d0434c33f1de3
SHA1afbedb53737f0033b998b9dc28f7e5654f1fe0a7
SHA25651de08afdfdd95ae967a6df67d26d68f4b7dedcf8f6aa4257023436c9281801d
SHA5121103c11f6842df3a12a67cbc537c7f8b3445115a2d22877d1b516185118a4769b55a7b95b1f5c31f5d9a509c22485344e4e24a575c8872e8973118d8f5a000b7
-
C:\qymst.pifFilesize
100KB
MD59914d1f67fc4bd5e676ae09ee2185567
SHA1735260f0a7bf16d7fd25d0aa103f1ed5312208d9
SHA256186b5d504d821e62c013c423993fad6d120e41a23b9a6dad18872127ab8f731f
SHA512a2856cdafc5f47fdabdb4d9b96ed337eb1558fc525884211e60a5c8118adff2ddfb44792139117789c65b7b20744d54656c2c854c1a7becf3f7af351fc59031c
-
memory/64-67-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/532-71-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/532-55-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1160-77-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1160-32-0x00000000029C0000-0x00000000029C2000-memory.dmpFilesize
8KB
-
memory/1160-27-0x00000000029C0000-0x00000000029C2000-memory.dmpFilesize
8KB
-
memory/1160-0-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1160-22-0x0000000002B90000-0x0000000002B91000-memory.dmpFilesize
4KB
-
memory/1160-21-0x00000000029C0000-0x00000000029C2000-memory.dmpFilesize
8KB
-
memory/1348-85-0x00000000021A0000-0x00000000021A2000-memory.dmpFilesize
8KB
-
memory/1348-82-0x0000000002AC0000-0x0000000002AC1000-memory.dmpFilesize
4KB
-
memory/1516-73-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1516-19-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/4232-25-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-12-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-42-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-44-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-13-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-15-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-24-0x0000000003E00000-0x0000000003E01000-memory.dmpFilesize
4KB
-
memory/4232-65-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-33-0x0000000003DF0000-0x0000000003DF2000-memory.dmpFilesize
8KB
-
memory/4232-70-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-29-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-26-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-28-0x0000000003DF0000-0x0000000003DF2000-memory.dmpFilesize
8KB
-
memory/4232-72-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-17-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-80-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-8-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/4232-14-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-124-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-10-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-87-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-88-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-89-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-91-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-92-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-94-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-99-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-100-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-102-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-103-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-109-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-110-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-113-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-116-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-117-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-118-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-122-0x0000000002230000-0x00000000032BE000-memory.dmpFilesize
16.6MB
-
memory/4232-123-0x0000000003DF0000-0x0000000003DF2000-memory.dmpFilesize
8KB
-
memory/4700-84-0x00000000035F0000-0x00000000035F1000-memory.dmpFilesize
4KB
-
memory/4700-86-0x0000000002DD0000-0x0000000002DD2000-memory.dmpFilesize
8KB