Analysis
-
max time kernel
148s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
19-05-2024 17:08
General
-
Target
fc765bcc82fe5404cb1eb1c77fca01d0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
fc765bcc82fe5404cb1eb1c77fca01d0
-
SHA1
4787adb9df31db9e232123c113e53928a1dd078b
-
SHA256
4fd169508e018f6421c4ac11d8a3f79ea819557b54e9016ce69d38eb403b5a7c
-
SHA512
6bce75e9ea53a0cfcce59f378ce1caa1d9968b6f7eba22f7a7149091025fce99253e5a0b99b3d52672bdf11756a2d215bddc8462224dc24f4208bf3d1300e280
-
SSDEEP
3072:6E0PdUU2aGsd/xBAJ7c8ZC2l/VJe/Lag2vnESz4wX4:sSUcsdAiWC2lq/LagqDz4U4
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fc765bcc82fe5404cb1eb1c77fca01d0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fc765bcc82fe5404cb1eb1c77fca01d0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e574b03.exeC:\Users\Admin\AppData\Local\Temp\e574b03.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574c2c.exeC:\Users\Admin\AppData\Local\Temp\e574c2c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57739a.exeC:\Users\Admin\AppData\Local\Temp\e57739a.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574b03.exeFilesize
97KB
MD5e4e54105dd80c3f84e5a0d50201954b0
SHA1a940f826814323765dd86a9459e974859c01f8f8
SHA256c31913e3c23b975f337db7625809f9a3dc8f41eb6878824bca93bc93e269dbe2
SHA51245074831e5cd25c7025855f1dc9d06225fc8a9cba47d4d06697696b213e435d3b43e67ad11ab05aeac8c8f42a3397437d82f54494cc9758ce618653669eb9e0b
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5bac39904398cc2eff026d2730d8356e9
SHA13cca4826681aee8417a71bb0a791affe33f32a4e
SHA256e475b0bd8c2b0093132d22e562bbb1b1d59138e31740219b647c7128f14f4b05
SHA51290854680d7a0d037ab20bb99494d29e9f173bfc72da520dd47931bd8ab4f67be8fa35775eaaaeb94b6b779c54b45d83dc50d70a4fdab64a78d038a92954d54e5
-
memory/876-104-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/876-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/876-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/876-54-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/876-47-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3336-40-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-14-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3336-36-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-30-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/3336-11-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-22-0x0000000003C30000-0x0000000003C31000-memory.dmpFilesize
4KB
-
memory/3336-6-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-93-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3336-83-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-18-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-9-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-8-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-31-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-37-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-38-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-39-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-33-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/3336-41-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-82-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/3336-29-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-72-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-26-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-70-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-67-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-66-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-65-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-10-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-60-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-62-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3336-63-0x00000000008C0000-0x000000000197A000-memory.dmpFilesize
16.7MB
-
memory/3516-27-0x0000000000D50000-0x0000000000D52000-memory.dmpFilesize
8KB
-
memory/3516-28-0x0000000000D60000-0x0000000000D61000-memory.dmpFilesize
4KB
-
memory/3516-23-0x0000000000D50000-0x0000000000D52000-memory.dmpFilesize
8KB
-
memory/3516-19-0x0000000000D50000-0x0000000000D52000-memory.dmpFilesize
8KB
-
memory/3516-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3516-48-0x0000000000D50000-0x0000000000D52000-memory.dmpFilesize
8KB
-
memory/4532-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4532-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4532-55-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4532-100-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4532-99-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4532-52-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4532-105-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB