Analysis
-
max time kernel
144s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 23:36
General
-
Target
5931a5637c4e44b77332c50559eae270_NeikiAnalytics.dll
-
Size
120KB
-
MD5
5931a5637c4e44b77332c50559eae270
-
SHA1
80abc5d7c8780ee1e34493b5d54c15f00e5f6227
-
SHA256
e282d0b240abcd4abb3cef839a309ce5be986c4116177515fa123ee535768dac
-
SHA512
a1a44afc96427129a5fb1902924fadf64c730acc3b69c0a99d5511de86412fa54967ac1bf3ab8e2014e866f0d44fbcc8641fd32832134ca0efddc3df4ef394bf
-
SSDEEP
3072:sEbgy6qShOSXUaZi241dKOe3MxAX+9e4:dbgqSkiv2zYMxQ+e4
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5931a5637c4e44b77332c50559eae270_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5931a5637c4e44b77332c50559eae270_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e575360.exeC:\Users\Admin\AppData\Local\Temp\e575360.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575479.exeC:\Users\Admin\AppData\Local\Temp\e575479.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57781e.exeC:\Users\Admin\AppData\Local\Temp\e57781e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e575360.exeFilesize
97KB
MD574f0d426a5026f5639e16476d6a80aa8
SHA1f22fa909fee6eb81be345508271a98e62b227bcc
SHA25626f7a780f4581c3187b28bb165e83c132f47e7557c1a8299acf439aa500cfba1
SHA512caae7e0054306860bd90674a9e1ed5d38d7eae12e739209dcaf45522ee247819457dd3cb7fd0bee056cf0fc45d4642d7c28a2058d908ca7adc53e7e24cbccb00
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5ad091412b5702c3c180db47737fa3ee0
SHA144a6ce1f47c8ea83c49bb1f12beda1f21db4b32f
SHA2562c129ab248b057223a764ebd025bf4800baa7f2546e947a4525f3b55b0048141
SHA5125718fafa00cf881aea9122afc6397a5ae01ac6dba1bc2361276c1def61025ce45f1166126e845152011bfa4dcffda4a2aa613eca685863967442fccc8e47dc2e
-
memory/1516-33-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1516-94-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1516-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1516-50-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1516-53-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2288-38-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-37-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-30-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-34-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-35-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-32-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2288-11-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-27-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2288-10-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-15-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/2288-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2288-6-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-90-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2288-81-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2288-71-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-63-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-36-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-24-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-69-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-47-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-48-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-25-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-9-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-67-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-8-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-65-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-26-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-58-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-59-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-60-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2288-62-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2636-54-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2636-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2636-52-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2636-46-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2636-106-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/2636-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2636-142-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4728-12-0x0000000000D20000-0x0000000000D22000-memory.dmpFilesize
8KB
-
memory/4728-13-0x0000000000E00000-0x0000000000E01000-memory.dmpFilesize
4KB
-
memory/4728-18-0x0000000000D20000-0x0000000000D22000-memory.dmpFilesize
8KB
-
memory/4728-31-0x0000000000D20000-0x0000000000D22000-memory.dmpFilesize
8KB
-
memory/4728-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB