Analysis
-
max time kernel
145s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 00:19
General
-
Target
607e933de863079ad4951af3f23bcfd0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
607e933de863079ad4951af3f23bcfd0
-
SHA1
6f36e33c472f58cfb65f0385e13bb25c9ad32219
-
SHA256
493a3d28030bc5b394d23d1b2b19bbeb0888f9c814b548e4285acb12c778bd0e
-
SHA512
50265b1ff0d0647df4b77831d3e853025ee5bbd043f536749c489eba8f4686803e395acbd6d0fd765b57c849a41e0c0d5f11f08d29083e0948030a0f093b0a90
-
SSDEEP
3072:/9RrsfT5yvRJ3IJh+frQUq3BxGmTiuK23:/9RrsfT5ypAh+Up3xiux3
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\607e933de863079ad4951af3f23bcfd0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\607e933de863079ad4951af3f23bcfd0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e575311.exeC:\Users\Admin\AppData\Local\Temp\e575311.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575479.exeC:\Users\Admin\AppData\Local\Temp\e575479.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57856c.exeC:\Users\Admin\AppData\Local\Temp\e57856c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57859b.exeC:\Users\Admin\AppData\Local\Temp\e57859b.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e575311.exeFilesize
97KB
MD57d4b861907f59a252b24fe18c2d0c582
SHA159e592a11f4dfd0bbff872704f8acb24a3d21335
SHA2563bafa9c177c5ef402544dc2cefce670d7620a8f5151798c32adde84aa3da5102
SHA512548b3a817155ab59a5adfebbdbc3b500e850756c87acab527d28a5e5bc3a111a0dbd40b105841d8d5caff74df468a579aa82e46a54d1300390fbced9fe630e99
-
C:\Windows\SYSTEM.INIFilesize
257B
MD576e9075bb2a53ddcc6a65391b646dcaf
SHA1fbc1e1e92dd590abf9ec2c4104c4408919ef34cc
SHA256b9927050dabcf2eb7f59843cd8fdb0d29a6c8a88232c3ce248e3e7590308e48d
SHA5127f5f0c62fdfd02a1e5c039e2597073b80c47271b6907c48f3cea501329c93b0fbb1fc11a4c437349cb650ca27361ff1d4608778109ba1b0b67991f60e7e8dcf1
-
memory/2128-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2128-59-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2388-42-0x0000000000420000-0x0000000000421000-memory.dmpFilesize
4KB
-
memory/2388-43-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2388-45-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2388-31-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3792-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3792-93-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/3792-96-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/3792-104-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/3792-95-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/3792-146-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3792-151-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/3872-13-0x0000000000DD0000-0x0000000000DD1000-memory.dmpFilesize
4KB
-
memory/3872-12-0x0000000000870000-0x0000000000872000-memory.dmpFilesize
8KB
-
memory/3872-21-0x0000000000870000-0x0000000000872000-memory.dmpFilesize
8KB
-
memory/3872-16-0x0000000000870000-0x0000000000872000-memory.dmpFilesize
8KB
-
memory/3872-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4992-38-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-62-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-36-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-37-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-34-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-39-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-40-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-33-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-32-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-30-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-46-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-19-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-20-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/4992-60-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-61-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-35-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-64-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-66-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-68-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-70-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-82-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/4992-89-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4992-22-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/4992-11-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-15-0x0000000001AC0000-0x0000000001AC1000-memory.dmpFilesize
4KB
-
memory/4992-9-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-6-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-8-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-10-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4992-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB