Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
23-05-2024 02:51
General
-
Target
7c335c0e32b47268cdf7933ef8b93bf0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
7c335c0e32b47268cdf7933ef8b93bf0
-
SHA1
3f81a3845f642aeeadef94feb619fc13654b35c5
-
SHA256
78b8a239970cfa4e753c13020b798258b0419251ee4f6c60b1b2d3b6aa692301
-
SHA512
ffe7378b75c2c4d456941d399914bcb3eb903d0abe2d77859b3775796f8420b6c3767cd7b480d8ff490ff634acdc6cbbd6c90d373c3239b9e092188544243144
-
SSDEEP
1536:jARp6UhkVaRQAVSA+W2pltLzIOPRow04+JYShTWxJHvYol5+DSOiPLIMTr:juSk6AV1+PrzIYYaxJPloDLid3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7c335c0e32b47268cdf7933ef8b93bf0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7c335c0e32b47268cdf7933ef8b93bf0_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76233a.exeC:\Users\Admin\AppData\Local\Temp\f76233a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762923.exeC:\Users\Admin\AppData\Local\Temp\f762923.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763ec5.exeC:\Users\Admin\AppData\Local\Temp\f763ec5.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD577fc56096f79cbdf74fef06f25ee6474
SHA1fb14ea841704a8d7b211265072740e988600629b
SHA25654ce29626d0956fe7e969170b158301a32e79a300bee8236a4e5867810867551
SHA51297d553b419b20f12cb1a75328a91d81a20b9ca8e552266da747a48a2041eae06cb17740f20f8037541e78cc574c7a7a1bfcd3dd64c43a4300931f08f30ffec41
-
\Users\Admin\AppData\Local\Temp\f76233a.exeFilesize
97KB
MD54e1be87f9156884542c51e62e6f169ca
SHA1b6c01eafe246f1e9578a7b1441259e5b416162ae
SHA256066bad4e09fd19c58a0aa050d3b3e226509b9175f829d38f92d09489614547cc
SHA512084050a8cbb5419cf413272324e90d629282fd31a1535e5a2bc0f4292192d10cda5a6321b17e1d0e5efa7159fc4364c2be099522796612df05c0dfa418d3a6f7
-
memory/1068-29-0x0000000000450000-0x0000000000452000-memory.dmpFilesize
8KB
-
memory/1144-76-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1144-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1144-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1144-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1144-38-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1144-56-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1144-48-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1144-59-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/1144-60-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1144-37-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1572-97-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/1572-79-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1572-193-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1572-192-0x0000000000900000-0x00000000019BA000-memory.dmpFilesize
16.7MB
-
memory/1572-157-0x0000000000900000-0x00000000019BA000-memory.dmpFilesize
16.7MB
-
memory/1572-99-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/1572-98-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2484-144-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2484-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2484-92-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2484-93-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2484-90-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2988-82-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-63-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-15-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-65-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-66-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-67-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-14-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-17-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-81-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-18-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-20-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-49-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/2988-22-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-23-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-16-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-64-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-100-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-102-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-106-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-110-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-111-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-118-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/2988-139-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2988-140-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-62-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/2988-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2988-19-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-21-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2988-58-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB