Analysis
-
max time kernel
22s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
25-05-2024 01:56
General
-
Target
a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
-
Size
287KB
-
MD5
a2a935649fbc3eb38195bcb7f218b280
-
SHA1
7ec45138f71822932423c3a012acff793c681a7b
-
SHA256
3cd43564b5be851aa99978593a1be701004072a51112efbee18d9bac9cfb2d6e
-
SHA512
c1bb2562809b28faaf7bfce008d8884da16ac84d06d079ee116640ff27eee24d32e105cab6a3bb18931b7534bedf9963d49c35acb6ed3f8b76ffca04dcd95173
-
SSDEEP
6144:TvEa2U+T6i5LirrllHy4HUcMQY6Z27Ox0+Meyb:TEaN+T5xYrllrU7QY6Q7ObMV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 01:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD56e637c41f1b14d9efde06ce7118afe2e
SHA1adee3cccc6dfed0720d6ae5246fbace353483fb4
SHA2566b9b2d4a50baee40ef029a0c1331bc646b01b66a46a684aedce88f4da99d26f7
SHA512bc3c71bc59cdf5f2c5a9399e823568c1044c0ca3fa7a79adbca3160af3d4d004ad2e3c48738f717a1e9fe44909985457db31644f587e34fe7e39379587e95359
-
Filesize
257B
MD5ab606dfd8aa9d999da14235250df4a5b
SHA100cdb14ac077fddc34d169f4e45012e4b5654d6b
SHA256de1eeb1c264f7fa357dd407151996850dc1f9d1ea9b2cc1cca633cf54650e3c1
SHA5121b7d6b821d33060676506f662811490f3aeb4b5f848ed9becde3d76b01355d689f6ca068c937629d03dc3dd37fcea99bb1b35bbd4ec66e2adffbd79366c3af2e
-
Filesize
100KB
MD53362538e86ea186e965ffc7900b174f3
SHA1c92e486bb54382487ddee8cf6b70f0469a43a7c9
SHA2560a76ba7e1dadbdb6db66a9f0eb0eeda71cc3f2b1f521e8ee417df23c8739a267
SHA512152bbc3472de42fad72a9b99236d322f9ebb8effc4ebf832454cd818fc55cdcd726e6ec73a7faea29a68f1ff026fcbdd45ae32efabb71614a0b2adceb12af93d
-
Filesize
287KB
MD5c83c472ba1a9f3a0cdc59a7ad39f2b45
SHA122e004e3514da75c4d63768d69ac339b3c1873ba
SHA2564d84abc5f55c4cc202d0aee26b8271a14af1d72c711761a8712d5e1495b4f4b4
SHA5127f3dc7d8487455387df54ccd5f07ededf4a57465b9f2cc6803f43482d0bf55bb26fecd3cc7206e7ea0bf4dde6ecfd9fdc63c088e13e6e4d1b20a37f75e6c5e81
-
Filesize
287KB
MD594d80a91349ae8deb3c2e8da4979c68a
SHA1c06413c8f9d0aa7d0d0b720677dcdebdff6dac7b
SHA256640cb99e1f7f0e9c6f82dfe5282c866732d4b828bee5e1eee961632eb674d739
SHA512cf2e09e64748a8f322e415e01319c661251576a99a879236d552b484375c18ff1672852bf35efd610b92941d7b4b2a9170cf766dd4d5e66e98751c3cd4a41c23
-
Filesize
288KB
MD55538c256faffb22720d8badfa82bd856
SHA13380df0600d3e7ea5f02d4793a5455cd824b358c
SHA256f27cd130f1ae6f00eda321f955ddba126df9d0e497564f1072c3569e8d57952c
SHA512dfeb3a8a582916b62d43fa9efd558c153650f12f6f90d1f274413175269dae76d664e17751d5defcf2c9459f9b63239b6379b488856271cf9fbd878d03a4fd57
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
260KB