Analysis
-
max time kernel
19s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
25-05-2024 05:20
General
-
Target
8c28df00bc5be2e468008b9bb3cb3b10_NeikiAnalytics.exe
-
Size
10.0MB
-
MD5
8c28df00bc5be2e468008b9bb3cb3b10
-
SHA1
9e5623c1a12a43f3f4731415700760527b97449a
-
SHA256
328924f8134897fee4c360b1fb1d05728cc0613261e32cc6577424716ab089a1
-
SHA512
c258aa56f7f3291e3ce9c016ec7deef75d82cf6dcc85bb9683505cc3dafa5ec1815630d7f5e8a3e457f8475c85e200f1bec149d63371f918b3ab71db43437f61
-
SSDEEP
196608:YwyWzqX4fIvXxJyAzkC4BNcjl76MJhsHWlUdMFfmbt8JIMz:YwymfaX2AzJ4U1hJlUmK8JIY
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\8c28df00bc5be2e468008b9bb3cb3b10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8c28df00bc5be2e468008b9bb3cb3b10_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\users\admin\appdata\local\temp\8c28df00bc5be2e468008b9bb3cb3b10_neikianalytics.exec:\users\admin\appdata\local\temp\8c28df00bc5be2e468008b9bb3cb3b10_neikianalytics.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.7MB
MD57472afd6a7ba4a5f988ff85970897ba2
SHA11539c2385562e6edfa769eb9ae69b3e9fff54db3
SHA256f806b24d72f1c443d3015547fa4683cf29f66c8eb4438c75e91956cdc643d35a
SHA51299d072660d2ea7a0b86bdb8a2a6476d0261b4fdb63ce05d853666699ca1317c8b83b0fb3033b06acbe467efb6eaabe519d99555f2c1b15afe43176c7a0e2bafe
-
Filesize
287KB
MD58e70352497d2bd883b35b886caa8f926
SHA1eda2bb586069d5b6f9b5b07e9eaf25a6d8b6026e
SHA2566ac5d181b9f56bdebfb7b62939f7e76c12909aeca0580b564ae808bd716991e0
SHA512bd5da359d00a150f944b434d886c05394132beb7719289ae4619bb84621bc1acf24adc32d57129ff1624ee437902c59757a77f7453fd49dc8d8d091678fbf403
-
Filesize
256B
MD58e39114c88878288fde873c6740f0b46
SHA1ee4dae5f3748533bf595d3161b6e8a8a0b46a741
SHA2563ca43924cfbcdcafc3aefe70b9d5f2457ef8fba00fa39bba0eeed3a49fbf279e
SHA512dab7bc64129ac006ff5f34598ebf4291ca31aa0f101b82ffe8713e00f89b7f9656c43833dcf0f98fbd159fd21919ced68117e26f3e9ac42e9264d757ff637c0e
-
Filesize
287KB
MD5225c504b0c9b5530becfcf3170800125
SHA11d4a40a59a0a0b7cf1c226e9f6e89d2b89b938ec
SHA2567d7f250cc66fcee2ee5dd1a4ecdac24faa291ec6d9dc2117125ebe6d6fdcb63c
SHA5124e4dd8e39e19460e375197c93ccdb95036db4665282bb2889c95f78f8b6bd12cd274f17c3d29480ab66dee9f64d5d108ec5d171104c960d3b6740a73ea28de29
-
Filesize
287KB
MD58b60fdd89e4a2b08f1a3a4a1aeab95ef
SHA145731ffd10342d33394d6632dd9f7ec1e22a600b
SHA2566b8db2599c3bb133537cf5e008cba181c2c0899580ebc2957638783786ef73e9
SHA512c5680fd33bdb108fc4106a230177f5b046519c77ff95d702586f9e1e89ed34636ec2067c06e582a540c8186327304e01e2590040cd5ab1ebafcb0695c0b61354
-
Filesize
288KB
MD5dea75e6a41fe896e26166b93b0b70fd6
SHA1b363c49de5ec37ce55c33eb1d8616ed0ca8979c1
SHA2560730bcd201301a3fc866d5db2b931dfb83c16edb4bc6849faf1417ca8bcb28b3
SHA51279c82ce33bcf8d70cf28ac373759ecb830169f967e991bcc65813f278be70db226954873ec075fa9b7a30b9049f1c7b2e3ab28a256ed0ac1dfc06bf14b556a12
-
Filesize
287KB
MD57ee209439b5d6fe471200aacf3f3ecdc
SHA19e3d2f4cf12ad6e9b29e81c13c22837aa67d6475
SHA256d013b66fd9d0be1ecd8554b3ec6907c35a838dd84a96fedadcf6255050cc4cb7
SHA512c464c58ee29b1c17b88f79403811b64d5cde58c59aa387a5e07afeec7fbf43c83389401a57f22afc30db95224f8116357ee53ff8e7f1720c7c816f18a437fbc3
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.3MB
-
Filesize
392KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
260KB