Analysis
-
max time kernel
26s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
25-05-2024 05:20
General
-
Target
8c28df00bc5be2e468008b9bb3cb3b10_NeikiAnalytics.exe
-
Size
10.0MB
-
MD5
8c28df00bc5be2e468008b9bb3cb3b10
-
SHA1
9e5623c1a12a43f3f4731415700760527b97449a
-
SHA256
328924f8134897fee4c360b1fb1d05728cc0613261e32cc6577424716ab089a1
-
SHA512
c258aa56f7f3291e3ce9c016ec7deef75d82cf6dcc85bb9683505cc3dafa5ec1815630d7f5e8a3e457f8475c85e200f1bec149d63371f918b3ab71db43437f61
-
SSDEEP
196608:YwyWzqX4fIvXxJyAzkC4BNcjl76MJhsHWlUdMFfmbt8JIMz:YwymfaX2AzJ4U1hJlUmK8JIY
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\8c28df00bc5be2e468008b9bb3cb3b10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8c28df00bc5be2e468008b9bb3cb3b10_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\users\admin\appdata\local\temp\8c28df00bc5be2e468008b9bb3cb3b10_neikianalytics.exec:\users\admin\appdata\local\temp\8c28df00bc5be2e468008b9bb3cb3b10_neikianalytics.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
-
C:\Windows\SysWOW64\at.exeat 05:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.7MB
MD57472afd6a7ba4a5f988ff85970897ba2
SHA11539c2385562e6edfa769eb9ae69b3e9fff54db3
SHA256f806b24d72f1c443d3015547fa4683cf29f66c8eb4438c75e91956cdc643d35a
SHA51299d072660d2ea7a0b86bdb8a2a6476d0261b4fdb63ce05d853666699ca1317c8b83b0fb3033b06acbe467efb6eaabe519d99555f2c1b15afe43176c7a0e2bafe
-
Filesize
288KB
MD5dea75e6a41fe896e26166b93b0b70fd6
SHA1b363c49de5ec37ce55c33eb1d8616ed0ca8979c1
SHA2560730bcd201301a3fc866d5db2b931dfb83c16edb4bc6849faf1417ca8bcb28b3
SHA51279c82ce33bcf8d70cf28ac373759ecb830169f967e991bcc65813f278be70db226954873ec075fa9b7a30b9049f1c7b2e3ab28a256ed0ac1dfc06bf14b556a12
-
Filesize
287KB
MD52d84ed60b60e216974cd5a1ff7e6d5c8
SHA1ce1198ba9ffbc5561d055c6308cb01b958aec798
SHA2563ab70e66570e2207cebfbe6db9c2c992bd9d2a2269ee95fcbe3082ebf2134579
SHA5123f52bd8f1b0183823449be6b83840f214caf141072453deeccc859cace47f619fe48107b1da31384deafe801e2c5a6d4bc294cadfc51b3a185dd0ea8b5a84c5e
-
Filesize
257B
MD51cadbb17b0e34be08e168e9350c6108b
SHA18306a06f7efea32710cec3699bcaef5d7ebc663e
SHA2562ff5d54d478b86dd40a9a9c131f041571f978699239f729762a7895629e8529d
SHA512313bfc488cd5a93cf801d22490c4eed300c18ebaa1c104a09766f95ede13ed0ea666fee138dc7555cfcfb035a77c7dcde0b17b11574cac4d988ee88a899bb541
-
Filesize
100KB
MD5b5c31002b1f8d3d2a01d2fa30dac8519
SHA1464e3848715af11ae74cea2877b93fcb3ca8bc27
SHA256471401c966f9216252375ab9e387076108e921609d360c8c325651b127403af0
SHA5125dcf5a2c561a3bcd71bb968365a5813dc46448ac861a4ef976be126c6096099b23d36784e7038b77ef6c6d4d3d5f1f299045882bac063413d31b6f04b8dcfd26
-
Filesize
288KB
MD56d815f50e5aae16f8460384e84757cdb
SHA1764b30f023f8fa6f370afb3ea10c21f3d815d1aa
SHA256fc6b3c30c35b4a9c8d76ab1b01470b68b7de6a17b5f6a148f77c3cca7e2d1cba
SHA512cab0aa26f85f55db00c6c780297cbe842699545ad2fddb7c05ce9b7aa946fde886979905d208ab640ac6ec3a0b98ebd03a4f986c6d0ac46cc813b42db5d8ef15
-
Filesize
287KB
MD5f07782e1cbf4965fdc357b94645107c1
SHA1d2441d84a0abd88233772143cdd126de08b23f7b
SHA256ac7187537270926cd56c8e0a88d0873c4ecd2c27e405efd5401c04190674c25a
SHA512744f0f51629fef5cf9bc72cfa42c67b7fc19c951a0c2ce29d210e271b096fef5542e8f2b76f9113a0330039e923058eb9aab5c89efd7c37840c63d59ef708d5a
-
Filesize
287KB
MD5049cfd52d3845e37c284c8657b5d2da3
SHA1bf91ea0193753abf1025b503ecf8d9b873fb5adc
SHA256a7991011574552c78f1a0f4286714aebbc309fdf99ff36bb17d20c7057c0b755
SHA512a90896d07406964111062180ff95b36487a63d4cbad9f4c70edee32ef1d4f6977f5fabdf25ef27ecb7eb9ffe6c92561570c57fd7f9500304682b3e43dc401b5b
-
Filesize
260KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
392KB
-
Filesize
8KB
-
Filesize
1.3MB
-
Filesize
392KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB