Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
25-05-2024 11:43
General
-
Target
ef4818117a0a1fcf4eb92c0487dd2140_NeikiAnalytics.dll
-
Size
200KB
-
MD5
ef4818117a0a1fcf4eb92c0487dd2140
-
SHA1
221cb972f1771ffb8da5a91f006feb170623bd46
-
SHA256
546e6609ae734a7d8ea67b440a67aaa37c6347a8e6b8ed17e250771adbc54b0c
-
SHA512
c72fce1eefaf73605406a882e1449936ea7e54f36626e8229537b700416c5dc491ed0bb4043e7d4799bb651b970353d8501ace76715c535d97455ccd8725ba1b
-
SSDEEP
6144:wMqWfdNANa/AjNggWEv9XCrrupJywxS9KLFf:vqWfdNA0/uNKmSmfx6KV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef4818117a0a1fcf4eb92c0487dd2140_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef4818117a0a1fcf4eb92c0487dd2140_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342KB
MD50426690b5ec2170e21c451ea2a3ca744
SHA157e1eca5043824bfea02338d56528db42332b0b8
SHA2564970926b6158242b5c61e06795837e212e17c4b83ebb315896fbc3294ab364d0
SHA5129ff9971a6e29d1bc4383a95f7bdf591951acf957a462612b015d0ca9213b6a5f579fd427674c79f2ca844eab75d9af62531d5482480824c7acd606bb21b684e2
-
Filesize
338KB
MD5f66a6fda6e4ad88d9fd317020c0b9218
SHA1226668f6e2b0e4fa512e97660cf5651d10339de7
SHA256452d362d170387c30b80476dd1fe33735d84570d40b60048c7ecfe86aa59d726
SHA51282fa5cd9754f3e53a16ce611b60e9d44af03f619d1cf75c2cb02172d32ca20afc782cb3feef4fdcb39cabbeb1972232ef81de2234a7cf51e9a3c0ead15b4c35e
-
Filesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
208KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
208KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
212KB
-
Filesize
8KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB