Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
25-05-2024 15:35
General
-
Target
64548fead889deb186a50063950eb570_NeikiAnalytics.dll
-
Size
120KB
-
MD5
64548fead889deb186a50063950eb570
-
SHA1
00014330a9752b0db9fc211304ab87db09ffae1a
-
SHA256
975896c1dd08536b4787c3034af071a66d191601e69ed0e4a8d0d6d552723866
-
SHA512
177e6897bd9f0b87c5cd141548122af3238661ef00008adc1756925a62f94f1f8280bcaad48da275b995626ecb7240f6c3ad5756e9f39218f1a9e809ce5b69e9
-
SSDEEP
1536:rBjWPXhjJi+zAQ/bQCBNkAiqj4FE2dxxYQOMwLnTWIqWebEwg:rBCvhjY+p/cCnkAt4tElxjTxe4b
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\64548fead889deb186a50063950eb570_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\64548fead889deb186a50063950eb570_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7616fa.exeC:\Users\Admin\AppData\Local\Temp\f7616fa.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f761880.exeC:\Users\Admin\AppData\Local\Temp\f761880.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7632a4.exeC:\Users\Admin\AppData\Local\Temp\f7632a4.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5cbd58c94f7eb06186557cda1a4f00a32
SHA1b526b6487ab6879cc670b6f488d5ed983af91005
SHA2565c7ed16bf83fccb642301163dcc2d3f4cd9d85a9ce44d1da0fc27b24ff9cbbfd
SHA5123ba71a0315313f88ee636027217693b109098235047cd185f9f901c56b4d2b555046c4dc12a7f2e7e2b8a03a64675538abb64abb40351df7a3115f8acc826dbb
-
Filesize
97KB
MD5f52f3e4082a954d6cf619293b7fe619c
SHA1045a64dc2d78c5da04d1b7cfec977cec4c3eb26b
SHA2567061d789350ed55a7032b0b9a82f25f299b5263b1bf4e975e7edced99c3b1703
SHA5127a3d7b92c08dfed70ed14608e4c25fb98d51594b28aa2d3c137eb101cbf9639aa64a67b8dc443002940b5a85b0f600c3737aced84a02c2a37f2db8a1159707f7
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB