Analysis
-
max time kernel
19s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
26-05-2024 01:34
General
-
Target
4a11f152922f2e209f5ca06ef741ef60_NeikiAnalytics.exe
-
Size
1.4MB
-
MD5
4a11f152922f2e209f5ca06ef741ef60
-
SHA1
216a2ffbd516a5604718497a185343981f3c4a01
-
SHA256
d64afa2c4338bfd2c4215193bde86d13e8736d1a77f2193e565e8f1876dfa9fe
-
SHA512
7dc13d3e601ac75ef9d58e01c910c1a5c0e30892e3fbb4049a9d6b34ce62e19afbfa45d0ac628a277d56c8c8690a3198630703ad1037c4b5568f75aa1affe175
-
SSDEEP
24576:k5xolYQY6EOb7YU0uestsWNthL8qUym53WJN5y3Mk1XXRw6+sBkZGsiH6W:nYW0ueBWjBy53WJN5y3Mi+6l9F
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4a11f152922f2e209f5ca06ef741ef60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4a11f152922f2e209f5ca06ef741ef60_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\users\admin\appdata\local\temp\4a11f152922f2e209f5ca06ef741ef60_neikianalytics.exec:\users\admin\appdata\local\temp\4a11f152922f2e209f5ca06ef741ef60_neikianalytics.exe3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 01:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
287KB
MD506e234bb4b0f6993676461775dbf8b72
SHA11215c25e5cf88185f8ce56ef4fec277a23407061
SHA25665653644bde4b12405aca9843e21c167318972ebf7495301af3134a3ac7760a8
SHA51256fdd1533628e4c17d662e7d09198b4c384b5c437d506103fb91b120cee53144fd74c202f3d57890a5084b9b84a5687daf7aec9f28a336d3af0eb7ccc0b32b76
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5c2eb8055bfa69023957c18aa5e04429a
SHA1abc9ec8625fd86bca42d451bc68fdafee3fad20a
SHA256deb1b29cce534456dacbe6fd3b66228d6bc3bc35afcd3e4ae5b815b5608f13f2
SHA51298368aacc66d0aa607f00e20b29f1e4e8c176b2a2d3e32f1b3874cea3499d071072ad8ab77763f2bc4f2802170c7d129f92e1f0b69302e9f77722eb6801b291d
-
C:\Windows\system\spoolsv.exeFilesize
287KB
MD57b2270cbb8c0d7d9525b7569f3d207fa
SHA1ac9858de7422eff1c4b79846065f4786a8de3269
SHA256b98794add75b063249f6f123c50c11bb4736d44bbf40bcab649d3f6d37e82cea
SHA512187bcf4d95132a3ca4c90263496d14b37d9f0aa7ece0077bd9744905c1511703998c2d2edce145dadda43954dd44ef0145052dc5114dadb4ea2e7dfcde4ec90e
-
\??\c:\windows\system\svchost.exeFilesize
287KB
MD5e68191415510df11ea2fe9b5d4660b11
SHA12a70002d9c203c5ebf66b32d3549f8447a0e58d9
SHA256084794f933f8c79a29b9cf13cdbc36b5fb0f0f4707b7eab3a5d8c36e7a873738
SHA512becbc779643619d88c659191a9ad6c63d7b3519579a68bef772a8218b51497c3d7d6b49d52bf27bb745ab62f9664254a75f09219a3933da34a78bd15b286102e
-
\Users\Admin\AppData\Local\Temp\4a11f152922f2e209f5ca06ef741ef60_neikianalytics.exeFilesize
1.1MB
MD5503004f1cf5c6785346e975a4e583cb7
SHA1074adca5b5260d05f31d948ed9c001bca0b64218
SHA25652d50091fb9fdd697130aa261009e7cba56e3f0bae4771d791f3cf9e97cb3e22
SHA51263bf68577e4c4cd6c5e688e66ec14a08a1e95c25e5a2c2ace35a6792b171b43025d59ca933c4ff12266b254995eca16c79a58043ceefdd747dc5004767104644
-
\Users\Admin\AppData\Local\icsys.icn.exeFilesize
287KB
MD54da835ed86a177928d6b289460782971
SHA1e15216b8987c45bb79cfaaa320e2beba6b00fa5f
SHA2560f8b3c197b1526d4cf5dd77ac63749b4543e07b03d0b2decc66c9fb7128ccbaf
SHA512c53ea9711409ae617fcb9dbf7a7543621128c4944771cdedb6d1b5604244f05adfd56ed29ba9f75ef6ad732cc8e33909242b726c184c70f5fd2ffab0f8f75543
-
\Windows\system\explorer.exeFilesize
287KB
MD51e0529504c048c05144a6ae14ec3e208
SHA1f573e3d92867bc395259dfc761bd39c04b908a27
SHA2560835dcb147554b66f591e37dd8347878a019cea55014bc854cf77adbbb0bedaa
SHA51243bad7fa7f5142f696af025ef3a2d27e7b2b1c0f4c6fe7e4fb146b5a4775ba6de4cd8cc90f6ebc1391f230bded7959ed39a6503956d09f43d129c332e0fb22d4
-
memory/1116-17-0x0000000000410000-0x0000000000412000-memory.dmpFilesize
8KB
-
memory/1744-109-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2276-49-0x00000000054D0000-0x0000000005511000-memory.dmpFilesize
260KB
-
memory/2276-9-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-27-0x0000000003810000-0x0000000003811000-memory.dmpFilesize
4KB
-
memory/2276-8-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-26-0x0000000003700000-0x0000000003702000-memory.dmpFilesize
8KB
-
memory/2276-15-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-14-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-12-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-85-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-31-0x0000000003700000-0x0000000003702000-memory.dmpFilesize
8KB
-
memory/2276-30-0x0000000003700000-0x0000000003702000-memory.dmpFilesize
8KB
-
memory/2276-51-0x00000000054D0000-0x0000000005511000-memory.dmpFilesize
260KB
-
memory/2276-127-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2276-0-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2276-10-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-13-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-4-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-113-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-108-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-29-0x0000000003810000-0x0000000003811000-memory.dmpFilesize
4KB
-
memory/2276-89-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2276-11-0x0000000002590000-0x000000000361E000-memory.dmpFilesize
16.6MB
-
memory/2460-129-0x0000000003380000-0x000000000440E000-memory.dmpFilesize
16.6MB
-
memory/2460-134-0x0000000003380000-0x000000000440E000-memory.dmpFilesize
16.6MB
-
memory/2460-153-0x0000000002D40000-0x0000000002D41000-memory.dmpFilesize
4KB
-
memory/2460-133-0x0000000003380000-0x000000000440E000-memory.dmpFilesize
16.6MB
-
memory/2460-131-0x0000000003380000-0x000000000440E000-memory.dmpFilesize
16.6MB
-
memory/2460-67-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2496-66-0x0000000002720000-0x0000000002761000-memory.dmpFilesize
260KB
-
memory/2496-50-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2496-60-0x0000000002720000-0x0000000002761000-memory.dmpFilesize
260KB
-
memory/2496-126-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2592-41-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2592-39-0x0000000000400000-0x0000000000684000-memory.dmpFilesize
2.5MB
-
memory/2592-147-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/2840-107-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2968-112-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2968-81-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB