Analysis
-
max time kernel
38s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-05-2024 01:34
General
-
Target
4a11f152922f2e209f5ca06ef741ef60_NeikiAnalytics.exe
-
Size
1.4MB
-
MD5
4a11f152922f2e209f5ca06ef741ef60
-
SHA1
216a2ffbd516a5604718497a185343981f3c4a01
-
SHA256
d64afa2c4338bfd2c4215193bde86d13e8736d1a77f2193e565e8f1876dfa9fe
-
SHA512
7dc13d3e601ac75ef9d58e01c910c1a5c0e30892e3fbb4049a9d6b34ce62e19afbfa45d0ac628a277d56c8c8690a3198630703ad1037c4b5568f75aa1affe175
-
SSDEEP
24576:k5xolYQY6EOb7YU0uestsWNthL8qUym53WJN5y3Mk1XXRw6+sBkZGsiH6W:nYW0ueBWjBy53WJN5y3Mi+6l9F
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4a11f152922f2e209f5ca06ef741ef60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4a11f152922f2e209f5ca06ef741ef60_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\users\admin\appdata\local\temp\4a11f152922f2e209f5ca06ef741ef60_neikianalytics.exec:\users\admin\appdata\local\temp\4a11f152922f2e209f5ca06ef741ef60_neikianalytics.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System policy modification
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 01:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
287KB
MD54da835ed86a177928d6b289460782971
SHA1e15216b8987c45bb79cfaaa320e2beba6b00fa5f
SHA2560f8b3c197b1526d4cf5dd77ac63749b4543e07b03d0b2decc66c9fb7128ccbaf
SHA512c53ea9711409ae617fcb9dbf7a7543621128c4944771cdedb6d1b5604244f05adfd56ed29ba9f75ef6ad732cc8e33909242b726c184c70f5fd2ffab0f8f75543
-
Filesize
288KB
MD56b5c20af1557d271751f2654f200d74b
SHA1fa5ed5bd483a9d52aef56cc07b14b18339971d69
SHA256cc2d9e98e7781669e297d9e1b7cf55ecc6211c18c3158bfbdf497f758b18340f
SHA512936e7a359506a30c7f717ba45d31cae2496ff4c3e5205a6acb864dd4c3c7b4184bdb135130e71dd949399bb6cb1a8587a544ff6119be4a507e583ad78f045836
-
Filesize
256B
MD55290394fa06b034842ec6376a90adfd4
SHA11d7e3d666aa48a13b236ec38fe67cca77d2c814e
SHA256cab5e5838b4a90a67520cbecb6cf1c57a77561fb03362013ceb0ccb6be815d8c
SHA512e43d7842e6fdbe2211d7c42dd20d355429e355b62ddc60583e3ad59e59a036e225f556388e7c591c31c9c2235618c5646392ac21a315c31054c7a5ef8e3aefd1
-
Filesize
288KB
MD5bb61cdd096f040900b6e4ccc5d93d2e6
SHA14eeeb4d608283a92a9405395dc72af26ea59ee41
SHA256757cd35d15759e62c511b3c372860f036c6106fc41fee471bb118316ed883efc
SHA512d29b2e1c4f700a3ba4323b52051e9811b446dcf40b31e26db87e65f5cada70be6ace997e94712f0c170de1ced64bc7288ad35ff615b05ffa2f7f73f2bc613f06
-
Filesize
100KB
MD5822c0fca78ba5a7a794f559c8017d84e
SHA1c110c51445965fa00994d5a7dc0d250235117941
SHA256f3caa9474af474db0d057723e184f2ceeeb78b1bcb10af6ae5faa0aae56c39c0
SHA512849e1f530b2705a60eba9e7f453bb4594db499dfe08c14d318626bcd10ba7f903be164cabb4d4ac835f9c6c2cf836f5c568b64be08b2c85f6d6af03d2d1506d9
-
Filesize
1.1MB
MD5503004f1cf5c6785346e975a4e583cb7
SHA1074adca5b5260d05f31d948ed9c001bca0b64218
SHA25652d50091fb9fdd697130aa261009e7cba56e3f0bae4771d791f3cf9e97cb3e22
SHA51263bf68577e4c4cd6c5e688e66ec14a08a1e95c25e5a2c2ace35a6792b171b43025d59ca933c4ff12266b254995eca16c79a58043ceefdd747dc5004767104644
-
Filesize
287KB
MD51d026797b77ff9dd7128889978451de6
SHA1540fdb46c28e0b67bdfa2a65eb07dd9432ca8350
SHA2560bf7350d88cb28fd8feb93d78a337e53fc6eab3a7a9a7af8b3d82a7cb5705d6f
SHA512614d81cffc1a07c10d1813e45cacd44ccd7711ffcfab1ec37ec9cbff2a79bf8c2b9446cdd7368ca24fac3e62f05166ccaf352ec906e5cd97d535b63e5972dde0
-
Filesize
287KB
MD515bb68ea1051b57e1f29c0ddecb47283
SHA1ed933171f8af166a4bd0dcff11091507c7b3dc18
SHA256f68c9f3a315e8f12e35dbfaf8233063ab5a355428bafab16902e9c9039390ac5
SHA5120fca886b74f5f83b7e04ba2cb65b4a5587a2e541c9f16514ed387dc3045433018ba279614b3015039fe507702548f0d45ed35d6e8c357148947083c7c51d74aa
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
260KB