Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-05-2024 06:30
General
-
Target
7d21e32835df8445925316f22442a7f0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
7d21e32835df8445925316f22442a7f0
-
SHA1
a563138606071e50b221c4418b45ad2d7ca69a34
-
SHA256
b504a76ed5fd5588510626f7d4f18224a1b748d0c182be88fe210c9117fafec0
-
SHA512
715166c871e1e64805f24bb495a17ce1a13fe1077dd72f543821d2e52deb07e5b871ca237deb9ca64cb4535db96763d98ecca92347fe003801764eaae832993e
-
SSDEEP
1536:wEYp1ejKxOzedDfIbtny716uuCx56uE43n/xWLLXQV+L4Ktez61WzA90hAIdSJAg:aKmxeUDfI5SLb5AXVL4R+b6dyQ
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7d21e32835df8445925316f22442a7f0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7d21e32835df8445925316f22442a7f0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e575748.exeC:\Users\Admin\AppData\Local\Temp\e575748.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575861.exeC:\Users\Admin\AppData\Local\Temp\e575861.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e577e67.exeC:\Users\Admin\AppData\Local\Temp\e577e67.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e575748.exeFilesize
97KB
MD56677770d194e4bd0383435809eaf045c
SHA17cdd1b7bb2e925a2c42b1e7de02a4958be0e1669
SHA25601075ffa25b37a279c6fb8a655d1ad3d17c9f358e2823c84603bfed88824c020
SHA512afaf620c935060269a944d363b8fc7bd0454b635cf9d8d806902e728eba7aa0c34cfe8fba616f942fff3791d2cc606731cb789027e6ff6aa957f7b7c000ab6ad
-
C:\Windows\SYSTEM.INIFilesize
257B
MD522b0a2fd1d08aba345e9da54b53d7e00
SHA1bf091f37785b3b307dfdc9f15ecd68fc4a086a93
SHA25672b578bcddf98a7e86d273bb1ee4a62848ce7c9e111cef974e6bb6efad55a976
SHA512fc73496f3a2385a8ff0a484ef3accdb35740de7ebf4d78f60a495ef37ac297779e1431c9a80530c5e18b54372f437de38fdcf986fcccb2b79eb2e390ad749400
-
memory/1936-43-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-68-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1936-11-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-91-0x0000000003BE0000-0x0000000003BE2000-memory.dmpFilesize
8KB
-
memory/1936-20-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-30-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-33-0x0000000003BE0000-0x0000000003BE2000-memory.dmpFilesize
8KB
-
memory/1936-35-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-100-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1936-81-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-21-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-9-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-24-0x0000000003BE0000-0x0000000003BE2000-memory.dmpFilesize
8KB
-
memory/1936-10-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-80-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-15-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/1936-73-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-36-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-37-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-38-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-39-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-40-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-41-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-19-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-72-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-70-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-8-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-65-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-64-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-63-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-62-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/1936-60-0x0000000000730000-0x00000000017EA000-memory.dmpFilesize
16.7MB
-
memory/3748-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3748-55-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3748-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3748-153-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3748-152-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/3748-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3748-116-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/3996-22-0x0000000004100000-0x0000000004101000-memory.dmpFilesize
4KB
-
memory/3996-12-0x00000000040F0000-0x00000000040F2000-memory.dmpFilesize
8KB
-
memory/3996-16-0x00000000040F0000-0x00000000040F2000-memory.dmpFilesize
8KB
-
memory/3996-23-0x00000000040F0000-0x00000000040F2000-memory.dmpFilesize
8KB
-
memory/3996-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4400-53-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4400-104-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4400-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4400-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4400-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB