Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
26-05-2024 09:56
General
-
Target
b9da3db6b37550752b7559868ae415b0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
b9da3db6b37550752b7559868ae415b0
-
SHA1
a11bfceb0596c9d51ceb07b8e1620a03825ea16f
-
SHA256
994f932b02627ec5ffe751c0e47dc0c22857d96189b73ad091e2f22e53126598
-
SHA512
bda74620b8693db5522093da591f88875c39f6bf0be587edeef0cec19fff7c956b3254d837d334ac752add4b08bd49abe40d5be4dc7157d3194d6757b2fb6b72
-
SSDEEP
1536:GzkcqNzjeKRfoPkhBFrg99V9yk/hPInBpyzr3KzlHr6k+8N1o79A3PR:GzkcqNzLRVhfg99j5PwcKzlL/+bA35
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b9da3db6b37550752b7559868ae415b0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b9da3db6b37550752b7559868ae415b0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57413f.exeC:\Users\Admin\AppData\Local\Temp\e57413f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57421a.exeC:\Users\Admin\AppData\Local\Temp\e57421a.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e575d14.exeC:\Users\Admin\AppData\Local\Temp\e575d14.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e575d33.exeC:\Users\Admin\AppData\Local\Temp\e575d33.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57413f.exeFilesize
97KB
MD5ff9bc198c8c7a84ec8800f8f709d61ad
SHA19939621228f7df3b161d898d530da93b61e1c011
SHA256ea4fcaeef8854f74c309ac13f35101dfaa37de2ff44c04d668c490bfc91224ba
SHA512ae68e5132ecb58a5b247c1ef923b13314843371038a8a8bfda9590b25435d63df0a9dfd361cc52d08846da024dd686c1acd19cd37a1e5b1b18be11bc8b5c2bc0
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5a9b035b04eb09b8764a1603805848c0c
SHA14738490ec6941c8f04ab6904d1e818962de72994
SHA2568d4c25c57cd277e0a7bbb5500adb3825fa5c69b992300140169b28c453ec2ae7
SHA51271abd08975f6cb332ce4c93bde06d95b0b62d4858b7721c47394d71e1047f177b349411a4d893a2fc7501cdd76b3ddf0fc9498badafa28ef0392c8d0a0d89efe
-
memory/1300-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1300-68-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1300-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1300-73-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1300-149-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/1300-56-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1392-122-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1392-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1392-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1392-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2684-66-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2684-69-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2684-72-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2684-126-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2684-50-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3356-57-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-27-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-8-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-35-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-37-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-36-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-38-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-39-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-40-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-42-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-43-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-6-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-18-0x0000000000600000-0x0000000000601000-memory.dmpFilesize
4KB
-
memory/3356-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3356-59-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-60-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-9-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-14-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-30-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3356-11-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-74-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-33-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3356-13-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-12-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-28-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-10-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-76-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-78-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-80-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-82-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-83-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-84-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-86-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-88-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-90-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-91-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-92-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-98-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-101-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3356-118-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4052-19-0x0000000000B20000-0x0000000000B22000-memory.dmpFilesize
8KB
-
memory/4052-32-0x0000000000B20000-0x0000000000B22000-memory.dmpFilesize
8KB
-
memory/4052-29-0x0000000000F20000-0x0000000000F21000-memory.dmpFilesize
4KB
-
memory/4052-15-0x0000000000B20000-0x0000000000B22000-memory.dmpFilesize
8KB
-
memory/4052-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB