Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
26-05-2024 12:51
General
-
Target
371f616e17bf30be29808b8b56f26150_NeikiAnalytics.dll
-
Size
120KB
-
MD5
371f616e17bf30be29808b8b56f26150
-
SHA1
acbb011453716edeb8dcf6e0bb4cf79ec52bc407
-
SHA256
32a4a895e7f24e687bc66c57c8ccfef4804bcc94aaf7482c1baf1931a6f87e06
-
SHA512
feabb6ab2970a1aeec04777b356ed6a44cbda9098b49a07f61985ac713a0be619bf78157923566e6ceee84f61772a6c784978fd6256653123c84676398962690
-
SSDEEP
1536:lLziPdMO+kVyB6niDktIQM0a02tqjCBv2mL0nKHc2uf/SVMN51PARLmaLUAQMu6Z:pkSZkVyB6nWhoyvRO2u6qNU1maIAXuo
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\371f616e17bf30be29808b8b56f26150_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\371f616e17bf30be29808b8b56f26150_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7607ae.exeC:\Users\Admin\AppData\Local\Temp\f7607ae.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7609e0.exeC:\Users\Admin\AppData\Local\Temp\f7609e0.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f76231a.exeC:\Users\Admin\AppData\Local\Temp\f76231a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5ad931aecbb59037b0110c0493c403653
SHA1dcceaa5918f8d9cbf573b51ddeeb7e0589061980
SHA256d8fdc80c88681c09d449a5a3efce881597596d91720d8ef3347648a6e4bd5a47
SHA512ebac19889d1ed48fec4f4f4dc67f4741091b1b7f42a3ef1336597f21f0fa4ceb56dc4c8f978e21871e3abff70c588c19278db62e7784fde02a4864be57b88834
-
\Users\Admin\AppData\Local\Temp\f7607ae.exeFilesize
97KB
MD5ed47593d070ba387495e2c4c25e7a97f
SHA159c359300426f0c1fab6629ecd901046c6ab58d5
SHA25671074ee3b31673237190b5d2b8bd1444f03210580f570492b190de149f418adf
SHA5129f09cd2ea95a7c95faf2fbcc97200b13d46e6d69413a5be12469abfee39873258aece41a0e8c5b3b515e1eb0ec8344f29da26fc8bdb0edddc1df02396344d457
-
memory/1260-27-0x0000000000190000-0x0000000000192000-memory.dmpFilesize
8KB
-
memory/1296-36-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1296-78-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1296-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1296-46-0x00000000005E0000-0x00000000005EE000-memory.dmpFilesize
56KB
-
memory/1296-37-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1296-39-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1296-57-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1296-58-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1296-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1296-59-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/2340-62-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-69-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-47-0x00000000017A0000-0x00000000017A1000-memory.dmpFilesize
4KB
-
memory/2340-20-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-17-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-19-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-52-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2340-49-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2340-15-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-16-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-14-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-18-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-21-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-13-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-63-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-64-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-65-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-66-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-68-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-11-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-149-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-82-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-84-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-86-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2340-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-123-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2340-105-0x00000000005E0000-0x000000000169A000-memory.dmpFilesize
16.7MB
-
memory/2484-96-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2484-95-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2484-103-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2484-153-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2484-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3016-101-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/3016-104-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3016-102-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3016-81-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3016-159-0x00000000009C0000-0x0000000001A7A000-memory.dmpFilesize
16.7MB
-
memory/3016-202-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3016-201-0x00000000009C0000-0x0000000001A7A000-memory.dmpFilesize
16.7MB