Analysis
-
max time kernel
148s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-05-2024 12:51
General
-
Target
371f616e17bf30be29808b8b56f26150_NeikiAnalytics.dll
-
Size
120KB
-
MD5
371f616e17bf30be29808b8b56f26150
-
SHA1
acbb011453716edeb8dcf6e0bb4cf79ec52bc407
-
SHA256
32a4a895e7f24e687bc66c57c8ccfef4804bcc94aaf7482c1baf1931a6f87e06
-
SHA512
feabb6ab2970a1aeec04777b356ed6a44cbda9098b49a07f61985ac713a0be619bf78157923566e6ceee84f61772a6c784978fd6256653123c84676398962690
-
SSDEEP
1536:lLziPdMO+kVyB6niDktIQM0a02tqjCBv2mL0nKHc2uf/SVMN51PARLmaLUAQMu6Z:pkSZkVyB6nWhoyvRO2u6qNU1maIAXuo
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\371f616e17bf30be29808b8b56f26150_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\371f616e17bf30be29808b8b56f26150_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57e4d2.exeC:\Users\Admin\AppData\Local\Temp\e57e4d2.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57e7b0.exeC:\Users\Admin\AppData\Local\Temp\e57e7b0.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e581364.exeC:\Users\Admin\AppData\Local\Temp\e581364.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ff94206ceb8,0x7ff94206cec4,0x7ff94206ced02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2272,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1944,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:82⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57e4d2.exeFilesize
97KB
MD5ed47593d070ba387495e2c4c25e7a97f
SHA159c359300426f0c1fab6629ecd901046c6ab58d5
SHA25671074ee3b31673237190b5d2b8bd1444f03210580f570492b190de149f418adf
SHA5129f09cd2ea95a7c95faf2fbcc97200b13d46e6d69413a5be12469abfee39873258aece41a0e8c5b3b515e1eb0ec8344f29da26fc8bdb0edddc1df02396344d457
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5f4706f649b3691b762a64a51e4adb719
SHA1c74c11d0fcc76e3e2563933992c904b82542d988
SHA2560db28a48725732abaec3a4fb72d3436b0fa3aaf471040466ea59686e0f2fddd3
SHA5125ffc0283b5a949881ff244f47b8ac4a75034f0575d06e5f326d52229289a219dcf47f003ab5bb8e32d9ae2d797207299e7839304fdfcdda9bb9179fed7f5485d
-
memory/1028-42-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1028-43-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1028-44-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1028-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1028-86-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3048-92-0x00000000008B0000-0x000000000196A000-memory.dmpFilesize
16.7MB
-
memory/3048-90-0x00000000008B0000-0x000000000196A000-memory.dmpFilesize
16.7MB
-
memory/3048-105-0x00000000008B0000-0x000000000196A000-memory.dmpFilesize
16.7MB
-
memory/3048-136-0x00000000008B0000-0x000000000196A000-memory.dmpFilesize
16.7MB
-
memory/3048-89-0x00000000008B0000-0x000000000196A000-memory.dmpFilesize
16.7MB
-
memory/3048-135-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3048-91-0x00000000008B0000-0x000000000196A000-memory.dmpFilesize
16.7MB
-
memory/3048-87-0x00000000008B0000-0x000000000196A000-memory.dmpFilesize
16.7MB
-
memory/3048-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3368-47-0x0000000000B80000-0x0000000000B82000-memory.dmpFilesize
8KB
-
memory/3368-21-0x0000000000B80000-0x0000000000B82000-memory.dmpFilesize
8KB
-
memory/3368-27-0x0000000000BA0000-0x0000000000BA1000-memory.dmpFilesize
4KB
-
memory/3368-26-0x0000000000B80000-0x0000000000B82000-memory.dmpFilesize
8KB
-
memory/3368-23-0x0000000000B80000-0x0000000000B82000-memory.dmpFilesize
8KB
-
memory/3368-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4256-38-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-60-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-36-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-40-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-39-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-20-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-19-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-31-0x0000000000730000-0x0000000000732000-memory.dmpFilesize
8KB
-
memory/4256-34-0x0000000000730000-0x0000000000732000-memory.dmpFilesize
8KB
-
memory/4256-54-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-55-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-56-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-57-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-37-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-61-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-64-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-69-0x0000000000730000-0x0000000000732000-memory.dmpFilesize
8KB
-
memory/4256-82-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4256-30-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-29-0x0000000001AC0000-0x0000000001AC1000-memory.dmpFilesize
4KB
-
memory/4256-10-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-17-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-18-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-11-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-8-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-9-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-6-0x0000000000840000-0x00000000018FA000-memory.dmpFilesize
16.7MB
-
memory/4256-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB