Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
26-05-2024 16:34
General
-
Target
13e8a5c7015d52086508387c81c1dc20_NeikiAnalytics.dll
-
Size
120KB
-
MD5
13e8a5c7015d52086508387c81c1dc20
-
SHA1
8f5324419d366a45d8b5b899e2fc9dc3113974b9
-
SHA256
70e62d18bbb1b21c83d238f7a793d6a5f191ea95a642d113a90faf14e075cbeb
-
SHA512
1fa85e69f3d7752f81bb1c1c649953c44475d51c06a898b79b82170554cee5a359b9dfa353654405dcfecbe118c5fad19e8339d4e1db6af0262e23e2f0cebb82
-
SSDEEP
1536:lMOaqZOZCWIl11FCKYC3Z8muIMeE6f3jZF8hY1yySx74SKAy8cTEHmN:lFZACWI58Kh3SmnMer338ryC46VXHm
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\13e8a5c7015d52086508387c81c1dc20_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\13e8a5c7015d52086508387c81c1dc20_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5737f8.exeC:\Users\Admin\AppData\Local\Temp\e5737f8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5739cd.exeC:\Users\Admin\AppData\Local\Temp\e5739cd.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5753ae.exeC:\Users\Admin\AppData\Local\Temp\e5753ae.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5737f8.exeFilesize
97KB
MD50febc7714f40e567f5b784e152701d47
SHA1b8bac3a49ab444ef75d7351bac08b209b8b93c3f
SHA2568a2e34f96b263840a0b8d5c480555a03bd3122a4d867a8c3a7dee488f67d7968
SHA512262c7695fbfa0bcc92ecc14f27d6eaff65eb54a83cfd37f8b129da411024aeeb660dab630673b30d969ec9166c136fdfef40da193f7fe01b99f28d9802db4da6
-
C:\Windows\SYSTEM.INIFilesize
257B
MD54ba97cd0a759b2b61b9bb6ebc9ead2c7
SHA1e4abe7d67131baea7e9cbdf2176b0412c7d03f48
SHA256c869881088254b3098e7054208bd2d11a365ecc36caf969afb69fdc057223ca5
SHA512f7f419de1f115c69f98b2d699b0b53401512552dfc6683588cfb9fa2dd98f92c69454e295145154048c15fe7f05d7378630c09b794be979d8f1a53fd037c77bb
-
memory/2808-75-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-76-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-11-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-15-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-10-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-6-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-26-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/2808-31-0x00000000005E0000-0x00000000005E2000-memory.dmpFilesize
8KB
-
memory/2808-54-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-22-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-33-0x00000000005E0000-0x00000000005E2000-memory.dmpFilesize
8KB
-
memory/2808-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2808-14-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-108-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2808-96-0x00000000005E0000-0x00000000005E2000-memory.dmpFilesize
8KB
-
memory/2808-13-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-21-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-89-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-12-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-38-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-37-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-39-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-52-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-41-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-43-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-88-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-40-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-82-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-67-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-56-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-81-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-80-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-79-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-8-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-72-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-70-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-66-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/2808-55-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3684-142-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/3684-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3684-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3684-59-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3684-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3684-36-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3684-120-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/3768-32-0x0000000004920000-0x0000000004922000-memory.dmpFilesize
8KB
-
memory/3768-30-0x0000000004920000-0x0000000004922000-memory.dmpFilesize
8KB
-
memory/3768-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3768-23-0x0000000004920000-0x0000000004922000-memory.dmpFilesize
8KB
-
memory/3768-27-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/3964-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3964-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3964-147-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3964-62-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3964-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB