Analysis
-
max time kernel
146s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-05-2024 22:44
General
-
Target
11c193469217ff54092e14cd0e641380_NeikiAnalytics.dll
-
Size
120KB
-
MD5
11c193469217ff54092e14cd0e641380
-
SHA1
bbcac625a0e9bebeedb0e83d3852edd8440a65b7
-
SHA256
069a33c68bba0aa179acc93e0346f3ca9d7e51d3920114c5d078c4bc98d2fc5d
-
SHA512
8ef991993fe471b08af273b8a73ef72785e3165fc797b0df6addf9019a040bee07cea6889de69056a697655cabd7178a58d08fba19fd2e7d31d023f0201c0cfb
-
SSDEEP
1536:oIuIZwvehOu9gY9vHCLpbZH4kEVhvBH0UZCzF5Y75lGrB52pXQp4K+5WGFCj:oIjwvej9N9PqivvpEZ5Y73Grayp4KJX
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\11c193469217ff54092e14cd0e641380_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\11c193469217ff54092e14cd0e641380_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57e762.exeC:\Users\Admin\AppData\Local\Temp\e57e762.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57e89b.exeC:\Users\Admin\AppData\Local\Temp\e57e89b.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e581279.exeC:\Users\Admin\AppData\Local\Temp\e581279.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffcb30dceb8,0x7ffcb30dcec4,0x7ffcb30dced02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2464,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3596,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3972 /prefetch:82⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57e762.exeFilesize
97KB
MD5bcb54cdd5fa96d544332a1cf357ef693
SHA1938a7fbfdc7374216e05218a2bddc58157572126
SHA256c112478ee7800f95c274eb4d010b8262dbf62524e2a7b8615f32df1620071a06
SHA512e6d6073ce387173d18e7f22739a665b0d9f0353f689d17341197cd03eb48a55b84b1ce186447a6bf7aefab786472c8253801adfbd9059ee9938ddf2c5de0a62b
-
C:\Windows\SYSTEM.INIFilesize
257B
MD598f55f25e97e7bd9698f193c6ea508ba
SHA1540a9f32f5ee70bedb4328d5830c0d0044f8272a
SHA25604093b06645ed29ebdaed3967c7cf66adf1b2e4216ee1e05ba09f92017a37875
SHA51270075a0f8801af3ed1c5867271d11d25937f8a138329fe0d145f0debdfd3ee8a4e90293bb7ba0afe66c0cc68b79b3fbf049f6656cce7ccc5b8a48c60140d9752
-
memory/2276-49-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2276-86-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2276-89-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2276-44-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/2276-48-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2348-45-0x0000000003D60000-0x0000000003D62000-memory.dmpFilesize
8KB
-
memory/2348-11-0x0000000003D60000-0x0000000003D62000-memory.dmpFilesize
8KB
-
memory/2348-23-0x0000000003D60000-0x0000000003D62000-memory.dmpFilesize
8KB
-
memory/2348-15-0x0000000003D60000-0x0000000003D62000-memory.dmpFilesize
8KB
-
memory/2348-12-0x0000000003D70000-0x0000000003D71000-memory.dmpFilesize
4KB
-
memory/2348-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2888-38-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-54-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-31-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-18-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-14-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/2888-33-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-36-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-34-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-35-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-32-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-37-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-19-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-39-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-10-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-22-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2888-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2888-20-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2888-9-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-53-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-26-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-55-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-56-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-58-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-60-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-63-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-64-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-69-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-78-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2888-85-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2888-8-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/2888-6-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4184-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4184-90-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/4184-101-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB
-
memory/4184-111-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/4184-110-0x0000000001B70000-0x0000000001B72000-memory.dmpFilesize
8KB
-
memory/4184-144-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4184-145-0x00000000007D0000-0x000000000188A000-memory.dmpFilesize
16.7MB