Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
28-05-2024 04:58
General
-
Target
338e1dfc2b07ff5f5c0c130cd2bfb670_NeikiAnalytics.dll
-
Size
120KB
-
MD5
338e1dfc2b07ff5f5c0c130cd2bfb670
-
SHA1
4c3dfec49b6e626a88621d1d8a6e56fb7e1d7f76
-
SHA256
b77c535a4a6c5b9799e0d9b0e123a990acd45be1d59ded0d62550aead8cdd853
-
SHA512
3c2c8165398ef237edae7bc4990b06f78cad39092b8a720dde5d0a30f6c145fd531622390903764474826753e4c2153772c6f10c469b0df49a25c837130c937f
-
SSDEEP
1536:0q/yJ2X7NBe7vj0gFDMYhxmPHur6QDUyS/Gis0mYJ8cU7g:0q/yj7ARYhY+705JA
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\338e1dfc2b07ff5f5c0c130cd2bfb670_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\338e1dfc2b07ff5f5c0c130cd2bfb670_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7613bf.exeC:\Users\Admin\AppData\Local\Temp\f7613bf.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761536.exeC:\Users\Admin\AppData\Local\Temp\f761536.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7631e9.exeC:\Users\Admin\AppData\Local\Temp\f7631e9.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD54f9aa1f4829f53f1e7aa81e6f02a9226
SHA143d7c8d31440191c842ae63605797cfbbb243805
SHA25660deaf6d479b9a3b9bce4890be40ed6f445989c4d2e34d674849d12ca5e8c7fd
SHA512d144dff6a407a95e22601750e549301d8f20187982033ac58329fcc20f920ddb2325367083fb772524a5d56149b062c4fa4b979d522b94e157246029f7ea3c7d
-
\Users\Admin\AppData\Local\Temp\f7613bf.exeFilesize
97KB
MD5bfd51dcc85ad07c0a47a8b96e38b9166
SHA13f25b865734b34b0fa27976af98cee316399c033
SHA256d0793f9f5a9ff0b4d85f4a62eabaa59a0f8fd492e29901a77181576341832103
SHA512bdce50650204c6751374fa8aac9e250014709b6cf8708ca06e43ce429a90a1a8bf740b82608fbf4cf383ecef3c2fbbec511f3469b18f150ff653d359002ccf94
-
memory/1072-29-0x00000000002A0000-0x00000000002A2000-memory.dmpFilesize
8KB
-
memory/2164-185-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2164-101-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2164-98-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2164-99-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2164-80-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2312-63-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-19-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2312-144-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2312-143-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-16-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-20-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-22-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-18-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-23-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-50-0x0000000000490000-0x0000000000492000-memory.dmpFilesize
8KB
-
memory/2312-49-0x0000000000490000-0x0000000000492000-memory.dmpFilesize
8KB
-
memory/2312-48-0x0000000001760000-0x0000000001761000-memory.dmpFilesize
4KB
-
memory/2312-21-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-112-0x0000000000490000-0x0000000000492000-memory.dmpFilesize
8KB
-
memory/2312-107-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-106-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-62-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-104-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-103-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-64-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-66-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-65-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-14-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-15-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-17-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-81-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-82-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2312-83-0x00000000005A0000-0x000000000165A000-memory.dmpFilesize
16.7MB
-
memory/2516-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2516-180-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2516-94-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2516-93-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2516-100-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2516-181-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/2516-153-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/3028-59-0x0000000000220000-0x0000000000232000-memory.dmpFilesize
72KB
-
memory/3028-76-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/3028-60-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/3028-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3028-37-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/3028-38-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/3028-57-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/3028-10-0x0000000000190000-0x00000000001A2000-memory.dmpFilesize
72KB
-
memory/3028-9-0x0000000000190000-0x00000000001A2000-memory.dmpFilesize
72KB
-
memory/3028-78-0x0000000000190000-0x0000000000192000-memory.dmpFilesize
8KB
-
memory/3028-40-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB