Analysis
-
max time kernel
146s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-05-2024 06:37
General
-
Target
36f591c547a20a185e65eeec19a081b0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
36f591c547a20a185e65eeec19a081b0
-
SHA1
4b5c1e931295e990314798b35c8a5bfd6e09e73c
-
SHA256
427f90368ac1359c7a111ece12d24123ced88dde1332453a46d268d308c8655e
-
SHA512
09f22831787f2552e4f71746ebfb9368163796714da8e83757dda31e43711e394f6397c3883a39191f7e5d51d5ce7f2568f49e3bef4c5bbbef2dfa6285062447
-
SSDEEP
1536:eaxR3NRSOhb3WN9hskfbCk3/XcQVR2f5CtdOq2lBB8zXCFjm5qB7Ah4:eyRLj69hN5kQyf8tdOq2/gmjmHh4
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\36f591c547a20a185e65eeec19a081b0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\36f591c547a20a185e65eeec19a081b0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573ad6.exeC:\Users\Admin\AppData\Local\Temp\e573ad6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e573bff.exeC:\Users\Admin\AppData\Local\Temp\e573bff.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5764a5.exeC:\Users\Admin\AppData\Local\Temp\e5764a5.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573ad6.exeFilesize
97KB
MD5aeaea93a42ca59c7cf9ff997284d1a37
SHA1b892a10e285c936b080be525dd42bdb7ddaabeeb
SHA256bb8723c7b8e11b1767a3b26526ddf1cefa9a750e135b7b48384e4030dd79d142
SHA5125102885cab9db639c7cf7794221e43470c828a4875383f9ede3fa97a6a5f4d73a9c9168c998ee1ed2370821658dff84cf92034770da092331589f541a81675fc
-
C:\Windows\SYSTEM.INIFilesize
257B
MD577008971919be9f0a9abb49ebe3d7652
SHA122ffa1433134decc910a735efe6692fbb7158eeb
SHA25699919a11c6adbd1bd20e10937dc56e2c022b965f7456f0c31062ffcf94c9a8ed
SHA512d5fb66333948ec4c009dddc2553b0217e6b94d579e18ee192988fe529259e75e52af3b174c8e463f4900bfe9985f2114026caeb7719ffd08aa1663f03a132421
-
memory/1404-44-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/1404-47-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1404-46-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1404-94-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1404-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1404-97-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1616-17-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/1616-31-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/1616-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1616-14-0x00000000044C0000-0x00000000044C1000-memory.dmpFilesize
4KB
-
memory/1616-50-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/1616-13-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/3040-109-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/3040-119-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/3040-118-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/3040-150-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/3040-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3040-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3208-25-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-59-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-37-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-38-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-39-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-40-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-6-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-27-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-16-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/3208-9-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-30-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3208-54-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-55-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-57-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-58-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-36-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-60-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-62-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-69-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-70-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-73-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-74-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-83-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3208-93-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3208-28-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3208-12-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-34-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-29-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-26-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-11-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-10-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB