Analysis
-
max time kernel
18s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
28-05-2024 20:22
General
-
Target
013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
-
Size
292KB
-
MD5
013fa06d9f9a9034dd6fdacf49802060
-
SHA1
c581bd0c0d661a2bf468598b31363dadd93066a3
-
SHA256
e9f2e9ba0c5c8958e550481e1f2f850204d7882f04bd7414c254775c26271877
-
SHA512
ae2fffc218c202052aff5bc7643fd92bd6dfac14c71169d05eefa82121d262ef854bf5aab5d7b87d21c58371f13bb0ac248ade75a67baada6767c08628c63ae1
-
SSDEEP
6144:FvEI2U+T6i5LirrllHy4HUcMQY6s5oG7vdzYbXe:lEIN+T5xYrllrU7QY6a9zYq
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 20:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
292KB
MD56607fd16c1bfa7db9b3884bf821fa8cf
SHA1ea764742fbff92afb3fc5f4eea6726f226309286
SHA2567831084af2dcf2e61697d048fb8855b9bba83002fb35b0dec3fd4af3337feb9c
SHA512ee610c0e2b3c336b96db204b36a37f1f11b86f5077dd7d9fcf84a4f7501a8c0f0de8b4a88b6719b4e59d3c46fb96a71238825b2a92456a2b58a4086c663e4165
-
Filesize
257B
MD593a7f050dba411230298e53cebb311da
SHA1f37c4707e0e0adbf9659c9754a821f41ef978490
SHA2566c0bbb3d33e7b0809c9f333ac685e5e850db8e68bc659976bb1fc4c2d86fe382
SHA512e9def3225ac82aa295a83c69113c38219d560b95f3c8a11b8fb4437c8d952c96de1b471afdb85e065295981ce5defa930f46b2334bf7a39b59fc7e42d1584199
-
Filesize
292KB
MD50c4790b6385ed29029d5dc5ba85c3923
SHA119d85311da8d62776f571f91727f8cea6234496e
SHA2567cc4ab49403f1a9f72de8bdb289011b0496ab1ab938059fd233b4f3e0d9688dd
SHA5124c77e8bc0a5746791d14ebc344a46bba0453071e6827cb79b9ac0159956178d027ce34aaf9582999d275be2d9383c13c264820e09af6c1fafaec9ded90668e5d
-
Filesize
292KB
MD5f049b233be4f13843e2f9eb49cb2ad40
SHA1177cfe9d76460636e983b3de5c281044e6ba3000
SHA256b9661fa565463db4c2a21e7f692408d5618e631e2af7a96df2092518219fcb65
SHA51251083d9dfa38e47ad19d6742fac755ab47c0d1c5c3e721df0d822d4a8fb7cd3cce35febd46f7834f65bc100d6c5c50d34df80dc06db51791b5e127aa75bfeb05
-
Filesize
292KB
MD5d605e3ca4ae3a67b2a112b6fbcb16234
SHA1aa76f777cf86f4999f4be6dd371b857da70ff9d7
SHA2560cdf7f57ae236c189665668a5e1f8ed0d47ce4e9ce533d08dc9bc066a3654bae
SHA512ba825f9ecbaf0dba9467eea4aa30cf5bf5c110109647f5b16ab6dbc68a6d645721fc5dea276266ea9082cff105d4b855e1898fdab6d0fd802596a88d0f1a82de
-
Filesize
8KB
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
264KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
264KB
-
Filesize
4KB