Analysis
-
max time kernel
20s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
29-05-2024 09:56
General
-
Target
502245fea9ce9736de775c587cfc2eb0_NeikiAnalytics.exe
-
Size
292KB
-
MD5
502245fea9ce9736de775c587cfc2eb0
-
SHA1
bd5fceb952019c1ab15e90e2c0d6294eada8011f
-
SHA256
bac724d6a090749660d5ed5b5694f9d989ec1d32fb9988d1f0798b6b38b50afe
-
SHA512
0dd3afcb478f53ae24879418ab28b424e014b37ffc6f8e544fe62564189249e37f5514a98dff73c39f3100803a06a6cf54c3e8e36334990c9ac47ce7ec4f1245
-
SSDEEP
6144:0vEF2U+T6i5LirrllHy4HUcMQY6wdgykIduVr/GASXETt:mEFN+T5xYrllrU7QY6wLkIo6A9t
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\502245fea9ce9736de775c587cfc2eb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\502245fea9ce9736de775c587cfc2eb0_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 09:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
C:\Windows\SysWOW64\at.exeat 09:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
292KB
MD5e9e3dbac552469735656950f71aadf1d
SHA1c615b8c1fa3143ce7665b32a1a0a1e9a018e99a5
SHA256e16cc7a0a4d806e6895d514bddbca8d96b991c5e43478f9e9706a223868be013
SHA51256906f67a352b2b433864e9850f4344d39aad05ee2f5f11c41e8a4f88d52f6bfda5b2412afc41f9e165adb8a58a83e4ca83b63d50d8391f8e7dabefcc4d321d4
-
Filesize
256B
MD554ae09ca39be4dcc30ac17689b737618
SHA1ef2380e499d5e23b482c15aa2b5c45a79b549f32
SHA256be5dac8b813031446070e38691486608c05bd5f59348c8dd063db112e0656ea5
SHA5123896c1c1ed2208c89d9254b2e220b111bbee503fea500f90211926e32fc367bf927aa549c89deae0160b2d61ed18d20f76867276741243cb32fe7ea0c306870c
-
Filesize
292KB
MD541c569729003ce4049cce9d13e637941
SHA10d2f7cac23ba9c36444355e61bdd8b662c9e9aaf
SHA256f9c69351708a1190c0a68802856cca4a513871bf6f32084f0f05ea68e205c726
SHA512b21ef0e52548dcafd29fab14f76394dc9f2c6c43ed451e75e8b8e949c38383042aba3266090850077827209d9c0353f7de29c6a36c56289f1881616b9b2458fb
-
Filesize
100KB
MD506e206f72f680dd26610ddd3ae5e8b6c
SHA14149437de7a229bfd08d720c9a92a55e84fac19d
SHA2569ab52a119d5a67b558d6fd58fa99f7b4bb192a4996cb67c255e29d21195bed28
SHA512b252d0c25e0242ef254bf9228d5576a0bf2d0b2b22875f6fdde0a4fce50d4fb301bf8daf12211e4f177042a02556316111e9c1d426efb7e857cf25bcbe3d7d51
-
Filesize
292KB
MD5e97445c3d7c0f64a672e1eba4c0c11a7
SHA1f7cf7edf4571744da1aca28cfcbc80cb3591aa77
SHA256f0a4825efdf360f62dab0a9622ee2adf17ae85d4c95b86e84fa02da77715d3ff
SHA512b3a6edc3f858ff926fd284c9eababa0a9caeca5b6b71977dfa93d2cdcaca1ce3f4f880b053337862671d6277f6bee17f21c6169d664f72323493d3a15949b8ba
-
Filesize
292KB
MD55d89f65bfca1605165089a1af82552c4
SHA1fcb77e8b7e788f6efcdb5f77bdb2777921098b24
SHA256778c22d0a90b1b215f7dc95011e76c04bfbe81f1ffc22d6d57b4f52932739534
SHA512481ad573cff61989474bfff58692e43d166ab8a2275b782b127051f7f9c5e07a9f7e244ac022ccd38fee0482a083e2ec8ee86e42621e0deae439ed15c778a249
-
Filesize
264KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
264KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
264KB
-
Filesize
16.6MB
-
Filesize
264KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB