Analysis
-
max time kernel
23s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
29-05-2024 21:14
General
-
Target
ad124f0b9c39bcf3186b883c638f9070_NeikiAnalytics.exe
-
Size
287KB
-
MD5
ad124f0b9c39bcf3186b883c638f9070
-
SHA1
1fa73d7be2d9054927ee76aec214cc776ddeec81
-
SHA256
ae225a3191bb49dfe617670c06ad9e18a9f0c2cbc60749ac920318593c87dc9c
-
SHA512
ac381d6ac0614aea86fd1e534542373816fd76b59e6323736e1cf9f4346958d5e3fd35443bb0f3fda0a88c20d78c806af8dbe5ae813875773fc51d1ee498dc53
-
SSDEEP
6144:IvED2U+T6i5LirrllHy4HUcMQY6XzPqyemGYD181i:CEDN+T5xYrllrU7QY6rqDYD2i
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ad124f0b9c39bcf3186b883c638f9070_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ad124f0b9c39bcf3186b883c638f9070_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 21:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
287KB
MD558c2dcc868c4501a7ac8eaed8f00dced
SHA161ced94cdb10c2df1d7f81161fe34d9d7eb1a88e
SHA256601a963840bc9d8a5d442903c66451ba62f705e61556c66d7082d14e942de40d
SHA5126302242cf68ad0b792bafd89c31d359bd9c5fc3f3d1525eba72087071eb64b2d58ca947b016feb38c99d81b8800953966dc1967f9396f52e37896cc452b335fa
-
Filesize
257B
MD5cf4cf8f4823ded30fdda39966ad79784
SHA174d1284dca579084695543d3aca02e58b78f3f2d
SHA256c9ddd74322da89bf9722612b6c07ee71dd8d459270cae581784fc48faa021591
SHA51261eea24fe52ab1aabecb2911f0d0a8422bf6bd6323f4e15c4e48b5c62a55119d5cbda37a65ca4c38fec647a5640af40725c4870555463d2348b273f67cbb5a8d
-
Filesize
287KB
MD5966aefddf6441d27a50413d2aef378f0
SHA1258f1ee4d7706d93cea6713560aee1c74de4b854
SHA25607520cf34b78cc8a9acd54cc31e3d79cadbeff5f26f63b2644de82f38f4f7dcb
SHA512eac997feaf2dcd4e326d3fc7ebfa679e393e87fb287c631d0853797d2532b6d24e01d22efe6e3c85f7a599fb438ade2f65cbc20b689b9ff0a780c1a6cf37f575
-
Filesize
287KB
MD5e5f205211067e532e64a453309348a77
SHA10c6b60345695cfd246551a8571c6cf5a2a9d017c
SHA256f20f30dab0ccc556e94c2f4f6ca5c36c4c234ea8656067a8bd2ba77da29c6714
SHA512f03299ace2ff446a50c27bf72ecd018bb686699c72800457bbf9446b853c60bfa2740ccce81596fbdd5e3872befd0078a2db837e9eaf28efe929518652e60298
-
Filesize
287KB
MD5c6d8185416f49bd5d849384f9dc80edd
SHA18ddf6fdaebafea8c9e730b3c0b2d5d6b4a67611d
SHA2568195d134156696e0cbd657998a47d2e9e172160dfd889a2ca994dd75a269e175
SHA512b5f060d9d8029dc33f27f6ea5958d3a246434d89faa6a3511972e0af8921ba9ea5f488d8f6f29d02e76a7622074044e2659f049ec13d92b7f05cee91493f793b
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
4KB