Analysis
-
max time kernel
20s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
29-05-2024 21:14
General
-
Target
ad124f0b9c39bcf3186b883c638f9070_NeikiAnalytics.exe
-
Size
287KB
-
MD5
ad124f0b9c39bcf3186b883c638f9070
-
SHA1
1fa73d7be2d9054927ee76aec214cc776ddeec81
-
SHA256
ae225a3191bb49dfe617670c06ad9e18a9f0c2cbc60749ac920318593c87dc9c
-
SHA512
ac381d6ac0614aea86fd1e534542373816fd76b59e6323736e1cf9f4346958d5e3fd35443bb0f3fda0a88c20d78c806af8dbe5ae813875773fc51d1ee498dc53
-
SSDEEP
6144:IvED2U+T6i5LirrllHy4HUcMQY6XzPqyemGYD181i:CEDN+T5xYrllrU7QY6rqDYD2i
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ad124f0b9c39bcf3186b883c638f9070_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ad124f0b9c39bcf3186b883c638f9070_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 21:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 21:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 21:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
287KB
MD5f6a506cdfa0f36d6d9b9e9d46f821484
SHA1d7e21d72bac6e12e58b2e04c1de25b08ae57a839
SHA256be016cdae448dc8dacccf9d37f5f92c4bed463847f0f1b7d40eaebeac1b47450
SHA51234e03247ce5fb1d7b51ac4ecd6df26e46b705e48d466aab4c6ac90a6631b276d4461f36af7a928f56937a37499262ffba3be3b975ecb53006253336e27a6e34b
-
C:\Windows\SYSTEM.INIFilesize
257B
MD559ad09b2deb22ae8c17eaf51ec7760a4
SHA155fac866ef6cb1d29d8cff2779ed430908d72ea7
SHA256a0b4308974c18e82f08c6f1664c3d931df2a99a59dd4d37953c899e03fef506d
SHA5125c0bde0abfa6d382e8655ea0ba6467e5e9e886d7973a35acfa177297f89f4d25216fb075c8a33b759452ffb46a019c8d940c1ae57ddb93649b54a72cd4f57a9a
-
C:\Windows\System\spoolsv.exeFilesize
287KB
MD5f637076045877d3d713dd4f75cbb791b
SHA11509461fca966d4d1f7e736d6c6595e2fe844574
SHA256b51eecbd71f9e7445cc9abbf9064feaa8ce8616cb58b6c93a8da5ab157994a4e
SHA512d657d880430d0fd2c371565a2a306a88a2a6a239c9233c67e9763648f5f1aa54d1db5c60c598fe2e415a4b7ca4239aa9c45811722bd710229ddf6cd2daa5e633
-
C:\hdjy.pifFilesize
100KB
MD580d2f5c7c23a22f5efc2299e9c69f317
SHA1ce9fbf031776a1ee6dff544a2bf1f0bb00cf0dc2
SHA256eb3dff00ead3f690eeb0152cca9ee6673b0c3b60c46a4a1820b2e0c21ad4f864
SHA512af6e43fd69f2049095dc8ffdb2308b4fd5c8f577532a956e7c12933d9f46d24a281c075f34cd0623045359a71d5112d402d6134966bc05ef6992253ec4b3a3b7
-
\??\c:\windows\system\explorer.exeFilesize
287KB
MD57a9e752e3cadd18ffd8099b7d35063be
SHA18094b4f59fab8534b019b036de8ea3655f39ed17
SHA256ca642693a3db23d0761397681a82e4ff69d697149e4429437531bf794c1f21d9
SHA512773cffeed2365515ecbc2c0c5555d5344495aeb770646aa6445cd36d96c0c262bad047594878c24b7788cba1197fac8815cab71cbe662c6529ab9f9b847b1d27
-
\??\c:\windows\system\svchost.exeFilesize
287KB
MD5a1d5a0e2d11b6c9c34cb373870595aa5
SHA16a02ae83e0b0757c008ed90be2a70225d0708624
SHA2564d64f897e1c0876d238745f5d554b1c133512663eea3b819377abe795d12a2cf
SHA512520bd1b49c3a15317daf3e467483fbe25e74e496f5666934afabd52f82d2a9c3046afb6cc126813102d624a0fb97b59adb7ef86d062e05b3fb138e67c7dc854a
-
memory/2316-79-0x0000000002ED0000-0x0000000002ED2000-memory.dmpFilesize
8KB
-
memory/2316-76-0x0000000004030000-0x0000000004031000-memory.dmpFilesize
4KB
-
memory/2316-41-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2604-87-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-91-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-106-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-105-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-102-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-101-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-98-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-96-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-21-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/2604-94-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-92-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-90-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-89-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-86-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-85-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-83-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-84-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-74-0x0000000002B80000-0x0000000002B81000-memory.dmpFilesize
4KB
-
memory/2604-69-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-72-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-78-0x0000000000640000-0x0000000000642000-memory.dmpFilesize
8KB
-
memory/2604-82-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-80-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-81-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-77-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-67-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-71-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2604-70-0x0000000003530000-0x00000000045BE000-memory.dmpFilesize
16.6MB
-
memory/2836-150-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3448-53-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3780-65-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-14-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-3-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-0-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3780-1-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-9-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-66-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3780-11-0x0000000002080000-0x0000000002082000-memory.dmpFilesize
8KB
-
memory/3780-5-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-4-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-15-0x0000000002080000-0x0000000002082000-memory.dmpFilesize
8KB
-
memory/3780-25-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-28-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-30-0x0000000002A60000-0x0000000003AEE000-memory.dmpFilesize
16.6MB
-
memory/3780-8-0x0000000002090000-0x0000000002091000-memory.dmpFilesize
4KB
-
memory/3780-7-0x0000000002080000-0x0000000002082000-memory.dmpFilesize
8KB
-
memory/5084-46-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/5084-52-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/5148-159-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB