Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
31-05-2024 04:59
General
-
Target
782b787877d133be824e3a80d4e76210_NeikiAnalytics.dll
-
Size
120KB
-
MD5
782b787877d133be824e3a80d4e76210
-
SHA1
91a4dd637bbef48a5f2c5aca71b23d62bb05ba5e
-
SHA256
2468eae60a3b7a03999387df4eb18685f105fa94cc0a6007e0df8b0afc01f456
-
SHA512
c6430532839ba6f5c39150b77daa7158ceb61c278c44f7d414c729def82941add7c7f966cf686d297188d43334619384fd80ad4655ed3a0098d6fce4280f2a47
-
SSDEEP
3072:2xPsW7wgzGZxb15mxRFsqdgJKZ6D+EZYlP:RW7w+gp5mx3OKZyRcP
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\782b787877d133be824e3a80d4e76210_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\782b787877d133be824e3a80d4e76210_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760992.exeC:\Users\Admin\AppData\Local\Temp\f760992.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f760af9.exeC:\Users\Admin\AppData\Local\Temp\f760af9.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76254c.exeC:\Users\Admin\AppData\Local\Temp\f76254c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD57ee8a13d6b58fcbc2729bd3c7264371e
SHA16f4c53da702551e56e746dc07f622b7a6ac6dc96
SHA2566f10e805255b609d5b7b1ba1c94e93503aa502a56511f89a4a2b941bd1b383a9
SHA51222fc46386a6103dd88032defa35bf50e7cdc5c489aca414367bfb9e61b20c0bba7a7634c000fa9cb9d131e6ff15af7aa55ab335a5c53f93b686f77b01add23b3
-
Filesize
97KB
MD5fc5a54868f0a42e718bfcea570204cae
SHA1f45ffb614b19b58ba06e04c5176216134dda5234
SHA256152f0503de1c4d5cbf2812d9888bccf6cac0cfc14cce8676b35b261041cfdccd
SHA51237c25d3fd41cfcca8d32596d27258b1cb1096e5fdab82681feb5d95f94412f209bd7b8354656ac224c57e0b8766cda597917c95a89e60642f09b862159a4753a
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB