Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
31-05-2024 18:38
General
-
Target
72452644ee36bfba9e27d92b40b7ace0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
72452644ee36bfba9e27d92b40b7ace0
-
SHA1
7c7b0afeaf1ba8990701cdc858c720d9355b255d
-
SHA256
94e35176a62a72c4c6e554adf3c4780566fe613273a8751c7fca089ffa03242f
-
SHA512
238c6e4a790674b00c8a9edd770d405a99323444c9866bba0a2ca6578c894da49ca8a5283546f93c1255ea38a8ce3068e7777b2168f1110fe2f447c5faf3dde5
-
SSDEEP
3072:bpy82/uCpQ+gfyeMLYyw7ds5MA+aYxYHLPoL:4/7pNIyBQ725MA+vxYrP
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\72452644ee36bfba9e27d92b40b7ace0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\72452644ee36bfba9e27d92b40b7ace0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573911.exeC:\Users\Admin\AppData\Local\Temp\e573911.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5739ec.exeC:\Users\Admin\AppData\Local\Temp\e5739ec.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5754f6.exeC:\Users\Admin\AppData\Local\Temp\e5754f6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573911.exeFilesize
97KB
MD5587c59bd682e94cbd98e80e8d5616d7c
SHA1de1fe9c90e8942d681a534bca3e7dbf8f1e150da
SHA256a5916e86fe407770437f27267e42b3f011c26406b5a2f433f3573700ba5169b4
SHA51255a33d2de56389752a4f2be3bb64cec00d90a36382a88cb381cbea8775fc5c0fc6b46e97cd55389c491016647f04ea372b1615f8fc33d71e6530057df5cbbc62
-
C:\Windows\SYSTEM.INIFilesize
257B
MD57231abdbed72eae305258be104a67ad7
SHA185ae0bc6fbed3df3244100c0cd9a066b160bedb6
SHA25687b11981a44e640064ac61bd39a44f2788c0c6800c2450cd91d3433f17265c2b
SHA512657d5dfaf2ce7e679905016fd04d9f7f4b472938914716786b89b7ad5e5aaa88b61e1094d0115d2e94e68893ec1c4a42372bd9c54f6901860a8ef1b746cf8fd6
-
memory/456-23-0x0000000003F70000-0x0000000003F71000-memory.dmpFilesize
4KB
-
memory/456-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/456-24-0x0000000003EE0000-0x0000000003EE2000-memory.dmpFilesize
8KB
-
memory/456-14-0x0000000003EE0000-0x0000000003EE2000-memory.dmpFilesize
8KB
-
memory/456-18-0x0000000003EE0000-0x0000000003EE2000-memory.dmpFilesize
8KB
-
memory/1192-111-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1192-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1192-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1192-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1192-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3108-42-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-76-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-10-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-11-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-25-0x0000000001AF0000-0x0000000001AF2000-memory.dmpFilesize
8KB
-
memory/3108-32-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-22-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-8-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-9-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-37-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-36-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-38-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-39-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-40-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-34-0x0000000001AF0000-0x0000000001AF2000-memory.dmpFilesize
8KB
-
memory/3108-43-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3108-52-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-54-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-55-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-21-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-6-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-12-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3108-89-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-17-0x0000000001B00000-0x0000000001B01000-memory.dmpFilesize
4KB
-
memory/3108-65-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-67-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-70-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-72-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-74-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-13-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-78-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-80-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-82-0x0000000000770000-0x000000000182A000-memory.dmpFilesize
16.7MB
-
memory/3108-96-0x0000000001AF0000-0x0000000001AF2000-memory.dmpFilesize
8KB
-
memory/4660-61-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4660-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4660-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4660-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4660-135-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4660-136-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB