Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
17-06-2024 22:22
General
-
Target
095cf3cd034eec91029d74c716765290_NeikiAnalytics.dll
-
Size
120KB
-
MD5
095cf3cd034eec91029d74c716765290
-
SHA1
a47bcf2a95f2d7c53411e5f70048e31bae5f7e19
-
SHA256
9248023569fe57c0d5f08fdcd75acb3edb5d120d9698bd62ed4cf4f9f5a6a735
-
SHA512
0227b15fe95b37a1e3c66902ea238aeb30454045e48a5a0cc19f01fdef73f3b1c313f3a430744f527131a66c968c0028b920d175611c9c82ab0c3a4b2412a409
-
SSDEEP
1536:Ui0v+wj06slPPBkJXymJ/d/ctcjy+NQX/cc3luklKXtlfPq1MmjWs87tJBm/hIO:PsFsl3BkJiiY1+3c1ueylfP8Ws87B
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\095cf3cd034eec91029d74c716765290_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\095cf3cd034eec91029d74c716765290_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5800a7.exeC:\Users\Admin\AppData\Local\Temp\e5800a7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e580635.exeC:\Users\Admin\AppData\Local\Temp\e580635.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e584aef.exeC:\Users\Admin\AppData\Local\Temp\e584aef.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffd7c282e98,0x7ffd7c282ea4,0x7ffd7c282eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2276 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2340 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2520 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5568 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1504 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5800a7.exeFilesize
97KB
MD5559659987ef93298a03a3d2c487b3f3b
SHA1f578360b2ba87d3c4ea059ae8007d39b01dcd701
SHA25606a892905122c99e2327b0e568bfe5fea08860a39dad7410ddbd9e96cea06efa
SHA5128f5015dab440b5c82605a740d3e57d79930586d9c81633f1ab46968b9c59895a9649ad169027725e4fb9814c0f2336d1ecbf6cf4c7aba911c18b533d38dc6b8d
-
C:\Windows\SYSTEM.INIFilesize
257B
MD504650086522153612560bfa8b90261ea
SHA1c0ebc84ce5214c309b4da3b99f8f58693ca30e45
SHA256dc3995a535204582a938e4a42e88c5d601f776bfd73a14b775a224c773f31248
SHA51204eaf9eb0ac05d6e2c9654016c6c0ed0312c30ae9b15b29e80933756590c2ae22d22f71d1fa2ee7f1df0bfc0570d465843198ba11a58ce01128092735b320501
-
memory/656-26-0x0000000004160000-0x0000000004161000-memory.dmpFilesize
4KB
-
memory/656-49-0x0000000003A80000-0x0000000003A82000-memory.dmpFilesize
8KB
-
memory/656-23-0x0000000003A80000-0x0000000003A82000-memory.dmpFilesize
8KB
-
memory/656-31-0x0000000003A80000-0x0000000003A82000-memory.dmpFilesize
8KB
-
memory/656-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/656-24-0x0000000003A80000-0x0000000003A82000-memory.dmpFilesize
8KB
-
memory/3376-113-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3376-89-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3376-90-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3376-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4152-41-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-58-0x0000000001B70000-0x0000000001B72000-memory.dmpFilesize
8KB
-
memory/4152-30-0x0000000001B70000-0x0000000001B72000-memory.dmpFilesize
8KB
-
memory/4152-22-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-15-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-14-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-16-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-10-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-17-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-36-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-37-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4152-7-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-9-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-32-0x0000000001B70000-0x0000000001B72000-memory.dmpFilesize
8KB
-
memory/4152-11-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-43-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-12-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-44-0x0000000000780000-0x000000000183A000-memory.dmpFilesize
16.7MB
-
memory/4152-28-0x0000000001B80000-0x0000000001B81000-memory.dmpFilesize
4KB
-
memory/4152-70-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4696-76-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-40-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/4696-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4696-79-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-86-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-87-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-42-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/4696-80-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-74-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-77-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-78-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-39-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/4696-73-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-91-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-92-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-106-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/4696-100-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4696-109-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4696-75-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB