Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
17-06-2024 03:46
General
-
Target
42e51f005efbcdf0f52f6170cd8634f0_NeikiAnalytics.exe
-
Size
964KB
-
MD5
42e51f005efbcdf0f52f6170cd8634f0
-
SHA1
187a8a05accfda1c2135586eb572f90ecbe87c92
-
SHA256
b4dac595849754e91e70d77b92db0341ff70bdaad199883394e393e88524abf2
-
SHA512
c0c140381eaa3bd4d350f6607e83073d88351d38b01d9c178c8a0dc49d08a735519be3d74923cfb67ac4de28a4d9951283e245f9b41d610ab15de47d4354a180
-
SSDEEP
12288:6ZxSMwmxvL/f3vCN1PMaLi6rAyIQjmpOElxIp:WxSMwADf3qN1PvipP8
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\42e51f005efbcdf0f52f6170cd8634f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\42e51f005efbcdf0f52f6170cd8634f0_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3880-0-0x0000000001000000-0x00000000010F3000-memory.dmpFilesize
972KB
-
memory/3880-1-0x0000000002510000-0x00000000035CA000-memory.dmpFilesize
16.7MB
-
memory/3880-10-0x0000000001000000-0x00000000010F3000-memory.dmpFilesize
972KB
-
memory/3880-4-0x0000000002510000-0x00000000035CA000-memory.dmpFilesize
16.7MB
-
memory/3880-5-0x0000000002510000-0x00000000035CA000-memory.dmpFilesize
16.7MB
-
memory/3880-7-0x0000000002510000-0x00000000035CA000-memory.dmpFilesize
16.7MB
-
memory/3880-11-0x0000000002510000-0x00000000035CA000-memory.dmpFilesize
16.7MB
-
memory/3880-3-0x0000000002510000-0x00000000035CA000-memory.dmpFilesize
16.7MB