Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
17-06-2024 03:51
General
-
Target
4375230c6f6af13f3b0354c762f85030_NeikiAnalytics.dll
-
Size
120KB
-
MD5
4375230c6f6af13f3b0354c762f85030
-
SHA1
d3c9751b12128c029d73ff4aaa0e3fc413f28679
-
SHA256
d617d8070e94aabd57e102f94a52e077efdd05d2c1a9071423ba98e345d47790
-
SHA512
2983515e865b09671ddb8590d493588384788c1b8fc94720d6e5ad953bf2fec6f0e86330ca22376c69dd3464225ca463bc7c8d990b19c1e96c3ed99ab659bd0a
-
SSDEEP
1536:aFTfLVa+xhZaVuBA1WpMOEcYf2WITslTzKszpr99ZcA6CEW3PlOIpv6h1:a6+x7lBAYp2OTslXD9ZCWfBpv6
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4375230c6f6af13f3b0354c762f85030_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4375230c6f6af13f3b0354c762f85030_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7670dc.exeC:\Users\Admin\AppData\Local\Temp\f7670dc.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f767520.exeC:\Users\Admin\AppData\Local\Temp\f767520.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f7689f7.exeC:\Users\Admin\AppData\Local\Temp\f7689f7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f7670dc.exeFilesize
97KB
MD59ccc27d6bec5fc801e347fb2d1d4ea76
SHA159d75817d6c224866ab146896e2083a1031e8a12
SHA256c7f66ab97a524a1a6245a545655a37778f0a4a9638c676bfc45ffff974fe9d8d
SHA5127dabc240b21e7c3b25ab204210dc852c7d5b1689e7080ffd911b89fe19b35b1deea9e8430114a7b21b36ce2360903c0f9e721f6aee0b87b5ccc25e4cad71e47c
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5bc71622e603d8d68df2b466ddac90439
SHA181209117eb947d68861d647b0461420c586ef467
SHA2569060b09b7be241efffcbb667d422ba5375915ae621a3c53e8d2814b917601c3f
SHA512151272d5a900895c057e18e55fec16dd5e1ef657104a5abf9bc1cc73a0cb307f205f84451881dec06f9f7966b49f67b70e43174bc10301f962960f8c1926ec70
-
memory/264-102-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/264-101-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/264-197-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/264-153-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/264-196-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/264-104-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/264-80-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1096-26-0x0000000001BC0000-0x0000000001BC2000-memory.dmpFilesize
8KB
-
memory/2632-95-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2632-173-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2632-103-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2632-94-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2632-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3008-42-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3008-57-0x0000000000260000-0x0000000000272000-memory.dmpFilesize
72KB
-
memory/3008-56-0x0000000000260000-0x0000000000272000-memory.dmpFilesize
72KB
-
memory/3008-55-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3008-11-0x0000000000160000-0x0000000000172000-memory.dmpFilesize
72KB
-
memory/3008-35-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/3008-34-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/3008-33-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3008-12-0x0000000000160000-0x0000000000172000-memory.dmpFilesize
72KB
-
memory/3008-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3008-79-0x0000000000160000-0x0000000000166000-memory.dmpFilesize
24KB
-
memory/3008-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3020-20-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-87-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-62-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-63-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-65-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-64-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-23-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-67-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-21-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-81-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-82-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-84-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-86-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-61-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-18-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-41-0x00000000005F0000-0x00000000005F1000-memory.dmpFilesize
4KB
-
memory/3020-58-0x00000000003B0000-0x00000000003B2000-memory.dmpFilesize
8KB
-
memory/3020-50-0x00000000003B0000-0x00000000003B2000-memory.dmpFilesize
8KB
-
memory/3020-22-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-17-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-106-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-145-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3020-146-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-15-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-24-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-19-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-13-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/3020-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB