Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
17-06-2024 03:51
General
-
Target
4375230c6f6af13f3b0354c762f85030_NeikiAnalytics.dll
-
Size
120KB
-
MD5
4375230c6f6af13f3b0354c762f85030
-
SHA1
d3c9751b12128c029d73ff4aaa0e3fc413f28679
-
SHA256
d617d8070e94aabd57e102f94a52e077efdd05d2c1a9071423ba98e345d47790
-
SHA512
2983515e865b09671ddb8590d493588384788c1b8fc94720d6e5ad953bf2fec6f0e86330ca22376c69dd3464225ca463bc7c8d990b19c1e96c3ed99ab659bd0a
-
SSDEEP
1536:aFTfLVa+xhZaVuBA1WpMOEcYf2WITslTzKszpr99ZcA6CEW3PlOIpv6h1:a6+x7lBAYp2OTslXD9ZCWfBpv6
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4375230c6f6af13f3b0354c762f85030_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4375230c6f6af13f3b0354c762f85030_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e575d52.exeC:\Users\Admin\AppData\Local\Temp\e575d52.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575f08.exeC:\Users\Admin\AppData\Local\Temp\e575f08.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e578a5e.exeC:\Users\Admin\AppData\Local\Temp\e578a5e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e575d52.exeFilesize
97KB
MD59ccc27d6bec5fc801e347fb2d1d4ea76
SHA159d75817d6c224866ab146896e2083a1031e8a12
SHA256c7f66ab97a524a1a6245a545655a37778f0a4a9638c676bfc45ffff974fe9d8d
SHA5127dabc240b21e7c3b25ab204210dc852c7d5b1689e7080ffd911b89fe19b35b1deea9e8430114a7b21b36ce2360903c0f9e721f6aee0b87b5ccc25e4cad71e47c
-
C:\Windows\SYSTEM.INIFilesize
256B
MD5657a179605b5a191cef055bae518dea0
SHA1feed77cd86d8b786248cae823dccc42ff15a1663
SHA256fe33202e4feee8d6ff90ac81ab014d2a566bd5e8840e00e4a111c71a833ef45f
SHA512336587417aea7eb6d442c1bd4a57f8e02da174018855b8d40c42a367b950a31eb655e1420eaff0301028e10cb8ca34781d98b18e033337bb07de45c890da701f
-
memory/1936-38-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-60-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-14-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-12-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-34-0x00000000005D0000-0x00000000005D2000-memory.dmpFilesize
8KB
-
memory/1936-13-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-32-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-26-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-29-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/1936-39-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-33-0x00000000005D0000-0x00000000005D2000-memory.dmpFilesize
8KB
-
memory/1936-25-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-11-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1936-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1936-8-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-71-0x00000000005D0000-0x00000000005D2000-memory.dmpFilesize
8KB
-
memory/1936-10-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-9-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-35-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-36-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-37-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-64-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-63-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-57-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-6-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-58-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-55-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-54-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/1936-53-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/2280-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2280-142-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/2280-108-0x0000000003DE0000-0x0000000003DE2000-memory.dmpFilesize
8KB
-
memory/2280-109-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/2280-99-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/2280-93-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/2280-94-0x00000000007E0000-0x000000000189A000-memory.dmpFilesize
16.7MB
-
memory/2280-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2736-41-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2736-87-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2736-43-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2736-42-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4972-15-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB
-
memory/4972-16-0x0000000003E80000-0x0000000003E81000-memory.dmpFilesize
4KB
-
memory/4972-27-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB
-
memory/4972-48-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB
-
memory/4972-17-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB
-
memory/4972-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB