Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
17-06-2024 04:16
General
-
Target
47282eca6d814c3808d4f5c113e22180_NeikiAnalytics.dll
-
Size
120KB
-
MD5
47282eca6d814c3808d4f5c113e22180
-
SHA1
4d1d77383f9cad8acfbf970733079cacb1a44677
-
SHA256
669e7700a0b7459b52a5add16a6773812792958f0cf6f77628a4f7e1195fc2c8
-
SHA512
01f7aa6c744ad14e927f9d0327522b5493e4b386b48f9e9f1fab0f439635627ba7d03ac7890cfc6842d57627c6409e546117b09fa49d1769405ebc0f28dacb4e
-
SSDEEP
1536:kG+KlIOCVPHcxphmtuPSYbCjwgOK3KQHqBZvDlEVHi2MAI0x7xyZWOFK7TzWhO:knKAHcxTr+jwgOrDUVCfZ0x7cZbO
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\47282eca6d814c3808d4f5c113e22180_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\47282eca6d814c3808d4f5c113e22180_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573ebe.exeC:\Users\Admin\AppData\Local\Temp\e573ebe.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574006.exeC:\Users\Admin\AppData\Local\Temp\e574006.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575e9b.exeC:\Users\Admin\AppData\Local\Temp\e575e9b.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573ebe.exeFilesize
97KB
MD562c2721038c58f9c947ea7bad3afe5d0
SHA114ab26722c293a0822507f377f04b2bb49d7b984
SHA256bf4aa0000a5d181ea9a5bfbab5af477027b5abc05e89b4b463005e17c4d4ec84
SHA512493e9bfe29b6c7e005f90c4040ddde2ce702403d735f85bbc67e55e78bc22d90f0f20c482172f383da7cbd1d96b0ec28e846e53593ea0d8c4ce083e4d75e03d2
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5bd2db8131d1807e69481d25f03424ec5
SHA16d72c52c0d0d477c2630f2db32436af9b81713d0
SHA25620bdc3adba2756f89501d714a1f71e723f9856262fa8daf55f1a80284e428f0b
SHA5126749df393ccbc4e30dd147b9c3c89933e1ec350fc185523648d4c809274b500cbdced197873b054ff01001e821209d8c6fbd30e19d286fdeb1cf16ebe2df5d3b
-
memory/1144-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1144-126-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/1144-127-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1144-114-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/1144-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1144-53-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1144-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1540-50-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-75-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1540-27-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/1540-23-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-12-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-10-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-11-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-17-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/1540-6-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-9-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-26-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-36-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-37-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-38-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-39-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-40-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-86-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/1540-83-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-51-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-101-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1540-31-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/1540-25-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-80-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-24-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-60-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-62-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-63-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-65-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-68-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-69-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-13-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-77-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/1540-79-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/3144-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3144-28-0x0000000000730000-0x0000000000732000-memory.dmpFilesize
8KB
-
memory/3144-14-0x0000000000730000-0x0000000000732000-memory.dmpFilesize
8KB
-
memory/3144-15-0x0000000000740000-0x0000000000741000-memory.dmpFilesize
4KB
-
memory/3144-32-0x0000000000730000-0x0000000000732000-memory.dmpFilesize
8KB
-
memory/4352-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4352-55-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4352-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4352-131-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB