Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
17-06-2024 09:57
General
-
Target
776b10a023d300f6f129459cd84f08a0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
776b10a023d300f6f129459cd84f08a0
-
SHA1
a91fea3dc600b2058d97c1f14eb6ff1e1f1812bd
-
SHA256
4ab14a8c61755a132fdf1a913b06d38e58a5c8f37764d4a6faafe861d6471e0a
-
SHA512
22547c20ddbf927f8267eb55cbb72db8dd05a2b6e4dc860e42f1c8386953d28376816ec64cad33937fd0b984d227f9790c05596af10d607505ba5ab287760866
-
SSDEEP
3072:MqynuJTHe6nwN+AnvgC2VpamgPaJs4yb1p:Mqyc+q/XPpGevy
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\776b10a023d300f6f129459cd84f08a0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\776b10a023d300f6f129459cd84f08a0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57347d.exeC:\Users\Admin\AppData\Local\Temp\e57347d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e573614.exeC:\Users\Admin\AppData\Local\Temp\e573614.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575b6e.exeC:\Users\Admin\AppData\Local\Temp\e575b6e.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57347d.exeFilesize
97KB
MD59ea8570363df5fcb6526430d26daefb2
SHA1f50e4a0f11f222a597952a3beff37dfc147687f9
SHA2565bdff8f11396093c9ed82c9d6d9a8f005385fa002b495dd458b9962e49019f20
SHA51239f05a20b7e645281e7df1df511a8bb063decb7e0fcdf725f45f7c539058c43f03b39baaed16f3258bf7ca70d207a2454ab0f61938b8cf27b733a39327a21533
-
C:\Windows\SYSTEM.INIFilesize
257B
MD59efe11c25a1fd2f58fa53dde77374997
SHA1ff2d67b34f0b04a16d46e695ea78852f88e1f02a
SHA2566b2e70399910f8653af7ad3dafa9ed0297b1dbc030ed1658b9df290eda8b24d4
SHA5124b2e52eb9e95df0279cdb28bfe928f99850509c3ad5f3c39baa2cec582142bcf20c47533f4c6b7ae0725efe69f74b2c09c53aa559cf74bb8072676807dd60a16
-
memory/1168-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1168-20-0x0000000000C70000-0x0000000000C72000-memory.dmpFilesize
8KB
-
memory/1168-32-0x0000000000C70000-0x0000000000C72000-memory.dmpFilesize
8KB
-
memory/1168-21-0x0000000000F10000-0x0000000000F11000-memory.dmpFilesize
4KB
-
memory/1168-26-0x0000000000C70000-0x0000000000C72000-memory.dmpFilesize
8KB
-
memory/1168-47-0x0000000000C70000-0x0000000000C72000-memory.dmpFilesize
8KB
-
memory/1540-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1540-118-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/1540-132-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1540-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1540-52-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1540-55-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1540-131-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/2572-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2572-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2572-54-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2572-50-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2572-136-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4412-40-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-60-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-36-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-37-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-38-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-39-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-23-0x0000000001B40000-0x0000000001B41000-memory.dmpFilesize
4KB
-
memory/4412-42-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-11-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-18-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-27-0x0000000001B30000-0x0000000001B32000-memory.dmpFilesize
8KB
-
memory/4412-19-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-29-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-31-0x0000000001B30000-0x0000000001B32000-memory.dmpFilesize
8KB
-
memory/4412-24-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-17-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-59-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-25-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-62-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-64-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-65-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-67-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-69-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-75-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-76-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-79-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-80-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-88-0x0000000001B30000-0x0000000001B32000-memory.dmpFilesize
8KB
-
memory/4412-83-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-101-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4412-9-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-8-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-10-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-6-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/4412-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB