Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-06-2024 11:40
General
-
Target
862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.dll
-
Size
120KB
-
MD5
862c887e24b533c22fa126f1e9c3b400
-
SHA1
5a296016452b31f643ec127b745253e35973759f
-
SHA256
21f43010db740c67226fd3200e0ab0f42dc7c00a3bc841fe799076acf443ad89
-
SHA512
7b43c326bdd38c02ca734cc70a5d671f5d0b4b966b7d4f164d5e10e303387367459ebd855ed1de2dc77cfcdfe57eaf3c12b247203892b4f672172e4e02467f5d
-
SSDEEP
3072:kOD+x/dlsq+hy1xQH2CH3NYmZghzlqe6/tERJhz:kODidlL9QW88lbRT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7623f5.exeC:\Users\Admin\AppData\Local\Temp\f7623f5.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7625d8.exeC:\Users\Admin\AppData\Local\Temp\f7625d8.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f764846.exeC:\Users\Admin\AppData\Local\Temp\f764846.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f7623f5.exeFilesize
97KB
MD5901b9c139880852fa647ba07ca29e913
SHA10af1cf802875f64944964533fca60fc4ce452953
SHA256a63487925ac935443e113a4d42d3bee9a62ff22afa7ed66cd8867398e05648f5
SHA51283ffdc3cff2373a10212990cfd215900fa46d5965a7808343d13c27f845fa87961a3a64123a7be44619f486b3809256ad29bc32526743fdef16f748deb402bbe
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d6b56c0d08e9a565e76f36f49fe950dd
SHA16faafa557cde4d041ec2338ddef2aa4c361b705f
SHA256bded5927579a7128634f8961b9ae1adb0d833af2e3aa960da54ab9aba90a6c9f
SHA51296309941b4fd893c8fe58319b228ad133c806f11990b22bc202e5f7d0559783cbdff0642bd589bb90522993d76e901ee3dfd46511bbfb0860b579a643ea33c8a
-
memory/1116-32-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2336-63-0x0000000000230000-0x0000000000242000-memory.dmpFilesize
72KB
-
memory/2336-40-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2336-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2336-13-0x0000000000180000-0x0000000000192000-memory.dmpFilesize
72KB
-
memory/2336-12-0x0000000000180000-0x0000000000192000-memory.dmpFilesize
72KB
-
memory/2336-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2336-62-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2336-87-0x0000000000180000-0x0000000000182000-memory.dmpFilesize
8KB
-
memory/2336-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2336-64-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2336-55-0x0000000000230000-0x0000000000242000-memory.dmpFilesize
72KB
-
memory/2336-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2336-43-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2336-41-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2404-100-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-71-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-26-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-24-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-23-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-21-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-20-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-18-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-17-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-25-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-57-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-51-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2404-14-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2404-19-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-49-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/2404-66-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-67-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-68-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-70-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-52-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2404-72-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-73-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-75-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-15-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-22-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-90-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-162-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2404-163-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-139-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2404-127-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2404-56-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2584-113-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2584-103-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2584-192-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2776-112-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2776-114-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2776-88-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2776-175-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/2776-222-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/2776-221-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB