Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
17-06-2024 12:54
General
-
Target
91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll
-
Size
120KB
-
MD5
91e0a3e73a08a7abdf6d07ff19b15c90
-
SHA1
8835ec190ba1b7f8e1dde792c0e97b10f2e522fe
-
SHA256
eb2eb503009e42a50816d7c298fb0a03149d9d366b46dbeec1955872d0f39cc2
-
SHA512
2c943f25813f6a3661d282bc8d7c5b6fe9dca0c41b3e7c5ee725b8c4174c078a9166ce88a547146b2eb98af9fe04f04963f38c70422fdc790f3378444a9c6cc8
-
SSDEEP
3072:rQu1gdzwReU0PRSwJC5VIHW9q5VxUKtDKR+j:rQu6mg3EyvcGVx1J
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761e98.exeC:\Users\Admin\AppData\Local\Temp\f761e98.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76200e.exeC:\Users\Admin\AppData\Local\Temp\f76200e.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763a14.exeC:\Users\Admin\AppData\Local\Temp\f763a14.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f761e98.exeFilesize
97KB
MD5f082e5fcb275607f93b1d0e192ab0c4c
SHA105b5ed58fba2a94fed2c5ff5a7d7e3af70607c39
SHA25684eb852278eb0ba3b21d08a5381b6e1d1008ac48157e15eb0d3d9c60527f801d
SHA512e0b161c7f5fd69061fe9c925373a435ba94263aeff32a36ab4a753946914cdd09540cdfcc1c813fd757a2120f9545a86c803236ca81b11709ce00035cca83972
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5ab606dfd8aa9d999da14235250df4a5b
SHA100cdb14ac077fddc34d169f4e45012e4b5654d6b
SHA256de1eeb1c264f7fa357dd407151996850dc1f9d1ea9b2cc1cca633cf54650e3c1
SHA5121b7d6b821d33060676506f662811490f3aeb4b5f848ed9becde3d76b01355d689f6ca068c937629d03dc3dd37fcea99bb1b35bbd4ec66e2adffbd79366c3af2e
-
memory/1056-23-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2616-94-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2616-157-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2616-102-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2616-95-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2616-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2732-172-0x00000000009A0000-0x0000000001A5A000-memory.dmpFilesize
16.7MB
-
memory/2732-208-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2732-103-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2732-207-0x00000000009A0000-0x0000000001A5A000-memory.dmpFilesize
16.7MB
-
memory/2732-100-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2732-101-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2732-81-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3020-56-0x00000000003D0000-0x00000000003D2000-memory.dmpFilesize
8KB
-
memory/3020-19-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3020-55-0x00000000003D0000-0x00000000003D2000-memory.dmpFilesize
8KB
-
memory/3020-20-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-13-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-14-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-153-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-16-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-18-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-61-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-62-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-63-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-64-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-65-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-67-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-68-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-152-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3020-22-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-118-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-83-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-84-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-86-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-107-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-15-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-17-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-21-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-41-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/3020-105-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3020-104-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/3024-31-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/3024-40-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/3024-77-0x0000000000780000-0x0000000000782000-memory.dmpFilesize
8KB
-
memory/3024-80-0x0000000000660000-0x0000000000672000-memory.dmpFilesize
72KB
-
memory/3024-49-0x0000000000780000-0x0000000000782000-memory.dmpFilesize
8KB
-
memory/3024-51-0x0000000000890000-0x00000000008A2000-memory.dmpFilesize
72KB
-
memory/3024-52-0x0000000000780000-0x0000000000782000-memory.dmpFilesize
8KB
-
memory/3024-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3024-9-0x0000000000660000-0x0000000000672000-memory.dmpFilesize
72KB
-
memory/3024-30-0x0000000000780000-0x0000000000782000-memory.dmpFilesize
8KB