Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
17-06-2024 12:54
General
-
Target
91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll
-
Size
120KB
-
MD5
91e0a3e73a08a7abdf6d07ff19b15c90
-
SHA1
8835ec190ba1b7f8e1dde792c0e97b10f2e522fe
-
SHA256
eb2eb503009e42a50816d7c298fb0a03149d9d366b46dbeec1955872d0f39cc2
-
SHA512
2c943f25813f6a3661d282bc8d7c5b6fe9dca0c41b3e7c5ee725b8c4174c078a9166ce88a547146b2eb98af9fe04f04963f38c70422fdc790f3378444a9c6cc8
-
SSDEEP
3072:rQu1gdzwReU0PRSwJC5VIHW9q5VxUKtDKR+j:rQu6mg3EyvcGVx1J
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5741eb.exeC:\Users\Admin\AppData\Local\Temp\e5741eb.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5743ee.exeC:\Users\Admin\AppData\Local\Temp\e5743ee.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5760fc.exeC:\Users\Admin\AppData\Local\Temp\e5760fc.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5741eb.exeFilesize
97KB
MD5f082e5fcb275607f93b1d0e192ab0c4c
SHA105b5ed58fba2a94fed2c5ff5a7d7e3af70607c39
SHA25684eb852278eb0ba3b21d08a5381b6e1d1008ac48157e15eb0d3d9c60527f801d
SHA512e0b161c7f5fd69061fe9c925373a435ba94263aeff32a36ab4a753946914cdd09540cdfcc1c813fd757a2120f9545a86c803236ca81b11709ce00035cca83972
-
C:\Windows\SYSTEM.INIFilesize
257B
MD50440bb8781f3cfae32d9aed91c1c1efb
SHA1b37ebd48c047e35394aafce6071d0ccfa135c517
SHA2569ff4b1c87a4400fc94b5a76202299e2c80a4dc1f7d29006566406910af1e0a3f
SHA51261229de7014952c05e5db33737ce0b49355255a0c596dc42f7e409c7046d27f8d2ed6f8b6168e84c09229ba8a4893e9f9ba2aa8c4c4fb0dfb7fe2792553edc78
-
memory/1748-31-0x0000000000DA0000-0x0000000000DA1000-memory.dmpFilesize
4KB
-
memory/1748-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1748-23-0x0000000000D80000-0x0000000000D82000-memory.dmpFilesize
8KB
-
memory/1748-30-0x0000000000D80000-0x0000000000D82000-memory.dmpFilesize
8KB
-
memory/1748-27-0x0000000000D80000-0x0000000000D82000-memory.dmpFilesize
8KB
-
memory/3152-41-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-70-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-35-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/3152-32-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/3152-21-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-15-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-26-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/3152-9-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-14-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-12-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-11-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-10-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-16-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-6-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-22-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-37-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-38-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-39-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-40-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-8-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3152-51-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-52-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-97-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3152-80-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-85-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/3152-76-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-75-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-72-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-61-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-63-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-65-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-66-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3152-67-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4624-36-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4624-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4624-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4624-54-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4624-101-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5020-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/5020-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/5020-56-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/5020-50-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5020-113-0x0000000000B90000-0x0000000001C4A000-memory.dmpFilesize
16.7MB
-
memory/5020-146-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5020-145-0x0000000000B90000-0x0000000001C4A000-memory.dmpFilesize
16.7MB