Analysis
-
max time kernel
51s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-06-2024 13:32
General
-
Target
973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.dll
-
Size
120KB
-
MD5
973f9a1722c276701690dfb5e64a9d50
-
SHA1
8970a94ed060b6a2de2e6fd04dcaffaac63cb968
-
SHA256
96ff5ebeadf9a22028e99b8feef45df17e89c677a0109ca8e520c42f7d5f85e4
-
SHA512
2170f0822074ee206219149fb0f12a66772d76d3f7ff5aca468d9557574760e48bb324cf50465afe01eb8115587b2b1b76fd7f1f0ca0e29e3b5cd9b4f94f6a07
-
SSDEEP
1536:1lnUD7SdPdh5SjyqUd6Y7B0snDV1JrTMfFlT2vgoxxtEeBN2AN6T3:15C7O35onUd6QBbfNMfFlKIYD9UAY
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e574d93.exeC:\Users\Admin\AppData\Local\Temp\e574d93.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574ebc.exeC:\Users\Admin\AppData\Local\Temp\e574ebc.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576978.exeC:\Users\Admin\AppData\Local\Temp\e576978.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574d93.exeFilesize
97KB
MD550db462086ef134b5ec4cd159e5baac3
SHA148484a18d2b67fd0958a7ef6230e4c2eeaab1a58
SHA256951c326fb0c7c0fe4386d1a7d8e9468320ec3a851e098be26cf16a156791dfa2
SHA51246e98e863311deff2246997e4ec03499b74675bb9a562d65dcfaa569b5ea547f99b4317a4737677ca76bfb4fe004e305c5617a4393953265ad286632f5f361b5
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5f00515c6b84b59d10cf8ad1f19c09b35
SHA17bd3c95900d64533e29063c303133b6bc8868761
SHA25673142df8a1ac1dc36928a4e01d32794a07a3d13abfc6f2d706d34fa60760e8f9
SHA512a08c308ad3e9eae7dd805c6f970bb15e2f4da029e20e0172dcc2b4318bf68bb6c5e7ce3897476cde5e9f4e776d67c0607e8aaa1a66c3fc8254595eab762c7828
-
memory/900-28-0x00000000038B0000-0x00000000038B2000-memory.dmpFilesize
8KB
-
memory/900-15-0x00000000038B0000-0x00000000038B2000-memory.dmpFilesize
8KB
-
memory/900-14-0x00000000038B0000-0x00000000038B2000-memory.dmpFilesize
8KB
-
memory/900-16-0x0000000003F10000-0x0000000003F11000-memory.dmpFilesize
4KB
-
memory/900-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3932-131-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3932-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3932-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3932-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3932-61-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3932-118-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/3932-132-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/4636-42-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-13-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-9-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-34-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4636-32-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-35-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-26-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-36-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-37-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-38-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-39-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-40-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-19-0x0000000001A00000-0x0000000001A01000-memory.dmpFilesize
4KB
-
memory/4636-43-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-27-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/4636-52-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-54-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-55-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-29-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/4636-6-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-8-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-10-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-12-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-11-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-65-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-67-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-70-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-72-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-74-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-76-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-78-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-80-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-82-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-83-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/4636-102-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4636-93-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/4820-106-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4820-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4820-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4820-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4820-33-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB