Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
17-06-2024 15:36
General
-
Target
aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe
-
Size
690KB
-
MD5
aaaf561e6929980b5dd9263b940f55b0
-
SHA1
0ecf1efff41fa45aab2c794a025e0abf5e8b38fc
-
SHA256
71913f4406474f1c89fd6dc25aa56c747bed809bd347e84ed205313e616136cb
-
SHA512
bacd7dc349a2ec09c23b72808a9b2e4470e8b585f1d68339e94145b45707e495287501273eb715bacaca9875b2eda2a1c1ae9a47b4a490e086743b6568a6f454
-
SSDEEP
12288:edmH3hRCjQuv0IUttVMSX98r/LbfjI6tuIoSRBEbCZQqXNr:edmH36cY0IstVMSNC/Lb7I2uSROCvXNr
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.ini"3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.ini4⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E5772A0_Rar\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.exeFilesize
622KB
MD5ef89f650aa5f28cd5d9a4c98444bf799
SHA162c5b30ca858b667e6a85ef40d0840aea62e8ddd
SHA256ceda224c28ecbdf23a5ea2180e62701fcf73a6d31dd1eccd37f6fbdd9fa99d20
SHA51287b73666bd042154a544ec9e1d1fa690ca3fdbe5e00d2b6c92210df8a9f7fe5375a5545b14ef3c3b09b59ba5a197235253955a2ed7d6d8f41fd5f7aa56657c88
-
C:\Users\Admin\AppData\Local\Temp\aaaf561e6929980b5dd9263b940f55b0_NeikiAnalytics.iniFilesize
5KB
MD50141a67c35dbf34ac8a146bb08a1a101
SHA16243844912ee2005ca05d7aa3f1a8ba0c263aac5
SHA256ed618f7a78c089b0234a4c538dd2c260d66705e1ed071ca05dd2fad2f0680fc4
SHA5123189d7278fa78d3265fb2e514cdcf6a058c855b13ee187eedab666536faf454dfac57c008a54786454de6bba57004e47bd041663325c848f3d3f82ee9112afee
-
memory/1372-35-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-73-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-9-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/1372-14-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1372-13-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-12-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1372-6-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-7-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-8-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1372-10-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-11-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-18-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-19-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-20-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-21-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-22-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-23-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-26-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-27-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-28-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-30-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-32-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-84-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-5-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-49-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-45-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-1-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-36-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-50-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-53-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-55-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-56-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-92-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1372-0-0x0000000000400000-0x00000000004AE000-memory.dmpFilesize
696KB
-
memory/1372-83-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-76-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-65-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-66-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-68-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-69-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-72-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-4-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/1372-74-0x0000000003220000-0x00000000042AE000-memory.dmpFilesize
16.6MB
-
memory/3624-64-0x0000000002DE0000-0x0000000002DE2000-memory.dmpFilesize
8KB
-
memory/3624-63-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/3764-61-0x0000000000910000-0x0000000000912000-memory.dmpFilesize
8KB
-
memory/3764-60-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB