Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-06-2024 23:59
General
-
Target
692b312211712c12f1fa86f0cc9e1180_NeikiAnalytics.dll
-
Size
120KB
-
MD5
692b312211712c12f1fa86f0cc9e1180
-
SHA1
a4e26fcfe87bffe4a416f4916eb4a09b03575b4b
-
SHA256
a75603c55bef5b14f106402e04b8a1cf1e3a9daa8e5e392422714c45fc0fa851
-
SHA512
0391b195e31ab663eee392210274b5b705149615cc64b481a08d8c8b603f54b1432d3d97244899c383ecb421bafd2faa6adf179b9bd55c6358cb139d59f4591e
-
SSDEEP
3072:LfHf2ihVc/AoxCXKh4b9Y88dKVt40JKBTNU76:LfZ8/AceKh/Q9sBTNUu
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\692b312211712c12f1fa86f0cc9e1180_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\692b312211712c12f1fa86f0cc9e1180_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f762185.exeC:\Users\Admin\AppData\Local\Temp\f762185.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762349.exeC:\Users\Admin\AppData\Local\Temp\f762349.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763d5e.exeC:\Users\Admin\AppData\Local\Temp\f763d5e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD560a7f6b855e2fb9e372d646c6bdd0777
SHA1b9f31c11c2a34ea267527f533fbcd11a11140cae
SHA25679d2519882d6f73a1f85443dbd7c0e920e8d64df8a87a2f29f43c60573b88a4b
SHA512c61e1c25b0340dba7409f1be42f858c1ac3255f0089570fe3298d106844955bdb76dcc171ec5010de5b0dacfb9ac049cfbe33df8fb5746c82dbf09a1c3a8ceb3
-
\Users\Admin\AppData\Local\Temp\f762185.exeFilesize
97KB
MD549f7e8c57758d2e5b6d6a7bcb5e338e8
SHA1dbb6efafcec8f8cfe9376f2d3a73ad1175f25a41
SHA256b0ea39da7096d987f4362d6932840b1b1bd05182f9524c27fa7312d85015f06f
SHA5128f9354d5d402bab89b2dfadae034d7d7e40730a7e5c55a63398078fabfc2fb0f81731426e88875f753c27c360e305d1a195ca9dcd92eadf4f809895eebed56a2
-
memory/632-210-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/632-211-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/632-172-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/632-110-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/632-105-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/632-106-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/632-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1072-31-0x0000000000390000-0x0000000000392000-memory.dmpFilesize
8KB
-
memory/1752-21-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-17-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-14-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1752-15-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-19-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-22-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-154-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1752-51-0x0000000000280000-0x0000000000282000-memory.dmpFilesize
8KB
-
memory/1752-50-0x0000000000280000-0x0000000000282000-memory.dmpFilesize
8KB
-
memory/1752-48-0x00000000016A0000-0x00000000016A1000-memory.dmpFilesize
4KB
-
memory/1752-153-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-120-0x0000000000280000-0x0000000000282000-memory.dmpFilesize
8KB
-
memory/1752-87-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-84-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-24-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-23-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-25-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-18-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-63-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-65-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-64-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-68-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-66-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-70-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-71-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-85-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1752-20-0x0000000000560000-0x000000000161A000-memory.dmpFilesize
16.7MB
-
memory/1896-38-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/1896-39-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1896-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1896-13-0x0000000000160000-0x0000000000172000-memory.dmpFilesize
72KB
-
memory/1896-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1896-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1896-12-0x0000000000160000-0x0000000000172000-memory.dmpFilesize
72KB
-
memory/1896-61-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/1896-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1896-79-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/1896-47-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1896-60-0x0000000000250000-0x0000000000262000-memory.dmpFilesize
72KB
-
memory/2276-160-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2276-159-0x0000000000A10000-0x0000000001ACA000-memory.dmpFilesize
16.7MB
-
memory/2276-111-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2276-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2276-99-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2276-107-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB