Analysis
-
max time kernel
134s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
18-06-2024 23:59
General
-
Target
692b312211712c12f1fa86f0cc9e1180_NeikiAnalytics.dll
-
Size
120KB
-
MD5
692b312211712c12f1fa86f0cc9e1180
-
SHA1
a4e26fcfe87bffe4a416f4916eb4a09b03575b4b
-
SHA256
a75603c55bef5b14f106402e04b8a1cf1e3a9daa8e5e392422714c45fc0fa851
-
SHA512
0391b195e31ab663eee392210274b5b705149615cc64b481a08d8c8b603f54b1432d3d97244899c383ecb421bafd2faa6adf179b9bd55c6358cb139d59f4591e
-
SSDEEP
3072:LfHf2ihVc/AoxCXKh4b9Y88dKVt40JKBTNU76:LfZ8/AceKh/Q9sBTNUu
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\692b312211712c12f1fa86f0cc9e1180_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\692b312211712c12f1fa86f0cc9e1180_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573ae6.exeC:\Users\Admin\AppData\Local\Temp\e573ae6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e573c5d.exeC:\Users\Admin\AppData\Local\Temp\e573c5d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5761c7.exeC:\Users\Admin\AppData\Local\Temp\e5761c7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573ae6.exeFilesize
97KB
MD549f7e8c57758d2e5b6d6a7bcb5e338e8
SHA1dbb6efafcec8f8cfe9376f2d3a73ad1175f25a41
SHA256b0ea39da7096d987f4362d6932840b1b1bd05182f9524c27fa7312d85015f06f
SHA5128f9354d5d402bab89b2dfadae034d7d7e40730a7e5c55a63398078fabfc2fb0f81731426e88875f753c27c360e305d1a195ca9dcd92eadf4f809895eebed56a2
-
C:\Windows\SYSTEM.INIFilesize
257B
MD526581b6cf36d935252209d52afd51ddf
SHA152c17a8db7345f4e6fc6d8bcae83360213e1efa4
SHA2561ab18a54b90ebf7496bf9f9022a0d509c04499fc083caf31f83e92520c75c6d9
SHA512d0811065648cdd86521082cdb4e80e6557947b84b8ed9db2449ab68330c6065ef1912b74767ad7b4b0347a2474d0b95a7df2cf8558021d2ccb871689f8cdc0f2
-
memory/796-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/796-111-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/796-103-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/796-102-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/796-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/796-55-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/796-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1272-52-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-77-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-14-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-26-0x0000000003660000-0x0000000003662000-memory.dmpFilesize
8KB
-
memory/1272-13-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-12-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-6-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-18-0x00000000040F0000-0x00000000040F1000-memory.dmpFilesize
4KB
-
memory/1272-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1272-9-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-8-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-30-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-37-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-36-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-38-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-39-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-40-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-11-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-24-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-97-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1272-25-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-86-0x0000000003660000-0x0000000003662000-memory.dmpFilesize
8KB
-
memory/1272-78-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-32-0x0000000003660000-0x0000000003662000-memory.dmpFilesize
8KB
-
memory/1272-76-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-62-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-63-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-65-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-67-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-68-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-70-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-72-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/1272-74-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/3832-61-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3832-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3832-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3832-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3832-109-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3832-110-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/3832-112-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/3908-27-0x00000000013B0000-0x00000000013B2000-memory.dmpFilesize
8KB
-
memory/3908-33-0x00000000013B0000-0x00000000013B2000-memory.dmpFilesize
8KB
-
memory/3908-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3908-15-0x00000000013B0000-0x00000000013B2000-memory.dmpFilesize
8KB
-
memory/3908-16-0x00000000013C0000-0x00000000013C1000-memory.dmpFilesize
4KB