Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
19-06-2024 05:38
General
-
Target
9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
9278f7e4298d6e46b1b5c12cc66d9bd0
-
SHA1
53f96e01207ab8827a2e60b34eeaa543e6f2241a
-
SHA256
0b9e26e1c94d4506b254d1a99717fc0b037370fe7fba7ba0aff509e150231732
-
SHA512
7abeff7631a2c984cd17de2b4f27aa5cf568fd7e590e44329fa2299b052b2ac4dece1fc0e53cc1d67812d82b9a4607c86a99d55854011c6a740c13bae5bd25aa
-
SSDEEP
1536:RNC4Kd9hL4cKlsuZ5MBDT/8AIoJactXkCuO7K0jw5CodtetfizMKbYH:mRUlXfM+zeactXkyqeti0
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 61 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7617f4.exeC:\Users\Admin\AppData\Local\Temp\f7617f4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7619a8.exeC:\Users\Admin\AppData\Local\Temp\f7619a8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7633bd.exeC:\Users\Admin\AppData\Local\Temp\f7633bd.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD54e990df44f62667dfbf0dafd1236a37b
SHA148a119a46ea7b51145f2bf6e377c50055cb6f04f
SHA256d41a5ddb0098f08b82fbaf219ada2fcfdbdd6d733f3e404695a5843b6bbd1ce9
SHA512f80a9245619a48a80438fe7376e03e1ced45ddb5df694b50ecd1351047e6eba88b0addbe2e688c75be8c8f3350d9245716457b87ec6a6669708bf05207f97998
-
\Users\Admin\AppData\Local\Temp\f7617f4.exeFilesize
97KB
MD535d6c814d11fe50533ce6b64ac522302
SHA115750ed485678b400f7507f14a77c98bc79ff26f
SHA256e99bd1752ec86b9c651ec9f58274dd1a58615e0f58051b9c028900280fc60f88
SHA5123337c761ff4097c3b184a0af429a05ee7d1247578381194f019bfed0d364233e6be00e9b92c28ff7c234ef4a1a15f9348272ebd741fd0cadc2fba2599cb7d03c
-
memory/1116-29-0x0000000001F90000-0x0000000001F92000-memory.dmpFilesize
8KB
-
memory/2616-89-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2616-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2616-90-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2616-172-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2616-173-0x00000000009C0000-0x0000000001A7A000-memory.dmpFilesize
16.7MB
-
memory/2616-151-0x00000000009C0000-0x0000000001A7A000-memory.dmpFilesize
16.7MB
-
memory/2616-96-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2732-94-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2732-207-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2732-95-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2732-77-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2732-97-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2848-45-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2848-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2848-58-0x0000000000220000-0x0000000000232000-memory.dmpFilesize
72KB
-
memory/2848-37-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2848-36-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2848-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2848-74-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2848-56-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2848-6-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2848-59-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2864-19-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-21-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-62-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-63-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-64-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-65-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-23-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-46-0x0000000004230000-0x0000000004231000-memory.dmpFilesize
4KB
-
memory/2864-79-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-80-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-49-0x0000000003CD0000-0x0000000003CD2000-memory.dmpFilesize
8KB
-
memory/2864-48-0x0000000003CD0000-0x0000000003CD2000-memory.dmpFilesize
8KB
-
memory/2864-14-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-61-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-22-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-17-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-98-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-99-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-102-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-104-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-107-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-138-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2864-139-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-18-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-16-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-20-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-15-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2864-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB