Analysis
-
max time kernel
146s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
19-06-2024 05:38
General
-
Target
9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
9278f7e4298d6e46b1b5c12cc66d9bd0
-
SHA1
53f96e01207ab8827a2e60b34eeaa543e6f2241a
-
SHA256
0b9e26e1c94d4506b254d1a99717fc0b037370fe7fba7ba0aff509e150231732
-
SHA512
7abeff7631a2c984cd17de2b4f27aa5cf568fd7e590e44329fa2299b052b2ac4dece1fc0e53cc1d67812d82b9a4607c86a99d55854011c6a740c13bae5bd25aa
-
SSDEEP
1536:RNC4Kd9hL4cKlsuZ5MBDT/8AIoJactXkCuO7K0jw5CodtetfizMKbYH:mRUlXfM+zeactXkyqeti0
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57d4a5.exeC:\Users\Admin\AppData\Local\Temp\e57d4a5.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57db3d.exeC:\Users\Admin\AppData\Local\Temp\e57db3d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57f77f.exeC:\Users\Admin\AppData\Local\Temp\e57f77f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ff95ed54ef8,0x7ff95ed54f04,0x7ff95ed54f102⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1884,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2392,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:82⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57d4a5.exeFilesize
97KB
MD535d6c814d11fe50533ce6b64ac522302
SHA115750ed485678b400f7507f14a77c98bc79ff26f
SHA256e99bd1752ec86b9c651ec9f58274dd1a58615e0f58051b9c028900280fc60f88
SHA5123337c761ff4097c3b184a0af429a05ee7d1247578381194f019bfed0d364233e6be00e9b92c28ff7c234ef4a1a15f9348272ebd741fd0cadc2fba2599cb7d03c
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5bd8f399fcc1385a983a0850c33f9eda3
SHA1998b8ecb10a35f988ba440c0be36590cfb16440c
SHA256588a5e2067d668df01ad090972e0f4c18e25b839eb0d96a4b8cd539314daa831
SHA5124f0402f825f4f7e40b441fa707c1863c85ea85d692d3bc6eb814a142da61120ae856d4db03ac44a45f6b9246f7100a4199b9a0b7859349d060accde17839f108
-
memory/512-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/512-24-0x0000000004900000-0x0000000004902000-memory.dmpFilesize
8KB
-
memory/512-33-0x0000000004900000-0x0000000004902000-memory.dmpFilesize
8KB
-
memory/512-25-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/512-28-0x0000000004900000-0x0000000004902000-memory.dmpFilesize
8KB
-
memory/840-119-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/840-106-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/840-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/840-120-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/840-55-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/840-37-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/840-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3276-61-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3276-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3276-57-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3276-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3276-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3276-144-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/3276-145-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/3636-39-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-64-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-32-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3636-38-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-34-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3636-40-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-23-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-50-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-51-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-53-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-30-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-20-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-22-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-21-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-19-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-12-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-62-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-27-0x0000000001B40000-0x0000000001B41000-memory.dmpFilesize
4KB
-
memory/3636-65-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-66-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-69-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-71-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-72-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-74-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-75-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-80-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/3636-94-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3636-9-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-13-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-11-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-10-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-8-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-6-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/3636-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB