Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
19-06-2024 06:03
General
-
Target
9660d8bc70a39a8263485abfab420350_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
9660d8bc70a39a8263485abfab420350
-
SHA1
90d3a7ebef9645611c8d415e4ab99d7bd564e45b
-
SHA256
e2eaac4381353a11e866a104da19cf988a64d2d3c0e1bac998c68acc39612998
-
SHA512
f1f1e869564a45787ba5c5641d0dd5e25214375b3a622a6dd62be503a915b68c8c3ea444118cb9e7d42eb0cd35e90743273e4f4ef4796cfccb06005087a7ca84
-
SSDEEP
12288:UEMa8hlFY/zcK41sWytpmRYTklM/vbpqwVeEIwIm6iLQW+TLz:UEf8hlF0zcd2tpMM1qyefnmwW+D
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
UPX packed file 41 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\9660d8bc70a39a8263485abfab420350_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9660d8bc70a39a8263485abfab420350_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1516 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Adobe\ARM\ArmReport.iniFilesize
634B
MD54600ea83e72c40d5b6d25248895c4d66
SHA1666d119fa0398adce7093f434fc15437ca6913c5
SHA2564f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae
SHA51208c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9
-
C:\ProgramData\Adobe\ARM\ArmReport.iniFilesize
746B
MD55757246b0746f04f7c6c7685c433d80f
SHA1910a75876285c35fe0fa03c11f36257aeba8a2b3
SHA256d33f7174ff6e717d72bfb38cf92e25135823d3d02273bf3f575f95d2afdc12dc
SHA5128f2f3642154d4f016f7679567cc5879e8d4a794a07b62b9663905406a77aebb111b04032353588719a631d9e5223acf543499ef7f7b36e0e15ec966c638219f4
-
C:\Users\Admin\AppData\Local\Temp\ArmUI.iniFilesize
251KB
MD5877c3e51957ef4f666d1d0e48d3e5427
SHA1050ed353f1deb41bca4a4b0937c0f0a32cbfcc9d
SHA2563c0c26c4f5738959ee1bb4bb75098d3515dbc8b7a06ea3d361acbcea3502b371
SHA512e8286dad87ac30d413662344c23b3d833556572974aefa5b15305ea7d76c8c437c40d7a7f985deebd9b76f3a86ca42298b6e45ee2d6f7b8bcf35e2ae4f3583b7
-
C:\Users\Admin\AppData\Local\Temp\TmpB38C.tmpFilesize
3KB
MD5bbb796dd2b53f7fb7ce855bb39535e2f
SHA1dfb022a179775c82893fe8c4f59df8f6d19bd2fd
SHA256ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b
SHA5120d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b
-
C:\Users\Admin\AppData\Local\Temp\TmpCA52.tmpFilesize
3KB
MD5ec946860cff4f4a6d325a8de7d6254d2
SHA17c909f646d9b2d23c58f73ec2bb603cd59dc11fd
SHA25619fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe
SHA51238a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e
-
C:\Users\Admin\AppData\Local\Temp\TmpCA91.tmpFilesize
3KB
MD5fc2430057cb1be74c788f10c2d4540c8
SHA1cab67ee8d5191fbf9f25545825e06c1a822af2f2
SHA256dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398
SHA5124e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee
-
C:\Users\Admin\AppData\Local\Temp\TmpD11A.tmpFilesize
3KB
MD5a58599260c64cb41ed7d156db8ac13ef
SHA1fb9396eb1270e9331456a646ebf1419fc283dc06
SHA256aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2
SHA5126970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71
-
C:\jxeyc.exeFilesize
97KB
MD5b47d54820a5d13cc569d97481d7e0ec7
SHA1f1139510fcf7ff04ab9879479d0678f6da23121e
SHA2568d31a85676cd2249f6c29d44a705f8e8905e0ca9d1cfde66eb4a737a23049eed
SHA512623f01f9ea62492f32b35b1c94f3379cab0ee8d87e372a6094c219e2802092d699b7fd5d8b5dca92b6b74c53aa5237987ad97d4462aeca41739f66368e19371f
-
memory/1652-116-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-123-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-7-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-8-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-103-0x00000000047A0000-0x00000000047A1000-memory.dmpFilesize
4KB
-
memory/1652-104-0x0000000004650000-0x0000000004652000-memory.dmpFilesize
8KB
-
memory/1652-102-0x0000000004650000-0x0000000004652000-memory.dmpFilesize
8KB
-
memory/1652-10-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-6-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-9-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-12-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-106-0x0000000004650000-0x0000000004652000-memory.dmpFilesize
8KB
-
memory/1652-107-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-105-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-108-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-109-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-110-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-112-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-113-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-114-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-3-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-119-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-121-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-5-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-129-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-134-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-135-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-138-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-140-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-142-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-141-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-143-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-147-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-146-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-148-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-149-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-151-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-155-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-157-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-4-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-1-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-0-0x0000000000400000-0x0000000000530000-memory.dmpFilesize
1.2MB
-
memory/1652-158-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-159-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-168-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB
-
memory/1652-352-0x0000000004650000-0x0000000004652000-memory.dmpFilesize
8KB
-
memory/1652-364-0x0000000000400000-0x0000000000530000-memory.dmpFilesize
1.2MB
-
memory/1652-365-0x0000000002420000-0x00000000034DA000-memory.dmpFilesize
16.7MB