Analysis
- max time kernel: 121s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2024 23:03

Static task: static1
Behavioral task: behavioral1
- Sample: 1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll
- Resource: win7-20240611-en
General
- Target: 1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll
- Size: 120KB
- MD5: 05ab5b3fd4333b13941ee07d68c580e0
- SHA1: f9cbdd44eb5c76b72af55e02692b2bc0fd6c4427
- SHA256: 1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f
- SHA512: 5201acb57387422a3a92c82be227a2dde1519d07f31061814e8a423072d52e4c11d917c5c97f4044b067e7d5bfeaaee58e8cc7d04c27a2fce281e4abce768f6e
- SSDEEP: 1536:8KhHwlmKQCG86mMcDmr+OULW6Dmau6aZJn1Ge4vRbb1U22wW3BpCFL0S7:kfJDmrWJ7u6aXn1ivRbb+qFQS7
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: f767c70.exe, f7697dc.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f767c70.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f767c70.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f767c70.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f7697dc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f7697dc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f7697dc.exe)
UAC bypass
Processes: f767c70.exe, f7697dc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f767c70.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7697dc.exe)
Windows security bypass
Processes: f767c70.exe, f7697dc.exe
- f767c70.exe: Set value (int) to "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ for UpdatesDisableNotify, UacDisableNotify, AntiVirusOverride, AntiVirusDisableNotify, FirewallDisableNotify, FirewallOverride
- f7697dc.exe: Set value (int) to "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ for AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, UacDisableNotify, FirewallDisableNotify, UpdatesDisableNotify
Executes dropped EXE 3 IoCs
Processes: f767c70.exe, f768160.exe, f7697dc.exe
- PID 3068 f767c70.exe
- PID 2400 f768160.exe
- PID 1848 f7697dc.exe
Loads dropped DLL 6 IoCs
Processes: rundll32.exe
- PID 2336 rundll32.exe (6 entries)
Memory dumps matching yara rule upx
- behavioral1/memory/3068-*-0x0000000000560000-0x000000000161A000-memory.dmp (dumps 15 to 24, 63 to 67, 84 to 86, 88 and 153): upx
- behavioral1/memory/1848-*-0x0000000000920000-0x00000000019DA000-memory.dmp (dumps 164 and 206): upx
Windows security modification
Processes: f7697dc.exe, f767c70.exe
- f767c70.exe: Set value (int) to "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ for FirewallOverride, FirewallDisableNotify, UpdatesDisableNotify, UacDisableNotify, AntiVirusOverride, AntiVirusDisableNotify
- f7697dc.exe: Set value (int) to "1" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ for FirewallDisableNotify, UacDisableNotify, AntiVirusOverride, UpdatesDisableNotify, AntiVirusDisableNotify, FirewallOverride
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f767c70.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f7697dc.exe)
Checks whether UAC is enabled
Processes: f767c70.exe, f7697dc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f767c70.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7697dc.exe)
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: f767c70.exe, f7697dc.exe
- f767c70.exe: File opened (read-only) \??\H:, \??\I:, \??\M:, \??\O:, \??\E:, \??\Q:, \??\G:, \??\L:, \??\J:, \??\K:, \??\N:, \??\P:
- f7697dc.exe: File opened (read-only) \??\E:
Drops file in Windows directory 3 IoCs
Processes: f767c70.exe, f7697dc.exe
- File created C:\Windows\f767d0c (f767c70.exe)
- File opened for modification C:\Windows\SYSTEM.INI (f767c70.exe)
- File created C:\Windows\f76d143 (f7697dc.exe)
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: f767c70.exe, f7697dc.exe
- PID 3068 f767c70.exe (2 entries)
- PID 1848 f7697dc.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes: f767c70.exe, f7697dc.exe
- Token: SeDebugPrivilege, PID 3068 f767c70.exe (repeated)
- Token: SeDebugPrivilege, PID 1848 f7697dc.exe (repeated)
Suspicious use of WriteProcessMemory 36 IoCs
Processes: rundll32.exe, rundll32.exe, f767c70.exe, f7697dc.exe
- PID 3020 rundll32.exe wrote to memory of PID 2336 rundll32.exe (7 entries)
- PID 2336 rundll32.exe wrote to memory of PID 3068 f767c70.exe (4 entries)
- PID 3068 f767c70.exe wrote to memory of PID 1188 taskhost.exe
- PID 3068 f767c70.exe wrote to memory of PID 1276 Dwm.exe
- PID 3068 f767c70.exe wrote to memory of PID 1336 Explorer.EXE
- PID 3068 f767c70.exe wrote to memory of PID 1872 DllHost.exe
- PID 3068 f767c70.exe wrote to memory of PID 3020 rundll32.exe
- PID 3068 f767c70.exe wrote to memory of PID 2336 rundll32.exe (2 entries)
- PID 2336 rundll32.exe wrote to memory of PID 2400 f768160.exe (4 entries)
- PID 2336 rundll32.exe wrote to memory of PID 1848 f7697dc.exe (4 entries)
- PID 3068 f767c70.exe wrote to memory of PID 1188 taskhost.exe
- PID 3068 f767c70.exe wrote to memory of PID 1276 Dwm.exe
- PID 3068 f767c70.exe wrote to memory of PID 1336 Explorer.EXE
- PID 3068 f767c70.exe wrote to memory of PID 2400 f768160.exe (2 entries)
- PID 3068 f767c70.exe wrote to memory of PID 1848 f7697dc.exe (2 entries)
- PID 1848 f7697dc.exe wrote to memory of PID 1188 taskhost.exe
- PID 1848 f7697dc.exe wrote to memory of PID 1276 Dwm.exe
- PID 1848 f7697dc.exe wrote to memory of PID 1336 Explorer.EXE
System policy modification 1 TTPs 2 IoCs
Processes: f767c70.exe, f7697dc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f767c70.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7697dc.exe)
Processes (indentation follows the report's tree depth)
- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1188
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID 1276
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 1336
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll,#1), PID 3020
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll,#1), PID 2336
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f767c70.exe (C:\Users\Admin\AppData\Local\Temp\f767c70.exe), PID 3068
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f768160.exe (C:\Users\Admin\AppData\Local\Temp\f768160.exe), PID 2400
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f7697dc.exe (C:\Users\Admin\AppData\Local\Temp\f7697dc.exe), PID 1848
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 1872
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Dropped file 1
  - Filesize: 256B
  - MD5: 6009ac3081021da2d9ba473519400af2
  - SHA1: d4717a1dc95c707c382ae70cf16cf4b4ebcaefdf
  - SHA256: 396686e3cc1724ab037e4c6fb4ce53a92314ec7b81324665fba4a2eb716b72d1
  - SHA512: 6657b1d0899debe3c06ddea37e24c4acc4ed7ff8b0211ea93351a5e29490f9b11ee2f4d9279e829f7174084dd6a27d1473196f15253fa987f9c4110e5cba2774
- Dropped file 2
  - Filesize: 97KB
  - MD5: b885ad04108c446862172083d185de65
  - SHA1: 220281a524e0eb35af9ac178b9bd9b8e4c7e4dac
  - SHA256: a4722b00a7b21fe0ce6c93f597d05afec371cba345774c2c68ca66a106ec0956
  - SHA512: b4a1266e1a6945fd143ded6845cea9983de9e251b45b1e4cbe69a7dcb9a884d089ef42d248616692d74bbac67d5538b31597ac8c931421375adb9c8b07403db5