Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2024 23:59
Static task: static1
Behavioral task: behavioral1
Sample: 279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll
Resource: win7-20231129-en
General
- Target: 279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll
- Size: 120KB
- MD5: 3e30b633aafb7989860ed29c7acfc8d0
- SHA1: 9fa535db4aa870aa5c7052d3b1cb0e6846a67e55
- SHA256: 279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7
- SHA512: 1e766dac40b833934258f9f43b8c241d2688f8f23afbe9b156fc0117c7cd2b100b9b15fea07c1a5c0be4d7f79a6941c4668f085b8b2b67a22ec4dbc8fbc6dad0
- SSDEEP: 3072:rRxtcipG4DFjVu+uJNIys9FZBH8t9UKx5x:/trppjY+AN16XBHa9Ugx
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: f7607be.exe, f762359.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f762359.exe
UAC bypass
Processes: f7607be.exe, f762359.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f762359.exe
Windows security bypass
Processes: f7607be.exe, f762359.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f762359.exe
Executes dropped EXE (3 IoCs)
Processes: f7607be.exe, f760925.exe, f762359.exe
pid | process
1600 | f7607be.exe
2580 | f760925.exe
2992 | f762359.exe
Loads dropped DLL (6 IoCs)
Processes: rundll32.exe
pid | process | count
2176 | rundll32.exe | 6
UPX packed file (yara rule: upx)
Processes: f7607be.exe (PID 1600), f762359.exe (PID 2992)
resource | yara_rule
behavioral1/memory/1600-18-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-15-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-17-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-19-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-22-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-24-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-21-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-16-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-23-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-20-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-65-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-67-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-66-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-68-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-69-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-83-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-84-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-86-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-105-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-108-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-117-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/1600-153-0x00000000005E0000-0x000000000169A000-memory.dmp | upx
behavioral1/memory/2992-175-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
behavioral1/memory/2992-209-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
Windows security modification
Processes: f7607be.exe, f762359.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f762359.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f762359.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f762359.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7607be.exe
Checks whether UAC is enabled
Processes: f7607be.exe, f762359.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f762359.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: f7607be.exe, f762359.exe
description | ioc | process
File opened (read-only) | \??\G: | f7607be.exe
File opened (read-only) | \??\K: | f7607be.exe
File opened (read-only) | \??\G: | f762359.exe
File opened (read-only) | \??\H: | f7607be.exe
File opened (read-only) | \??\O: | f7607be.exe
File opened (read-only) | \??\Q: | f7607be.exe
File opened (read-only) | \??\M: | f7607be.exe
File opened (read-only) | \??\N: | f7607be.exe
File opened (read-only) | \??\J: | f7607be.exe
File opened (read-only) | \??\L: | f7607be.exe
File opened (read-only) | \??\P: | f7607be.exe
File opened (read-only) | \??\R: | f7607be.exe
File opened (read-only) | \??\E: | f762359.exe
File opened (read-only) | \??\E: | f7607be.exe
File opened (read-only) | \??\I: | f7607be.exe
Drops file in Windows directory (3 IoCs)
Processes: f7607be.exe, f762359.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | f7607be.exe
File created | C:\Windows\f7657f0 | f762359.exe
File created | C:\Windows\f7607fc | f7607be.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: f7607be.exe, f762359.exe
pid | process
1600 | f7607be.exe
1600 | f7607be.exe
2992 | f762359.exe
Suspicious use of AdjustPrivilegeToken (41 IoCs)
Processes: f7607be.exe, f762359.exe
description | pid | process | count
Token: SeDebugPrivilege | 1600 | f7607be.exe | 21
Token: SeDebugPrivilege | 2992 | f762359.exe | 20
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: rundll32.exe, rundll32.exe, f7607be.exe, f762359.exe
Rows are in report order; consecutive identical rows are collapsed into the count column.
description | pid | process | target process | count
PID 2360 wrote to memory of 2176 | 2360 | rundll32.exe | rundll32.exe | 7
PID 2176 wrote to memory of 1600 | 2176 | rundll32.exe | f7607be.exe | 4
PID 1600 wrote to memory of 1288 | 1600 | f7607be.exe | taskhost.exe | 1
PID 1600 wrote to memory of 1348 | 1600 | f7607be.exe | Dwm.exe | 1
PID 1600 wrote to memory of 1376 | 1600 | f7607be.exe | Explorer.EXE | 1
PID 1600 wrote to memory of 772 | 1600 | f7607be.exe | DllHost.exe | 1
PID 1600 wrote to memory of 2360 | 1600 | f7607be.exe | rundll32.exe | 1
PID 1600 wrote to memory of 2176 | 1600 | f7607be.exe | rundll32.exe | 2
PID 2176 wrote to memory of 2580 | 2176 | rundll32.exe | f760925.exe | 4
PID 2176 wrote to memory of 2992 | 2176 | rundll32.exe | f762359.exe | 4
PID 1600 wrote to memory of 1288 | 1600 | f7607be.exe | taskhost.exe | 1
PID 1600 wrote to memory of 1348 | 1600 | f7607be.exe | Dwm.exe | 1
PID 1600 wrote to memory of 1376 | 1600 | f7607be.exe | Explorer.EXE | 1
PID 1600 wrote to memory of 2580 | 1600 | f7607be.exe | f760925.exe | 2
PID 1600 wrote to memory of 2992 | 1600 | f7607be.exe | f762359.exe | 2
PID 2992 wrote to memory of 1288 | 2992 | f762359.exe | taskhost.exe | 1
PID 2992 wrote to memory of 1348 | 2992 | f762359.exe | Dwm.exe | 1
PID 2992 wrote to memory of 1376 | 2992 | f762359.exe | Explorer.EXE | 1
System policy modification (1 TTPs, 2 IoCs)
Processes: f7607be.exe, f762359.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7607be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f762359.exe
Processes
Tree depth is the level reported by the sandbox; child processes are indented under their parent.
- C:\Windows\system32\taskhost.exe (depth 1, PID 1288)
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (depth 1, PID 1348)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (depth 1, PID 1376)
  command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\rundll32.exe (depth 2, PID 2360)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 3, PID 2176)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll,#1
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f7607be.exe (depth 4, PID 1600)
      command line: C:\Users\Admin\AppData\Local\Temp\f7607be.exe
      signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f760925.exe (depth 4, PID 2580)
      command line: C:\Users\Admin\AppData\Local\Temp\f760925.exe
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f762359.exe (depth 4, PID 2992)
      command line: C:\Users\Admin\AppData\Local\Temp\f762359.exe
      signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe (depth 1, PID 772)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: a0209b3996b1de936f7fbcf123688cfe
  SHA1: aa738f201294a59a6e4414a97a4a8b736fae6dcd
  SHA256: dd5eb100417e9778bf0283476ddbf68cfd9033a2cf8bbd696d6151ce61f1b6ed
  SHA512: 7a4a1f51cc6a00789c8eab4af108371962710ce0897effb3b6d6ab0e62629ec101304561ae7e7fc70f59c8b157cfbabf65d202df52672757f4d55e572fee8756
- Filesize: 97KB
  MD5: 045d9561863736b5298f19e28cd596fd
  SHA1: 16ec39227db371ff5170b7b1e8ba3c9a829db030
  SHA256: 25bb7b93da7aa1271bef2d4a2867564946d91f4bf7aa50ae1f9a69759cceed71
  SHA512: 3fc17299e742271ad0beddcfbaf0474b4f301e47e8b62d0b0379aea361074a929c72473fbd58b52e8598a2e1f079a83844ad7fd21e59def69b6641f80bb52d07