Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-06-2024 15:02
General
-
Target
b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee_NeikiAnalytics.dll
-
Size
120KB
-
MD5
959f6e3872de1c2c46cb5ab255d9e230
-
SHA1
281ddb475e97ecc9b6ea55130f598ada6861a50c
-
SHA256
b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee
-
SHA512
6856d6d867a1f35ae8c48835d220d9228ff26607e32666f8d03507ce4aebdb6003d54aa10629b41fabf5d5786b66b3b20d42d921f544f322a5839680252f11ac
-
SSDEEP
3072:xobMMkfLUJeCuP1bh4OAbkFd2+FO85lKpwvxbQqUiz:mIpfLBbhHAb8Z7aCvZ1Ui
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b064e4d47eaf54123cedd70576c480f26e50676552d611f381184f87d31ac3ee_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761b7c.exeC:\Users\Admin\AppData\Local\Temp\f761b7c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f761f15.exeC:\Users\Admin\AppData\Local\Temp\f761f15.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f7636c9.exeC:\Users\Admin\AppData\Local\Temp\f7636c9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD56fc07cde3f6ea2140353988fe38a7c58
SHA1e39a77904c0c480a0ce6869bf4fd3ebfd2bf5a17
SHA25687c141f1bb4349edb729eb7ae863d5a65111ec108b239d186a5e2f1df7303229
SHA51247e30301af63a54d426700811ccb9ed00e20bdd4f9efa8a8c0a0760579808799106bc6be477c11f79235acc490b7b2ec5af95b4fe7b7f1264c0cb0aa863aea4f
-
Filesize
97KB
MD5193e053a835a698d78894dc256459b59
SHA133cfff226050220b3fdaee30a4e7ef0cfeae4d38
SHA2565ac9110bce19897027dc3c8a2bd17de961ebc5b4668bd86b5ccdb253deeb6b50
SHA512b934dac8a366b7868101ef9416f9a75f89da7e7c06f73069f15369d1b060b0c7148e345710827556e6bd629ff66ee60e29acf3b01117fb16cbe2b20a7e4ca6f7
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB