Overview

overview

10

Static

static

3

a607e58ba0...cs.exe

windows7-x64

10

a607e58ba0...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

  • Size

    1.1MB

  • MD5

    1c9f8c3a353b61e83862098b10de2c40

  • SHA1

    2c9dd88638e7bd8bf32714db20d4e5df1b7ca587

  • SHA256

    a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133

  • SHA512

    45692ef1749c18e4be4548e999e89549223c7108e92266d5d8762050c22d056f03a3c1cb48657a9584c05a3734f60bbaba31da33cd763aa9567caf86aa206b4b

  • SSDEEP

    24576:vTllSppqUBMdn+Z7IDJzcUNE6HmtJJGsXC+mFKfawb+Mdl:qEUBMdqGcUNEi+JJG0lag++

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
            "C:\Users\Admin\AppData\Local\Temp\a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2112
            • C:\Windows\SysWOW64\explorer.exe
              explorer C:\Users\Admin\AppData\Local\Temp\
              3⤵
                PID:3064
              • C:\Windows\SysWOW64\1110cc\W43152D.EXE
                C:\Windows\system32\\1110cc\W43152D.EXE
                3⤵
                • Drops startup file
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2380
                • C:\Windows\SysWOW64\1110cc\NT-613AE11E.EXE
                  C:\Windows\SysWOW64\1110cc\NT-613AE11E.EXE 4|-|SOFTWARE\Microsoft\Windows\CurrentVersion\Run\167A83|-|C:\Windows\SysWOW64\1110cc\W43152D.EXE|-|0
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Suspicious use of SetWindowsHookEx
                  PID:2500
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:344
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              PID:2680

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Privilege Escalation

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Modify Registry

            7
            T1112

            Impair Defenses

            4
            T1562

            Disable or Modify Tools

            3
            T1562.001

            Disable or Modify System Firewall

            1
            T1562.004

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Credential Access

            Discovery

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\1110cc\HtmlView.fne
              Filesize

              212KB

              MD5

              4c9e8f81bf741a61915d0d4fc49d595e

              SHA1

              d033008b3a0e5d3fc8876e0423ee5509ecb3897c

              SHA256

              951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129

              SHA512

              cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7

              Download Submit
            • \Users\Admin\AppData\Local\Temp\E_N4\dp1.fne
              Filesize

              124KB

              MD5

              6cd56de35626fc03a82f0ff7a0384e23

              SHA1

              102b631e34a7e99eb3bd4ef6925c9fab07426e27

              SHA256

              d1ed7436c47976f901211f6fa8609c78afc8da4f61a6a5f18b3a5a70acb230b8

              SHA512

              15cbf414f1dde704a46f8c81f2ff21247bb86329bfd5169c30f77e424c40caf1223e75548792448fabdb98bb145db331403c37bf972848bcbb19866c8ca5294f

              Download Submit
            • \Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
              Filesize

              1.1MB

              MD5

              96e899679a46227f904f680c6da36011

              SHA1

              979350dd4b740e02ed5b893d4226ff73403068dd

              SHA256

              1a76228343db9e3fa5185f3a4650d229f7af9e9fbf4966e864aed67aac96bca5

              SHA512

              667e4c999d5606f5c9c151f0672b1a08269b70cb43ad80bd72cb4bd467e9d0124cdd1742fd2333da7eefa7e8223bb8427143cf75f911450fc9728fabb5cddb43

              Download Submit
            • \Windows\SysWOW64\1110cc\W43152D.EXE
              Filesize

              47KB

              MD5

              97e6663edce7d31170933924d58129bf

              SHA1

              cbd17532c7db5abd27ec966032d87a6593fac378

              SHA256

              48ecf74ffa658c5adc6f29104596bcf23b1cde2b801de41f8aada08227fc0d82

              SHA512

              c91cd62421d0c9369dec3701d7669199924783c1b58b75672ba202f6455246a8d11fc4e8b6f2e15c21b50833cfa0b408013d005566cb2b9a755e20aa6a580782

              Download Submit
            • \Windows\SysWOW64\1110cc\eAPI.fne
              Filesize

              328KB

              MD5

              7bcb58659e959d65514c45cd01bfc8e4

              SHA1

              c2f41529a536c746ac0cf92c026dea65798f3ee7

              SHA256

              f37248aa68d84818fba2b1ea160d7eec4d3f426eeca4d215c8db8d8389d18388

              SHA512

              0b33bbcb059de95e74e9e115fb09ca73846720041113c9cab10e5dec40024136241d66a92181527e36db714c4c96ee532b7df00ae2c10798d8bea947f6762217

              Download Submit
            • memory/1116-21-0x0000000000190000-0x0000000000192000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2112-15-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-6-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-17-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-16-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-18-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-11-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-0-0x0000000000400000-0x000000000047B000-memory.dmp
              Filesize

              492KB

              Download
            • memory/2112-56-0x0000000004EC0000-0x0000000004EE1000-memory.dmp
              Filesize

              132KB

              Download
            • memory/2112-44-0x0000000002F20000-0x0000000002F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2112-45-0x0000000002F20000-0x0000000002F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2112-33-0x0000000002F30000-0x0000000002F31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2112-31-0x0000000002F30000-0x0000000002F31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2112-30-0x0000000002F20000-0x0000000002F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2112-19-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-68-0x0000000003130000-0x000000000313F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2112-14-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-13-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-69-0x0000000003130000-0x000000000313F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2112-9-0x0000000010000000-0x000000001011D000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/2112-109-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-110-0x0000000010000000-0x000000001011D000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/2112-12-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-108-0x0000000000400000-0x000000000047B000-memory.dmp
              Filesize

              492KB

              Download
            • memory/2112-89-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2112-88-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
              Filesize

              16.7MB

              Download
            • memory/2380-130-0x0000000001DB0000-0x0000000001DBC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/2380-75-0x00000000001B0000-0x00000000001E8000-memory.dmp
              Filesize

              224KB

              Download
            • memory/2380-87-0x0000000001CB0000-0x0000000001CD1000-memory.dmp
              Filesize

              132KB

              Download
            • memory/2380-83-0x0000000000480000-0x00000000004E1000-memory.dmp
              Filesize

              388KB

              Download
            • memory/2380-131-0x0000000001DB0000-0x0000000001DBF000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2380-70-0x0000000000400000-0x000000000040F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2380-73-0x0000000010000000-0x000000001011D000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/2380-132-0x0000000001DB0000-0x0000000001DBF000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2380-92-0x0000000001CF0000-0x0000000001CFC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/2500-137-0x0000000000400000-0x000000000040F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2500-136-0x0000000010000000-0x000000001011D000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/2500-134-0x0000000000220000-0x0000000000258000-memory.dmp
              Filesize

              224KB

              Download
            • memory/2500-138-0x0000000010000000-0x000000001011D000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/2680-81-0x0000000003900000-0x0000000003910000-memory.dmp
              Filesize

              64KB

              Download
            • memory/3064-78-0x0000000000020000-0x0000000000022000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3064-39-0x0000000000030000-0x0000000000031000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3064-47-0x0000000000020000-0x0000000000022000-memory.dmp
              Filesize

              8KB

              Download