Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
29-06-2024 22:00
General
-
Target
03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239_NeikiAnalytics.dll
-
Size
120KB
-
MD5
8869c3123e84d249b133e4f48727d380
-
SHA1
187294fc1a829cb46ab7d9858e3891c4873f682b
-
SHA256
03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239
-
SHA512
a30a753a23a942b51afa0c3a45cc3d89cffd9c13c4ff10606082456e8339f512e4aea9f326bb0d07b25d5c23740e2baa443a772e11f6b08485daa66cbe1f07d5
-
SSDEEP
3072:DmQimvGDY+yKY6aZ0KxZalyiHPHk6ix4GwGl3D:SYGs+dY6adalyivHvIZ3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760f0e.exeC:\Users\Admin\AppData\Local\Temp\f760f0e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761333.exeC:\Users\Admin\AppData\Local\Temp\f761333.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763784.exeC:\Users\Admin\AppData\Local\Temp\f763784.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5a238a1e05664bdf22d93d581154141b5
SHA14495626030a5e811a1394a421f360588ddde9fad
SHA256fdcb92a41f90943f0ca6210063039bd164ad31f4be956113bfd0f3e8b089e3c7
SHA512f3c494160f727897dc02906b73f2d05bc8154f53cb3fd9ab3ac335edae40ad32d99ca4cce5cbc207e171d813b4c2e24191b594141a753600978508e4f871cd45
-
\Users\Admin\AppData\Local\Temp\f760f0e.exeFilesize
97KB
MD513d743fff676e5875cbb8fd864f13b2a
SHA1eda3d652b12d08a94e71c3544db7f4bdf893dee0
SHA25660b28b95453c976b7c8321d90c300757d6268355e4a1dc17d2800e84c7f24085
SHA5125fafd089f368d31e96489b8380c93af4c31afbbec6c6990dad543b6b7f8996985ea2043af2989c1f61d07792856de1e879ce33bb66d32f36a488329f00833c80
-
memory/1236-29-0x0000000000410000-0x0000000000412000-memory.dmpFilesize
8KB
-
memory/1936-91-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/1936-190-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1936-189-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/1936-152-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/1936-94-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/1936-77-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1936-92-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2712-93-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2712-87-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2712-86-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2712-135-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2712-58-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2812-22-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-21-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-47-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/2812-45-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2812-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2812-17-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-131-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-130-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2812-16-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-103-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-59-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-60-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-61-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-62-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-63-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-102-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-100-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-19-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-78-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-48-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/2812-15-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-20-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-18-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-14-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-23-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-95-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-96-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2812-98-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/3052-73-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/3052-76-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/3052-55-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/3052-57-0x0000000000250000-0x0000000000262000-memory.dmpFilesize
72KB
-
memory/3052-36-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/3052-37-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/3052-8-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3052-9-0x0000000000130000-0x0000000000142000-memory.dmpFilesize
72KB
-
memory/3052-10-0x0000000000130000-0x0000000000142000-memory.dmpFilesize
72KB
-
memory/3052-39-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB