Analysis
-
max time kernel
117s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
29-06-2024 23:24
General
-
Target
0caa5b9c9430e8696ae7b643ac0e88632ea339d90020ec485c69032f0dd40e17_NeikiAnalytics.dll
-
Size
120KB
-
MD5
7ab39f0c4fafd69063933a71631ee7b0
-
SHA1
66ec13af73bf31dbb13652112a228ef4490bfb02
-
SHA256
0caa5b9c9430e8696ae7b643ac0e88632ea339d90020ec485c69032f0dd40e17
-
SHA512
b197da767ab80f0b46ce5b2095ad972433a82fe45537e8ab1c842dd5a947e2c20c318c04f5b2213f9410853894880f7786ce7f714806466c52149f5e5d4c343e
-
SSDEEP
3072:mDWepspMFJVFUTDOa0bsNFyKCPZXwoiE:wspMWDO9b6kwoi
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0caa5b9c9430e8696ae7b643ac0e88632ea339d90020ec485c69032f0dd40e17_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0caa5b9c9430e8696ae7b643ac0e88632ea339d90020ec485c69032f0dd40e17_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f766b8f.exeC:\Users\Admin\AppData\Local\Temp\f766b8f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f766f18.exeC:\Users\Admin\AppData\Local\Temp\f766f18.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7682a7.exeC:\Users\Admin\AppData\Local\Temp\f7682a7.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5fd3f0eb1eb08e417a75ef0b62e718e41
SHA1a9a321cb1eea73b7dc2ac217febb987aceb1689e
SHA256a5050f4021ae6118a916adec2e0af048f69d841b951818fa2814c78711e28600
SHA5124c660ceb63a499d27dd0180be0513fb343330467f8c2925a09b13dd2e18c804aebbe46336737e1a493ede756d089b4af6b87c0edced1d3d86274c6d648aca346
-
\Users\Admin\AppData\Local\Temp\f766b8f.exeFilesize
97KB
MD5f7475bb3248cccbf83f2798850c4ec74
SHA18492237f2e165e3f9376228a0f51e377e9a41937
SHA2560cfb56aaefd721b772d6fc60b15c8bf4b557261d715bc0df34f9806b0327ea16
SHA512b024a03c7ab27dabae991cad0f7db2004c609500a3f1c714064416b9c95730002c48b6256c0bb05c0127918c6e8e078a8c17f3a2ad3985313d5c565f334d7946
-
memory/1208-27-0x0000000001CC0000-0x0000000001CC2000-memory.dmpFilesize
8KB
-
memory/1900-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1900-74-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/1900-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1900-53-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/1900-35-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/1900-56-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/1900-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1900-34-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/1900-55-0x0000000000410000-0x0000000000422000-memory.dmpFilesize
72KB
-
memory/1900-44-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/1912-175-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1912-104-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1912-100-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/1912-77-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1912-101-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2604-171-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2604-102-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2604-94-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2604-93-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2604-58-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2604-164-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/2604-170-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/2940-14-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-60-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-61-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-62-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-63-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-59-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-19-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-66-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-78-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-79-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-81-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-82-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-21-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-20-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-17-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-18-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-54-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/2940-13-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-103-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-145-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-15-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-45-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2940-43-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/2940-16-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2940-11-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB