Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
29-06-2024 10:08
General
-
Target
9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll
-
Size
120KB
-
MD5
f7034aba512b664377a6ca35e0fd8570
-
SHA1
daf966ae376e9ed81752a153c6632f77385787ad
-
SHA256
9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5
-
SHA512
6adbd5e8d5c54125c31f7b33465cdaf52a236dc39ba7e927e911ab7105cd7c1757285d24a2aa642a5c01995d05f98c422715376088b2a7d94ca293f3f43a8f3d
-
SSDEEP
3072:mBCP/9/mpCwXg8Uxumn9QcfGXtQoFzNelJ8xHW:Qi/ZmBNfmySgNelJM
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760d69.exeC:\Users\Admin\AppData\Local\Temp\f760d69.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f760f2d.exeC:\Users\Admin\AppData\Local\Temp\f760f2d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7628f4.exeC:\Users\Admin\AppData\Local\Temp\f7628f4.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d88190b7bc08def9ef27d78b5879cdb5
SHA143cc217ef2e5b6777319dbc9830c4b3b62c18a03
SHA256e12c71bc3b4f41fae355d87f0da8e52ebcc6433da01398cb5d9401adc7eb7bab
SHA512ec1c85e03d9cb68ad26fb10df638e9239bb5e6adb8217bad74e8cec21462aade7902ccbf0c49b4706511ef25f4de2064709475841b50798533c1094ab6eb6e16
-
\Users\Admin\AppData\Local\Temp\f760d69.exeFilesize
97KB
MD5259decd41726009f38c40ab06e588f88
SHA11df5aac5cb896807993d214dfcc61446ba03e33e
SHA2568a5574393224648cb825d54f69c4352d49d441f4695b58c5b1498f35585430bd
SHA512e298a689443ed4e9b97848e43186cd682899696d06c8b5558867797cf86a7dc44e1c21f72300b68ad5c6900dfe3a6e7bbf539721ef9bbe74dc2551213d4fffba
-
memory/1252-29-0x0000000001F10000-0x0000000001F12000-memory.dmpFilesize
8KB
-
memory/2192-50-0x0000000000300000-0x0000000000302000-memory.dmpFilesize
8KB
-
memory/2192-14-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-45-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/2192-20-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-104-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-16-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-21-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-18-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-22-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-108-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-23-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-86-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-107-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-67-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-19-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2192-47-0x0000000000300000-0x0000000000302000-memory.dmpFilesize
8KB
-
memory/2192-149-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2192-17-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-15-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-84-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-82-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-150-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-68-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-61-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-62-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-63-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-64-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2192-65-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/2352-59-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2352-44-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2352-58-0x0000000000280000-0x0000000000292000-memory.dmpFilesize
72KB
-
memory/2352-8-0x0000000000210000-0x0000000000222000-memory.dmpFilesize
72KB
-
memory/2352-56-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2352-36-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2352-9-0x0000000000210000-0x0000000000222000-memory.dmpFilesize
72KB
-
memory/2352-7-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2352-35-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2352-51-0x0000000000280000-0x0000000000292000-memory.dmpFilesize
72KB
-
memory/2484-94-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2484-102-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2484-93-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2484-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2484-162-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2484-178-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2484-179-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2684-103-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2684-100-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2684-101-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2684-80-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2684-183-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB