Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
29-06-2024 14:01
General
-
Target
ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
179d5d4f5affdefb5ffad8382fa8b290
-
SHA1
4bd5d3fd78484c4da56b65361bbd62434d301787
-
SHA256
ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0
-
SHA512
54db8879128f6785ce1d0a0e44b6bd04dc2d3210eed44e7468f5a9a6e77768ef8fde19403142dc5d4867c00b2367b339834887473bcaa071eca05749594f62ad
-
SSDEEP
1536:alDY15pYhNgS+iVZi3ntSxHfauJNKytvzcVIzjkj0THEFqMprvTn2:X5yhNgS+iV2MxHfauTTvzcuzQwkbDb
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7605ea.exeC:\Users\Admin\AppData\Local\Temp\f7605ea.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f760770.exeC:\Users\Admin\AppData\Local\Temp\f760770.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762175.exeC:\Users\Admin\AppData\Local\Temp\f762175.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD55b099e8522c5dc2460f9d8b5fa29d90e
SHA1e948efa553bc2d5c10b0ed9df6a383796fccd619
SHA25667ec724ad8fac0d5d3c5f4a7e2bced08269acd524f7bb27c5983d5100dcef9a7
SHA5124513e4080525dae240ebafe3709152dfc23b1f73ec06a290fc51796f3b2e51025dd2b8ec037f21621c6a888978227feb1c96aac00b6f767fe022eee26723110e
-
\Users\Admin\AppData\Local\Temp\f7605ea.exeFilesize
97KB
MD5ba74bb0a05086497e54ebe9cd11ceab7
SHA1279cdbd430df62cd1935a8a570e3f4cf3247ac72
SHA256b9bdee6845d729f002727a6fdd432284a6fc48ceb8dda87fa02f36aff3f67c62
SHA512f028f798f39d9afed231635eedf52f94fde0ab57435fa4679b32d5012521f5ce2cf780dc9ad80e8cc82795e551177dc52137f5f9fcc16746deed9a8f97ae6b93
-
memory/1100-28-0x00000000002E0000-0x00000000002E2000-memory.dmpFilesize
8KB
-
memory/1792-185-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1792-103-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/1792-106-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1792-104-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1792-84-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2176-38-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2176-61-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2176-9-0x0000000000170000-0x0000000000182000-memory.dmpFilesize
72KB
-
memory/2176-48-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2176-79-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2176-39-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2176-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2176-83-0x0000000000170000-0x0000000000172000-memory.dmpFilesize
8KB
-
memory/2176-59-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2176-60-0x0000000000330000-0x0000000000342000-memory.dmpFilesize
72KB
-
memory/2392-68-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-86-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-21-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2392-14-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-54-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/2392-16-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-64-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-65-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-66-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-67-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-49-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/2392-70-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-71-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-18-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-15-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-19-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-22-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-88-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-89-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-17-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-155-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2392-13-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-107-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-20-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-51-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/2392-156-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2392-121-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/2704-97-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2704-98-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2704-105-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2704-168-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2704-181-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2704-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB