Analysis
-
max time kernel
15s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 02:07
General
-
Target
2d91c1bba7ac6b651abb7fbad24aa41175d541480a0efb75a2937b0845bd629f_NeikiAnalytics.exe
-
Size
208KB
-
MD5
4f34a63929f5227597ed803621ca2fb0
-
SHA1
67d7a1b72be2698d506625384a3a73c668f97ab1
-
SHA256
2d91c1bba7ac6b651abb7fbad24aa41175d541480a0efb75a2937b0845bd629f
-
SHA512
b4438b7b877ab00f3c0b126d0a950b5b8d945a9c980a103790fd775128cedef0e916dd15ebf4ddc8e8ec0a17abbc5ef83e460bbc3102ac3ff4917cae40f596a0
-
SSDEEP
3072:vwKA7xsI+OmwClcHKj4ap+r3TBcI1AKIp3wWSochZBmGz3nNbhuwTJ6:IKxI+OmwwVkDTBcypImdhZB5ZMwI
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 7 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2d91c1bba7ac6b651abb7fbad24aa41175d541480a0efb75a2937b0845bd629f_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2d91c1bba7ac6b651abb7fbad24aa41175d541480a0efb75a2937b0845bd629f_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\anem.pifFilesize
127KB
MD50266f7f0c7d9e9e030e7b7ea40ac02c9
SHA121e6bee960eb844fb1d9cbeefbadb71a780aeda3
SHA2566a667597a5f7b5c12fba7f4f0536ad2904ba0b53c0d6a095e64e7fa67769bc45
SHA51221b2990ba3674a19a4a2954f6e7cf08c36dff4662b3810fac61a5ea1de276fc511587ff420a1c2e994c6420206351c9ed3b2c2c7adc31786cd1314e79c76dcbd
-
memory/1260-0-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/1260-4-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/1260-8-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-5-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-13-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-15-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-14-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-20-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/1260-19-0x0000000004800000-0x0000000004802000-memory.dmpFilesize
8KB
-
memory/1260-16-0x0000000004800000-0x0000000004802000-memory.dmpFilesize
8KB
-
memory/1260-11-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-6-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-18-0x0000000004800000-0x0000000004802000-memory.dmpFilesize
8KB
-
memory/1260-12-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-23-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/1260-24-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/1260-10-0x0000000077BF3000-0x0000000077BF4000-memory.dmpFilesize
4KB
-
memory/1260-9-0x0000000077BF2000-0x0000000077BF3000-memory.dmpFilesize
4KB
-
memory/1260-3-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-7-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/1260-25-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-26-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-27-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-28-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-29-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-32-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-33-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-34-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-35-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-36-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-38-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-40-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-43-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-45-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-47-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-49-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-51-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-53-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-67-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-69-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-71-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-73-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-74-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-75-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-77-0x0000000004800000-0x0000000004802000-memory.dmpFilesize
8KB
-
memory/1260-78-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-80-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-82-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB
-
memory/1260-84-0x0000000002A70000-0x0000000003AFE000-memory.dmpFilesize
16.6MB