Analysis
-
max time kernel
8s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 03:53
General
-
Target
336ec1049ff1bae842f7120c211096b6352f29c26ff7e3c9667648667ae4310e_NeikiAnalytics.exe
-
Size
3.1MB
-
MD5
e1d9cf8f0681c095c206be771c74bbe0
-
SHA1
9f145b4cab5880bf7543781746edd1eeddfb7f2f
-
SHA256
336ec1049ff1bae842f7120c211096b6352f29c26ff7e3c9667648667ae4310e
-
SHA512
7d8b7aef957600139f92197c7698462abe1b5b38a89303f53e049dac23eb5087a4c4b5af0f60f94720ebb1213614bc2ab1aabe8cc07f91e669208c413e358a16
-
SSDEEP
98304:tqNY3aiqSfLWppP9qfXme/LbwMlmdxcs/0K3nd2k:tZamTWphmWezbwMYR/0ungk
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 26 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\336ec1049ff1bae842f7120c211096b6352f29c26ff7e3c9667648667ae4310e_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\336ec1049ff1bae842f7120c211096b6352f29c26ff7e3c9667648667ae4310e_NeikiAnalytics.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec /i vcredist.msi4⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 68C4DEE311557C04330228768F269B292⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Defense Evasion
Modify Registry
6Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXEFilesize
3.0MB
MD5f6f02acc9f12ed50752a46d6d604366c
SHA18977f1a83b431e00a7778c3d9ae12186c3195c86
SHA2569b8e03f752edffbb99ec66a296854eb0cdea242b3b0d2d1c4971519f065fde3b
SHA51275d097fd074a271fcdce955f3ed589a33e9f1dff2828a8bc593d40fb3e92b2992ae994f5b9d1985c97ac95b7dc5adb909ec80205349106f26bbd3995e6234be2
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cabFilesize
309KB
MD5aae3979b3284a81600ee6c53b9faceb1
SHA1f9fa42cd6f8f26f2214e992b16e1f844e1f10bca
SHA256b02b597c8f40c3e7eb8a0f341f1deb31ee067f05e0fe2c35f95fe0d048ea7cef
SHA51293314de2c5fc0130c4f82a18cf757c4c61c8001911a32cf693eb4a1241c241dee193124ad98896462be3dd545d3fe5ef2ac9c80effc619fede36202db9b5ceec
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msiFilesize
3.1MB
MD5b80bb6ed55d37e94eedb93ee12382fee
SHA190c020cde0026f62de72da9eca1a10ab6c915483
SHA2566d08b5552e5bf6985fb4deec83889c715007c9f16a25fc5389face4f15c675ab
SHA512d371b1ed142002c0343ffc25228d325f26bd113b277c63225d09bd014483103215f8c0a125d7f3b5025ae02b795addc670628422cda584ca4c5fb2cf3db36c62
-
C:\Windows\Installer\MSI9683.tmpFilesize
28KB
MD585221b3bcba8dbe4b4a46581aa49f760
SHA1746645c92594bfc739f77812d67cfd85f4b92474
SHA256f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
8.6MB
MD5f5119ae4966335dc75cffe65ba778638
SHA1254cd9c770cc4eb3a7a1598fa894928b086674b6
SHA2561c909d49bab6c6f2ff42127d027d5db074a943423583b4df211be0680ef53aab
SHA51222bd7b796c121880f998a7d3b9ebd9cabdc75df52ed3854fd56f2a0616b301353da2d97ab97a8b71a5b6f5c15cafa4f0cfe639b850276f298cc36586c33a4fc6
-
\??\Volume{8fc740eb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1015ccc4-9329-428c-acb6-6c6aa100ef96}_OnDiskSnapshotPropFilesize
6KB
MD526a52e4f22eb1bc7e8809cfc6bb469d1
SHA143cbad87900c8aa65a72a692c07c04e2953535b8
SHA256ba2286698c50edb93f9817ea03546e051dd783b87e2ae57a8e25da0bdd46749e
SHA512caf7b0945231465c2b0654a9e9692eb0878a8406024f69a1dee3d8001d55c600bfb57ee49bc8b537b763c6c917ba66be69aea0395e34e05f5f59505a7706ddd8
-
memory/1008-253-0x0000000000A80000-0x0000000000A82000-memory.dmpFilesize
8KB
-
memory/1008-72-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/1008-76-0x0000000000A80000-0x0000000000A82000-memory.dmpFilesize
8KB
-
memory/2808-69-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-79-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-3-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-7-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2808-6-0x0000000000B90000-0x0000000000B92000-memory.dmpFilesize
8KB
-
memory/2808-15-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-16-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-17-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-19-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-18-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-21-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-22-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-4-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-25-0x0000000001001000-0x0000000001002000-memory.dmpFilesize
4KB
-
memory/2808-9-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-66-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-68-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-0-0x0000000001000000-0x0000000001320000-memory.dmpFilesize
3.1MB
-
memory/2808-1-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-14-0x0000000000B90000-0x0000000000B92000-memory.dmpFilesize
8KB
-
memory/2808-8-0x0000000000B90000-0x0000000000B92000-memory.dmpFilesize
8KB
-
memory/2808-12-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-77-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-5-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-82-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-84-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-86-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-88-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-90-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-95-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-97-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-13-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-105-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-104-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-11-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-112-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-127-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-163-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-164-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-206-0x0000000000B90000-0x0000000000B92000-memory.dmpFilesize
8KB
-
memory/2808-10-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/2808-273-0x0000000001000000-0x0000000001320000-memory.dmpFilesize
3.1MB
-
memory/2808-274-0x0000000002730000-0x00000000037BE000-memory.dmpFilesize
16.6MB
-
memory/4868-219-0x0000000003450000-0x0000000003452000-memory.dmpFilesize
8KB
-
memory/4868-74-0x0000000003450000-0x0000000003452000-memory.dmpFilesize
8KB
-
memory/4868-75-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB