Analysis
max time kernel: 45s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 18:48
Static task: static1
Behavioral task: behavioral1
Sample: a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149_NeikiAnalytics.dll
Resource: win7-20240611-en
General
Target: a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149_NeikiAnalytics.dll
Size: 120KB
MD5: c18c7c8557208c8732ab57635850b240
SHA1: e85b7120efcb4d3a3b5fb2bee6d5050ed4eaad89
SHA256: a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149
SHA512: a896b703a6492da5423b085063b5c0ecc8cdff282b7081e96e351e1ace0c2aaf765372fe3191d8f4a54df1a39f01e9f53c920527bb36130c62bd0fa480577789
SSDEEP: 3072:N7E4vwC3Ur94KxRBdWpXm6lvAFyZcej2:N7E4xO/zupXmUvA4Z
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e574805.exe, e5763cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5763cb.exe
UAC bypass
Processes: e574805.exe, e5763cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5763cb.exe
Windows security bypass
Processes: e574805.exe, e5763cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5763cb.exe
Executes dropped EXE (3 IoCs)
Processes: e574805.exe, e57499c.exe, e5763cb.exe
pid | process
436 | e574805.exe
4600 | e57499c.exe
3352 | e5763cb.exe
Yara rule matches on memory regions
resource | yara_rule
behavioral2/memory/436-6-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-7-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-9-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-10-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-19-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-32-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-31-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-33-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-11-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-34-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-35-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-36-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-37-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-38-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-39-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-40-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-42-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-43-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-52-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-54-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-55-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-65-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-66-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-69-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-71-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-74-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-75-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-78-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-79-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-81-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-82-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/436-85-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/3352-108-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/3352-148-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification
Processes: e574805.exe, e5763cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5763cb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574805.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5763cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5763cb.exe
Checks whether UAC is enabled
Processes: e574805.exe, e5763cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5763cb.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e574805.exe, e5763cb.exe
description | ioc | process
File opened (read-only) | \??\H: | e574805.exe
File opened (read-only) | \??\Q: | e574805.exe
File opened (read-only) | \??\S: | e574805.exe
File opened (read-only) | \??\E: | e5763cb.exe
File opened (read-only) | \??\E: | e574805.exe
File opened (read-only) | \??\G: | e574805.exe
File opened (read-only) | \??\J: | e574805.exe
File opened (read-only) | \??\O: | e574805.exe
File opened (read-only) | \??\R: | e574805.exe
File opened (read-only) | \??\I: | e574805.exe
File opened (read-only) | \??\L: | e574805.exe
File opened (read-only) | \??\M: | e574805.exe
File opened (read-only) | \??\K: | e574805.exe
File opened (read-only) | \??\N: | e574805.exe
File opened (read-only) | \??\P: | e574805.exe
Drops file in Program Files directory (4 IoCs)
Processes: e574805.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e574805.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e574805.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e574805.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e574805.exe
Drops file in Windows directory (3 IoCs)
Processes: e574805.exe, e5763cb.exe
description | ioc | process
File created | C:\Windows\e574853 | e574805.exe
File opened for modification | C:\Windows\SYSTEM.INI | e574805.exe
File created | C:\Windows\e5798d5 | e5763cb.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e574805.exe, e5763cb.exe
pid | process
436 | e574805.exe
436 | e574805.exe
436 | e574805.exe
436 | e574805.exe
3352 | e5763cb.exe
3352 | e5763cb.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e574805.exe, e5763cb.exe
description | pid | process | target process
PID 2972 wrote to memory of 4456 | 2972 | rundll32.exe | rundll32.exe
PID 2972 wrote to memory of 4456 | 2972 | rundll32.exe | rundll32.exe
PID 2972 wrote to memory of 4456 | 2972 | rundll32.exe | rundll32.exe
PID 4456 wrote to memory of 436 | 4456 | rundll32.exe | e574805.exe
PID 4456 wrote to memory of 436 | 4456 | rundll32.exe | e574805.exe
PID 4456 wrote to memory of 436 | 4456 | rundll32.exe | e574805.exe
PID 436 wrote to memory of 784 | 436 | e574805.exe | fontdrvhost.exe
PID 436 wrote to memory of 792 | 436 | e574805.exe | fontdrvhost.exe
PID 436 wrote to memory of 316 | 436 | e574805.exe | dwm.exe
PID 436 wrote to memory of 2712 | 436 | e574805.exe | sihost.exe
PID 436 wrote to memory of 2756 | 436 | e574805.exe | svchost.exe
PID 436 wrote to memory of 2988 | 436 | e574805.exe | taskhostw.exe
PID 436 wrote to memory of 3408 | 436 | e574805.exe | Explorer.EXE
PID 436 wrote to memory of 3628 | 436 | e574805.exe | svchost.exe
PID 436 wrote to memory of 3812 | 436 | e574805.exe | DllHost.exe
PID 436 wrote to memory of 3908 | 436 | e574805.exe | StartMenuExperienceHost.exe
PID 436 wrote to memory of 3976 | 436 | e574805.exe | RuntimeBroker.exe
PID 436 wrote to memory of 4064 | 436 | e574805.exe | SearchApp.exe
PID 436 wrote to memory of 3940 | 436 | e574805.exe | RuntimeBroker.exe
PID 436 wrote to memory of 388 | 436 | e574805.exe | RuntimeBroker.exe
PID 436 wrote to memory of 3404 | 436 | e574805.exe | TextInputHost.exe
PID 436 wrote to memory of 2972 | 436 | e574805.exe | rundll32.exe
PID 436 wrote to memory of 4456 | 436 | e574805.exe | rundll32.exe
PID 436 wrote to memory of 4456 | 436 | e574805.exe | rundll32.exe
PID 4456 wrote to memory of 4600 | 4456 | rundll32.exe | e57499c.exe
PID 4456 wrote to memory of 4600 | 4456 | rundll32.exe | e57499c.exe
PID 4456 wrote to memory of 4600 | 4456 | rundll32.exe | e57499c.exe
PID 4456 wrote to memory of 3352 | 4456 | rundll32.exe | e5763cb.exe
PID 4456 wrote to memory of 3352 | 4456 | rundll32.exe | e5763cb.exe
PID 4456 wrote to memory of 3352 | 4456 | rundll32.exe | e5763cb.exe
PID 436 wrote to memory of 784 | 436 | e574805.exe | fontdrvhost.exe
PID 436 wrote to memory of 792 | 436 | e574805.exe | fontdrvhost.exe
PID 436 wrote to memory of 316 | 436 | e574805.exe | dwm.exe
PID 436 wrote to memory of 2712 | 436 | e574805.exe | sihost.exe
PID 436 wrote to memory of 2756 | 436 | e574805.exe | svchost.exe
PID 436 wrote to memory of 2988 | 436 | e574805.exe | taskhostw.exe
PID 436 wrote to memory of 3408 | 436 | e574805.exe | Explorer.EXE
PID 436 wrote to memory of 3628 | 436 | e574805.exe | svchost.exe
PID 436 wrote to memory of 3812 | 436 | e574805.exe | DllHost.exe
PID 436 wrote to memory of 3908 | 436 | e574805.exe | StartMenuExperienceHost.exe
PID 436 wrote to memory of 3976 | 436 | e574805.exe | RuntimeBroker.exe
PID 436 wrote to memory of 4064 | 436 | e574805.exe | SearchApp.exe
PID 436 wrote to memory of 3940 | 436 | e574805.exe | RuntimeBroker.exe
PID 436 wrote to memory of 388 | 436 | e574805.exe | RuntimeBroker.exe
PID 436 wrote to memory of 3404 | 436 | e574805.exe | TextInputHost.exe
PID 436 wrote to memory of 4600 | 436 | e574805.exe | e57499c.exe
PID 436 wrote to memory of 4600 | 436 | e574805.exe | e57499c.exe
PID 436 wrote to memory of 3352 | 436 | e574805.exe | e5763cb.exe
PID 436 wrote to memory of 3352 | 436 | e574805.exe | e5763cb.exe
PID 3352 wrote to memory of 784 | 3352 | e5763cb.exe | fontdrvhost.exe
PID 3352 wrote to memory of 792 | 3352 | e5763cb.exe | fontdrvhost.exe
PID 3352 wrote to memory of 316 | 3352 | e5763cb.exe | dwm.exe
PID 3352 wrote to memory of 2712 | 3352 | e5763cb.exe | sihost.exe
PID 3352 wrote to memory of 2756 | 3352 | e5763cb.exe | svchost.exe
PID 3352 wrote to memory of 2988 | 3352 | e5763cb.exe | taskhostw.exe
PID 3352 wrote to memory of 3408 | 3352 | e5763cb.exe | Explorer.EXE
PID 3352 wrote to memory of 3628 | 3352 | e5763cb.exe | svchost.exe
PID 3352 wrote to memory of 3812 | 3352 | e5763cb.exe | DllHost.exe
PID 3352 wrote to memory of 3908 | 3352 | e5763cb.exe | StartMenuExperienceHost.exe
PID 3352 wrote to memory of 3976 | 3352 | e5763cb.exe | RuntimeBroker.exe
PID 3352 wrote to memory of 4064 | 3352 | e5763cb.exe | SearchApp.exe
PID 3352 wrote to memory of 3940 | 3352 | e5763cb.exe | RuntimeBroker.exe
PID 3352 wrote to memory of 388 | 3352 | e5763cb.exe | RuntimeBroker.exe
PID 3352 wrote to memory of 3404 | 3352 | e5763cb.exe | TextInputHost.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e574805.exe, e5763cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574805.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5763cb.exe
Processes (indented by depth in the process tree)
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e574805.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e574805.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57499c.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57499c.exe
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5763cb.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e5763cb.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e574805.exe
  Filesize: 97KB
  MD5: 3fb0888c03303ff16f013e253c784d8e
  SHA1: 14c2e58eee5e56daca9e19100caf9b1d774a074c
  SHA256: 816c6c2755b81c69bc27d497fecfaab667190198fe8751034befcb861b4c7645
  SHA512: 88b6c8b010fd9f293881b7290841afed353bd28f2fd262291b894119ad5bbb311a1c299fdec19e5e14a704c9cdced670e666398fca750dc67681d9c29e9013c9
- C:\Windows\SYSTEM.INI
  Filesize: 256B
  MD5: 47bca47662a837e40f4c5706082ade59
  SHA1: 5f4479aa2db6ea69a01f5cf185ea833f3ff352ac
  SHA256: 75badd0e05a6808e095d75ca81cf7c5b73c21ab6612096c97c6b6da58b96b217
  SHA512: b3549fc7d8862cea2fd787662d8959139d72c6334a93174d6012cbe12ea5f9c3948ea6a113b7233ec7a86e50ddcedc6ce030bb6c0064158333b1166c3736e908
-
Memory dumps (resource | Filesize)
memory/436-52-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-74-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-6-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-10-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-26-0x0000000000680000-0x0000000000682000-memory.dmp | 8KB
memory/436-20-0x0000000000680000-0x0000000000682000-memory.dmp | 8KB
memory/436-19-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-32-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-31-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-33-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-11-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-17-0x0000000003BF0000-0x0000000003BF1000-memory.dmp | 4KB
memory/436-34-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-5-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/436-54-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-85-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-102-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/436-35-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-36-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-37-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-38-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-39-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-40-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-42-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-43-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-94-0x0000000000680000-0x0000000000682000-memory.dmp | 8KB
memory/436-9-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-82-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-81-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-55-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-79-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-78-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-75-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-7-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-71-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-69-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-65-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/436-66-0x0000000000890000-0x000000000194A000-memory.dmp | 16.7MB
memory/3352-148-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/3352-149-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/3352-51-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/3352-64-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/3352-108-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/3352-60-0x0000000000570000-0x0000000000571000-memory.dmp | 4KB
memory/4456-25-0x0000000004140000-0x0000000004142000-memory.dmp | 8KB
memory/4456-1-0x0000000010000000-0x0000000010020000-memory.dmp | 128KB
memory/4456-12-0x0000000004140000-0x0000000004142000-memory.dmp | 8KB
memory/4456-13-0x0000000004140000-0x0000000004142000-memory.dmp | 8KB
memory/4456-15-0x00000000041D0000-0x00000000041D1000-memory.dmp | 4KB
memory/4600-30-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4600-61-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/4600-63-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/4600-58-0x0000000000570000-0x0000000000571000-memory.dmp | 4KB
memory/4600-106-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB