sality | a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149

Analysis

max time kernel
45s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149_NeikiAnalytics.dll
Size

120KB
MD5

c18c7c8557208c8732ab57635850b240
SHA1

e85b7120efcb4d3a3b5fb2bee6d5050ed4eaad89
SHA256

a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149
SHA512

a896b703a6492da5423b085063b5c0ecc8cdff282b7081e96e351e1ace0c2aaf765372fe3191d8f4a54df1a39f01e9f53c920527bb36130c62bd0fa480577789
SSDEEP

3072:N7E4vwC3Ur94KxRBdWpXm6lvAFyZcej2:N7E4xO/zupXmUvA4Z

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e574805.exee5763cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5763cb.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574805.exee5763cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5763cb.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574805.exee5763cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5763cb.exe

Executes dropped EXE 3 IoCs

Processes:

e574805.exee57499c.exee5763cb.exe

pid process

436 e574805.exe
4600 e57499c.exe
3352 e5763cb.exe

pid	process
436	e574805.exe
4600	e57499c.exe
3352	e5763cb.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/436-6-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-7-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-9-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-10-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-19-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-32-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-31-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-33-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-11-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-34-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-35-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-36-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-37-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-38-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-39-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-40-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-42-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-43-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-52-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-54-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-55-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-65-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-66-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-69-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-71-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-74-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-75-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-78-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-79-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-81-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-82-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/436-85-0x0000000000890000-0x000000000194A000-memory.dmp	upx
behavioral2/memory/3352-108-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx
behavioral2/memory/3352-148-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574805.exee5763cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5763cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574805.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5763cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5763cb.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e574805.exee5763cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5763cb.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e574805.exee5763cb.exe

description	ioc	process
File opened (read-only)	\??\H:	e574805.exe
File opened (read-only)	\??\Q:	e574805.exe
File opened (read-only)	\??\S:	e574805.exe
File opened (read-only)	\??\E:	e5763cb.exe
File opened (read-only)	\??\E:	e574805.exe
File opened (read-only)	\??\G:	e574805.exe
File opened (read-only)	\??\J:	e574805.exe
File opened (read-only)	\??\O:	e574805.exe
File opened (read-only)	\??\R:	e574805.exe
File opened (read-only)	\??\I:	e574805.exe
File opened (read-only)	\??\L:	e574805.exe
File opened (read-only)	\??\M:	e574805.exe
File opened (read-only)	\??\K:	e574805.exe
File opened (read-only)	\??\N:	e574805.exe
File opened (read-only)	\??\P:	e574805.exe

Drops file in Program Files directory 4 IoCs

Processes:

e574805.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e574805.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e574805.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e574805.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e574805.exe

Drops file in Windows directory 3 IoCs

Processes:

e574805.exee5763cb.exe

description ioc process

File created C:\Windows\e574853 e574805.exe
File opened for modification C:\Windows\SYSTEM.INI e574805.exe
File created C:\Windows\e5798d5 e5763cb.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e574805.exee5763cb.exe

pid process

436 e574805.exe
436 e574805.exe
436 e574805.exe
436 e574805.exe
3352 e5763cb.exe
3352 e5763cb.exe

description	ioc	process
File created	C:\Windows\e574853	e574805.exe
File opened for modification	C:\Windows\SYSTEM.INI	e574805.exe
File created	C:\Windows\e5798d5	e5763cb.exe

pid	process
436	e574805.exe
436	e574805.exe
436	e574805.exe
436	e574805.exe
3352	e5763cb.exe
3352	e5763cb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e574805.exe

description	pid	process
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe
Token: SeDebugPrivilege	436	e574805.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee574805.exee5763cb.exe

description	pid	process	target process
PID 2972 wrote to memory of 4456	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 4456	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 4456	2972	rundll32.exe	rundll32.exe
PID 4456 wrote to memory of 436	4456	rundll32.exe	e574805.exe
PID 4456 wrote to memory of 436	4456	rundll32.exe	e574805.exe
PID 4456 wrote to memory of 436	4456	rundll32.exe	e574805.exe
PID 436 wrote to memory of 784	436	e574805.exe	fontdrvhost.exe
PID 436 wrote to memory of 792	436	e574805.exe	fontdrvhost.exe
PID 436 wrote to memory of 316	436	e574805.exe	dwm.exe
PID 436 wrote to memory of 2712	436	e574805.exe	sihost.exe
PID 436 wrote to memory of 2756	436	e574805.exe	svchost.exe
PID 436 wrote to memory of 2988	436	e574805.exe	taskhostw.exe
PID 436 wrote to memory of 3408	436	e574805.exe	Explorer.EXE
PID 436 wrote to memory of 3628	436	e574805.exe	svchost.exe
PID 436 wrote to memory of 3812	436	e574805.exe	DllHost.exe
PID 436 wrote to memory of 3908	436	e574805.exe	StartMenuExperienceHost.exe
PID 436 wrote to memory of 3976	436	e574805.exe	RuntimeBroker.exe
PID 436 wrote to memory of 4064	436	e574805.exe	SearchApp.exe
PID 436 wrote to memory of 3940	436	e574805.exe	RuntimeBroker.exe
PID 436 wrote to memory of 388	436	e574805.exe	RuntimeBroker.exe
PID 436 wrote to memory of 3404	436	e574805.exe	TextInputHost.exe
PID 436 wrote to memory of 2972	436	e574805.exe	rundll32.exe
PID 436 wrote to memory of 4456	436	e574805.exe	rundll32.exe
PID 436 wrote to memory of 4456	436	e574805.exe	rundll32.exe
PID 4456 wrote to memory of 4600	4456	rundll32.exe	e57499c.exe
PID 4456 wrote to memory of 4600	4456	rundll32.exe	e57499c.exe
PID 4456 wrote to memory of 4600	4456	rundll32.exe	e57499c.exe
PID 4456 wrote to memory of 3352	4456	rundll32.exe	e5763cb.exe
PID 4456 wrote to memory of 3352	4456	rundll32.exe	e5763cb.exe
PID 4456 wrote to memory of 3352	4456	rundll32.exe	e5763cb.exe
PID 436 wrote to memory of 784	436	e574805.exe	fontdrvhost.exe
PID 436 wrote to memory of 792	436	e574805.exe	fontdrvhost.exe
PID 436 wrote to memory of 316	436	e574805.exe	dwm.exe
PID 436 wrote to memory of 2712	436	e574805.exe	sihost.exe
PID 436 wrote to memory of 2756	436	e574805.exe	svchost.exe
PID 436 wrote to memory of 2988	436	e574805.exe	taskhostw.exe
PID 436 wrote to memory of 3408	436	e574805.exe	Explorer.EXE
PID 436 wrote to memory of 3628	436	e574805.exe	svchost.exe
PID 436 wrote to memory of 3812	436	e574805.exe	DllHost.exe
PID 436 wrote to memory of 3908	436	e574805.exe	StartMenuExperienceHost.exe
PID 436 wrote to memory of 3976	436	e574805.exe	RuntimeBroker.exe
PID 436 wrote to memory of 4064	436	e574805.exe	SearchApp.exe
PID 436 wrote to memory of 3940	436	e574805.exe	RuntimeBroker.exe
PID 436 wrote to memory of 388	436	e574805.exe	RuntimeBroker.exe
PID 436 wrote to memory of 3404	436	e574805.exe	TextInputHost.exe
PID 436 wrote to memory of 4600	436	e574805.exe	e57499c.exe
PID 436 wrote to memory of 4600	436	e574805.exe	e57499c.exe
PID 436 wrote to memory of 3352	436	e574805.exe	e5763cb.exe
PID 436 wrote to memory of 3352	436	e574805.exe	e5763cb.exe
PID 3352 wrote to memory of 784	3352	e5763cb.exe	fontdrvhost.exe
PID 3352 wrote to memory of 792	3352	e5763cb.exe	fontdrvhost.exe
PID 3352 wrote to memory of 316	3352	e5763cb.exe	dwm.exe
PID 3352 wrote to memory of 2712	3352	e5763cb.exe	sihost.exe
PID 3352 wrote to memory of 2756	3352	e5763cb.exe	svchost.exe
PID 3352 wrote to memory of 2988	3352	e5763cb.exe	taskhostw.exe
PID 3352 wrote to memory of 3408	3352	e5763cb.exe	Explorer.EXE
PID 3352 wrote to memory of 3628	3352	e5763cb.exe	svchost.exe
PID 3352 wrote to memory of 3812	3352	e5763cb.exe	DllHost.exe
PID 3352 wrote to memory of 3908	3352	e5763cb.exe	StartMenuExperienceHost.exe
PID 3352 wrote to memory of 3976	3352	e5763cb.exe	RuntimeBroker.exe
PID 3352 wrote to memory of 4064	3352	e5763cb.exe	SearchApp.exe
PID 3352 wrote to memory of 3940	3352	e5763cb.exe	RuntimeBroker.exe
PID 3352 wrote to memory of 388	3352	e5763cb.exe	RuntimeBroker.exe
PID 3352 wrote to memory of 3404	3352	e5763cb.exe	TextInputHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e574805.exee5763cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574805.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5763cb.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2756

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2988

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62aa2b25c3d8100c0f93c96b6a0f0e5981866039f2aaa48f334537d09f1a149_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\e574805.exe
C:\Users\Admin\AppData\Local\Temp\e574805.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:436

C:\Users\Admin\AppData\Local\Temp\e57499c.exe
C:\Users\Admin\AppData\Local\Temp\e57499c.exe
4⤵
- Executes dropped EXE
PID:4600

C:\Users\Admin\AppData\Local\Temp\e5763cb.exe
C:\Users\Admin\AppData\Local\Temp\e5763cb.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:388

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3404

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e574805.exe
Filesize
97KB

MD5
3fb0888c03303ff16f013e253c784d8e

SHA1
14c2e58eee5e56daca9e19100caf9b1d774a074c

SHA256
816c6c2755b81c69bc27d497fecfaab667190198fe8751034befcb861b4c7645

SHA512
88b6c8b010fd9f293881b7290841afed353bd28f2fd262291b894119ad5bbb311a1c299fdec19e5e14a704c9cdced670e666398fca750dc67681d9c29e9013c9

Download Submit
C:\Windows\SYSTEM.INI
Filesize
256B

MD5
47bca47662a837e40f4c5706082ade59

SHA1
5f4479aa2db6ea69a01f5cf185ea833f3ff352ac

SHA256
75badd0e05a6808e095d75ca81cf7c5b73c21ab6612096c97c6b6da58b96b217

SHA512
b3549fc7d8862cea2fd787662d8959139d72c6334a93174d6012cbe12ea5f9c3948ea6a113b7233ec7a86e50ddcedc6ce030bb6c0064158333b1166c3736e908

Download Submit
memory/436-52-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-74-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-6-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-10-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-26-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/436-20-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/436-19-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-32-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-31-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-33-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-11-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-17-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/436-34-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/436-54-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-85-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/436-35-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-36-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-37-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-38-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-39-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-40-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-42-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-43-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-94-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/436-9-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-82-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-81-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-55-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-79-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-78-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-75-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-7-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-71-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-69-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-65-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/436-66-0x0000000000890000-0x000000000194A000-memory.dmp

Filesize
16.7MB

Download
memory/3352-148-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download
memory/3352-149-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3352-51-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3352-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3352-108-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download
memory/3352-60-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4456-25-0x0000000004140000-0x0000000004142000-memory.dmp

Filesize
8KB

Download
memory/4456-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4456-12-0x0000000004140000-0x0000000004142000-memory.dmp

Filesize
8KB

Download
memory/4456-13-0x0000000004140000-0x0000000004142000-memory.dmp

Filesize
8KB

Download
memory/4456-15-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/4600-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4600-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4600-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4600-58-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4600-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads