sality | 03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239

Analysis

max time kernel
115s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239_NeikiAnalytics.dll
Size

120KB
MD5

8869c3123e84d249b133e4f48727d380
SHA1

187294fc1a829cb46ab7d9858e3891c4873f682b
SHA256

03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239
SHA512

a30a753a23a942b51afa0c3a45cc3d89cffd9c13c4ff10606082456e8339f512e4aea9f326bb0d07b25d5c23740e2baa443a772e11f6b08485daa66cbe1f07d5
SSDEEP

3072:DmQimvGDY+yKY6aZ0KxZalyiHPHk6ix4GwGl3D:SYGs+dY6adalyivHvIZ3

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5843ca.exee584282.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5843ca.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e584282.exee5843ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5843ca.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5843ca.exee584282.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5843ca.exe

Executes dropped EXE 3 IoCs

Processes:

e584282.exee5843ca.exee587412.exe

pid process

1420 e584282.exe
4076 e5843ca.exe
4128 e587412.exe

pid	process
1420	e584282.exe
4076	e5843ca.exe
4128	e587412.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1420-6-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-10-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-9-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-8-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-12-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-13-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-26-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-32-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-25-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-29-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-37-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-36-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-38-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-42-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-39-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-54-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-55-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-56-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-57-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-60-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-61-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/1420-63-0x0000000000770000-0x000000000182A000-memory.dmp	upx
behavioral2/memory/4076-90-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4076-87-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4076-86-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4076-85-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4076-89-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4076-88-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4076-83-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4076-104-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e584282.exee5843ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5843ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5843ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5843ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e584282.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e584282.exee5843ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5843ca.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e584282.exe

description	ioc	process
File opened (read-only)	\??\J:	e584282.exe
File opened (read-only)	\??\K:	e584282.exe
File opened (read-only)	\??\E:	e584282.exe
File opened (read-only)	\??\G:	e584282.exe
File opened (read-only)	\??\H:	e584282.exe
File opened (read-only)	\??\I:	e584282.exe

Drops file in Windows directory 3 IoCs

Processes:

e5843ca.exee584282.exe

description ioc process

File created C:\Windows\e589361 e5843ca.exe
File created C:\Windows\e5842d0 e584282.exe
File opened for modification C:\Windows\SYSTEM.INI e584282.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e584282.exe

pid process

1420 e584282.exe
1420 e584282.exe
1420 e584282.exe
1420 e584282.exe

description	ioc	process
File created	C:\Windows\e589361	e5843ca.exe
File created	C:\Windows\e5842d0	e584282.exe
File opened for modification	C:\Windows\SYSTEM.INI	e584282.exe

pid	process
1420	e584282.exe
1420	e584282.exe
1420	e584282.exe
1420	e584282.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e584282.exe

description	pid	process
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe
Token: SeDebugPrivilege	1420	e584282.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee584282.exe

description	pid	process	target process
PID 4984 wrote to memory of 1388	4984	rundll32.exe	rundll32.exe
PID 4984 wrote to memory of 1388	4984	rundll32.exe	rundll32.exe
PID 4984 wrote to memory of 1388	4984	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 1420	1388	rundll32.exe	e584282.exe
PID 1388 wrote to memory of 1420	1388	rundll32.exe	e584282.exe
PID 1388 wrote to memory of 1420	1388	rundll32.exe	e584282.exe
PID 1420 wrote to memory of 764	1420	e584282.exe	fontdrvhost.exe
PID 1420 wrote to memory of 768	1420	e584282.exe	fontdrvhost.exe
PID 1420 wrote to memory of 64	1420	e584282.exe	dwm.exe
PID 1420 wrote to memory of 2860	1420	e584282.exe	sihost.exe
PID 1420 wrote to memory of 2924	1420	e584282.exe	svchost.exe
PID 1420 wrote to memory of 3048	1420	e584282.exe	taskhostw.exe
PID 1420 wrote to memory of 3444	1420	e584282.exe	Explorer.EXE
PID 1420 wrote to memory of 3616	1420	e584282.exe	svchost.exe
PID 1420 wrote to memory of 3812	1420	e584282.exe	DllHost.exe
PID 1420 wrote to memory of 3992	1420	e584282.exe	StartMenuExperienceHost.exe
PID 1420 wrote to memory of 4056	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 3728	1420	e584282.exe	SearchApp.exe
PID 1420 wrote to memory of 4120	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 2272	1420	e584282.exe	TextInputHost.exe
PID 1420 wrote to memory of 2120	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 2680	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 4328	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 4160	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 3888	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 1680	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 4992	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 636	1420	e584282.exe	backgroundTaskHost.exe
PID 1420 wrote to memory of 3656	1420	e584282.exe	backgroundTaskHost.exe
PID 1420 wrote to memory of 4984	1420	e584282.exe	rundll32.exe
PID 1420 wrote to memory of 1388	1420	e584282.exe	rundll32.exe
PID 1420 wrote to memory of 1388	1420	e584282.exe	rundll32.exe
PID 1388 wrote to memory of 4076	1388	rundll32.exe	e5843ca.exe
PID 1388 wrote to memory of 4076	1388	rundll32.exe	e5843ca.exe
PID 1388 wrote to memory of 4076	1388	rundll32.exe	e5843ca.exe
PID 1420 wrote to memory of 764	1420	e584282.exe	fontdrvhost.exe
PID 1420 wrote to memory of 768	1420	e584282.exe	fontdrvhost.exe
PID 1420 wrote to memory of 64	1420	e584282.exe	dwm.exe
PID 1420 wrote to memory of 2860	1420	e584282.exe	sihost.exe
PID 1420 wrote to memory of 2924	1420	e584282.exe	svchost.exe
PID 1420 wrote to memory of 3048	1420	e584282.exe	taskhostw.exe
PID 1420 wrote to memory of 3444	1420	e584282.exe	Explorer.EXE
PID 1420 wrote to memory of 3616	1420	e584282.exe	svchost.exe
PID 1420 wrote to memory of 3812	1420	e584282.exe	DllHost.exe
PID 1420 wrote to memory of 3992	1420	e584282.exe	StartMenuExperienceHost.exe
PID 1420 wrote to memory of 4056	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 3728	1420	e584282.exe	SearchApp.exe
PID 1420 wrote to memory of 4120	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 2272	1420	e584282.exe	TextInputHost.exe
PID 1420 wrote to memory of 2120	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 2680	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 4328	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 4160	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 3888	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 1680	1420	e584282.exe	msedge.exe
PID 1420 wrote to memory of 4992	1420	e584282.exe	RuntimeBroker.exe
PID 1420 wrote to memory of 636	1420	e584282.exe	backgroundTaskHost.exe
PID 1420 wrote to memory of 3656	1420	e584282.exe	backgroundTaskHost.exe
PID 1420 wrote to memory of 4984	1420	e584282.exe	rundll32.exe
PID 1420 wrote to memory of 4076	1420	e584282.exe	e5843ca.exe
PID 1420 wrote to memory of 4076	1420	e584282.exe	e5843ca.exe
PID 1420 wrote to memory of 4420	1420	e584282.exe	BackgroundTaskHost.exe
PID 1388 wrote to memory of 4128	1388	rundll32.exe	e587412.exe
PID 1388 wrote to memory of 4128	1388	rundll32.exe	e587412.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e584282.exee5843ca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e584282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5843ca.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2924

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3048

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\e584282.exe
C:\Users\Admin\AppData\Local\Temp\e584282.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1420

C:\Users\Admin\AppData\Local\Temp\e5843ca.exe
C:\Users\Admin\AppData\Local\Temp\e5843ca.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:4076

C:\Users\Admin\AppData\Local\Temp\e587412.exe
C:\Users\Admin\AppData\Local\Temp\e587412.exe
4⤵
- Executes dropped EXE
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2272

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fffdb4a4ef8,0x7fffdb4a4f04,0x7fffdb4a4f10
2⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:2
2⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1968,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:3
2⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2432,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:8
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4596,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
2⤵
PID:1792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4992

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:636

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3656

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e584282.exe
Filesize
97KB

MD5
13d743fff676e5875cbb8fd864f13b2a

SHA1
eda3d652b12d08a94e71c3544db7f4bdf893dee0

SHA256
60b28b95453c976b7c8321d90c300757d6268355e4a1dc17d2800e84c7f24085

SHA512
5fafd089f368d31e96489b8380c93af4c31afbbec6c6990dad543b6b7f8996985ea2043af2989c1f61d07792856de1e879ce33bb66d32f36a488329f00833c80

Download Submit
C:\Windows\SYSTEM.INI
Filesize
256B

MD5
9cc9a040ca10e56355fb333afa9be051

SHA1
40b0998138c4dcef0a032235950b4b3a6a0cae79

SHA256
8a900a566d559dd8a5329086d32b15eb3686d7fb33e8b840b672a6655ee63463

SHA512
8b3e9dc9b100409542111ec25977e9155a6eca71bf9d76f7221f84108e1a1dfc8dd342fbe7d96c06004c725ecfd4f5b1baaaa9cfa1f9ecbefe0c1de38f3a7c4b

Download Submit
memory/1388-35-0x0000000004390000-0x0000000004392000-memory.dmp

Filesize
8KB

Download
memory/1388-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1388-15-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/1388-18-0x0000000004390000-0x0000000004392000-memory.dmp

Filesize
8KB

Download
memory/1388-14-0x0000000004390000-0x0000000004392000-memory.dmp

Filesize
8KB

Download
memory/1420-63-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-39-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-13-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-26-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-8-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1420-33-0x0000000001B00000-0x0000000001B02000-memory.dmp

Filesize
8KB

Download
memory/1420-32-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-25-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-9-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-17-0x0000000001B10000-0x0000000001B11000-memory.dmp

Filesize
4KB

Download
memory/1420-10-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-27-0x0000000001B00000-0x0000000001B02000-memory.dmp

Filesize
8KB

Download
memory/1420-29-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-37-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-36-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-38-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1420-71-0x0000000001B00000-0x0000000001B02000-memory.dmp

Filesize
8KB

Download
memory/1420-6-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-42-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-12-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-61-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-54-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-55-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-56-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-57-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/1420-60-0x0000000000770000-0x000000000182A000-memory.dmp

Filesize
16.7MB

Download
memory/4076-86-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4076-89-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4076-41-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4076-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4076-105-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4076-100-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4076-43-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4076-90-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4076-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4076-85-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4076-87-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4076-88-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4076-83-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4076-104-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4128-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download