sality | 575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll
Size

120KB
MD5

5ed92b7849978ff3dd44fd63aba545a0
SHA1

ece1536f437bd76a11a23d4a1aba6c4c9416d6c2
SHA256

575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634
SHA512

58ea3b1ca95f43c357f577a9f0b12422ea5ea850053ea3a83b084a2d68b06cdca0cd8d145566421dfa293ed9cd4c193f98c2fa169fc3a4ff41110f41ac379976
SSDEEP

1536:ztMHvrWZaCM4tQbB7V5uZnsgQt/rxkfbSeZ4+SNb4GB/:z6CRFQ17V5AArxubSeZaNf

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e573e51.exee575b8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e573e51.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573e51.exee575b8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575b8d.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573e51.exee575b8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575b8d.exe

Executes dropped EXE 3 IoCs

Processes:

e573e51.exee573f2c.exee575b8d.exe

pid process

4892 e573e51.exe
864 e573f2c.exe
2960 e575b8d.exe

pid	process
4892	e573e51.exe
864	e573f2c.exe
2960	e575b8d.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4892-6-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-8-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-10-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-26-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-32-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-27-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-25-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-12-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-29-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-11-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-37-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-36-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-38-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-39-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-40-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-49-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-50-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-59-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-60-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-62-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-64-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-66-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-69-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-70-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-72-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-73-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-74-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/4892-78-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/2960-111-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/2960-125-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573e51.exee575b8d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575b8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575b8d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e573e51.exee575b8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575b8d.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e573e51.exe

description	ioc	process
File opened (read-only)	\??\I:	e573e51.exe
File opened (read-only)	\??\N:	e573e51.exe
File opened (read-only)	\??\O:	e573e51.exe
File opened (read-only)	\??\P:	e573e51.exe
File opened (read-only)	\??\H:	e573e51.exe
File opened (read-only)	\??\G:	e573e51.exe
File opened (read-only)	\??\J:	e573e51.exe
File opened (read-only)	\??\K:	e573e51.exe
File opened (read-only)	\??\L:	e573e51.exe
File opened (read-only)	\??\M:	e573e51.exe
File opened (read-only)	\??\E:	e573e51.exe

Drops file in Program Files directory 3 IoCs

Processes:

e573e51.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e573e51.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e573e51.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e573e51.exe

Drops file in Windows directory 3 IoCs

Processes:

e573e51.exee575b8d.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI e573e51.exe
File created C:\Windows\e57ab24 e575b8d.exe
File created C:\Windows\e573e9f e573e51.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e573e51.exee575b8d.exe

pid process

4892 e573e51.exe
4892 e573e51.exe
4892 e573e51.exe
4892 e573e51.exe
2960 e575b8d.exe
2960 e575b8d.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	e573e51.exe
File created	C:\Windows\e57ab24	e575b8d.exe
File created	C:\Windows\e573e9f	e573e51.exe

pid	process
4892	e573e51.exe
4892	e573e51.exe
4892	e573e51.exe
4892	e573e51.exe
2960	e575b8d.exe
2960	e575b8d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e573e51.exe

description	pid	process
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe
Token: SeDebugPrivilege	4892	e573e51.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee573e51.exee575b8d.exe

description	pid	process	target process
PID 4936 wrote to memory of 3588	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 3588	4936	rundll32.exe	rundll32.exe
PID 4936 wrote to memory of 3588	4936	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 4892	3588	rundll32.exe	e573e51.exe
PID 3588 wrote to memory of 4892	3588	rundll32.exe	e573e51.exe
PID 3588 wrote to memory of 4892	3588	rundll32.exe	e573e51.exe
PID 4892 wrote to memory of 784	4892	e573e51.exe	fontdrvhost.exe
PID 4892 wrote to memory of 792	4892	e573e51.exe	fontdrvhost.exe
PID 4892 wrote to memory of 332	4892	e573e51.exe	dwm.exe
PID 4892 wrote to memory of 3116	4892	e573e51.exe	sihost.exe
PID 4892 wrote to memory of 3128	4892	e573e51.exe	svchost.exe
PID 4892 wrote to memory of 3188	4892	e573e51.exe	taskhostw.exe
PID 4892 wrote to memory of 3472	4892	e573e51.exe	Explorer.EXE
PID 4892 wrote to memory of 3592	4892	e573e51.exe	svchost.exe
PID 4892 wrote to memory of 3780	4892	e573e51.exe	DllHost.exe
PID 4892 wrote to memory of 3892	4892	e573e51.exe	StartMenuExperienceHost.exe
PID 4892 wrote to memory of 3952	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 4044	4892	e573e51.exe	SearchApp.exe
PID 4892 wrote to memory of 4164	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 2036	4892	e573e51.exe	TextInputHost.exe
PID 4892 wrote to memory of 4592	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 1196	4892	e573e51.exe	backgroundTaskHost.exe
PID 4892 wrote to memory of 4832	4892	e573e51.exe	backgroundTaskHost.exe
PID 4892 wrote to memory of 4936	4892	e573e51.exe	rundll32.exe
PID 4892 wrote to memory of 3588	4892	e573e51.exe	rundll32.exe
PID 4892 wrote to memory of 3588	4892	e573e51.exe	rundll32.exe
PID 3588 wrote to memory of 864	3588	rundll32.exe	e573f2c.exe
PID 3588 wrote to memory of 864	3588	rundll32.exe	e573f2c.exe
PID 3588 wrote to memory of 864	3588	rundll32.exe	e573f2c.exe
PID 3588 wrote to memory of 2960	3588	rundll32.exe	e575b8d.exe
PID 3588 wrote to memory of 2960	3588	rundll32.exe	e575b8d.exe
PID 3588 wrote to memory of 2960	3588	rundll32.exe	e575b8d.exe
PID 4892 wrote to memory of 784	4892	e573e51.exe	fontdrvhost.exe
PID 4892 wrote to memory of 792	4892	e573e51.exe	fontdrvhost.exe
PID 4892 wrote to memory of 332	4892	e573e51.exe	dwm.exe
PID 4892 wrote to memory of 3116	4892	e573e51.exe	sihost.exe
PID 4892 wrote to memory of 3128	4892	e573e51.exe	svchost.exe
PID 4892 wrote to memory of 3188	4892	e573e51.exe	taskhostw.exe
PID 4892 wrote to memory of 3472	4892	e573e51.exe	Explorer.EXE
PID 4892 wrote to memory of 3592	4892	e573e51.exe	svchost.exe
PID 4892 wrote to memory of 3780	4892	e573e51.exe	DllHost.exe
PID 4892 wrote to memory of 3892	4892	e573e51.exe	StartMenuExperienceHost.exe
PID 4892 wrote to memory of 3952	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 4044	4892	e573e51.exe	SearchApp.exe
PID 4892 wrote to memory of 4164	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 2036	4892	e573e51.exe	TextInputHost.exe
PID 4892 wrote to memory of 4592	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 1196	4892	e573e51.exe	backgroundTaskHost.exe
PID 4892 wrote to memory of 864	4892	e573e51.exe	e573f2c.exe
PID 4892 wrote to memory of 864	4892	e573e51.exe	e573f2c.exe
PID 4892 wrote to memory of 5052	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 1516	4892	e573e51.exe	RuntimeBroker.exe
PID 4892 wrote to memory of 2960	4892	e573e51.exe	e575b8d.exe
PID 4892 wrote to memory of 2960	4892	e573e51.exe	e575b8d.exe
PID 4892 wrote to memory of 4520	4892	e573e51.exe	DllHost.exe
PID 2960 wrote to memory of 784	2960	e575b8d.exe	fontdrvhost.exe
PID 2960 wrote to memory of 792	2960	e575b8d.exe	fontdrvhost.exe
PID 2960 wrote to memory of 332	2960	e575b8d.exe	dwm.exe
PID 2960 wrote to memory of 3116	2960	e575b8d.exe	sihost.exe
PID 2960 wrote to memory of 3128	2960	e575b8d.exe	svchost.exe
PID 2960 wrote to memory of 3188	2960	e575b8d.exe	taskhostw.exe
PID 2960 wrote to memory of 3472	2960	e575b8d.exe	Explorer.EXE
PID 2960 wrote to memory of 3592	2960	e575b8d.exe	svchost.exe
PID 2960 wrote to memory of 3780	2960	e575b8d.exe	DllHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e573e51.exee575b8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573e51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575b8d.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3128

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\e573e51.exe
C:\Users\Admin\AppData\Local\Temp\e573e51.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4892

C:\Users\Admin\AppData\Local\Temp\e573f2c.exe
C:\Users\Admin\AppData\Local\Temp\e573f2c.exe
4⤵
- Executes dropped EXE
PID:864

C:\Users\Admin\AppData\Local\Temp\e575b8d.exe
C:\Users\Admin\AppData\Local\Temp\e575b8d.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4164

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4592

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1196

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4520

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e573e51.exe
Filesize
97KB

MD5
745998fddf5ffcd591d8945f33f48c5a

SHA1
db2cb77689dc8f3493b0030e327b44faa21c7482

SHA256
2e750a898eef427bc04a4aac23e882aa702fe32d4ba9482b6d0d5e36eafe2766

SHA512
02d1208bd1f832553f2a390e1b2afe4c365fb04339e08a0a34d5ac86e893eac1e917c9d8cdb6f6c34b34da0a3814861c91d42049056b60b95d467405aa85fafa

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
ff90a542ea8679b31cf2885dde3c62a3

SHA1
55526cc8c80ee27ae32655548b110173658ff9bd

SHA256
85c3e0d6638d9e62ddcfbc101414a3c3842915b77aac4cf3e5541cb0d8d582f8

SHA512
e94b3896f83dd9b8ca99642514f24ebdd09750ee66ef15d3ae9001516f5ef462f36ac3f7ca4ce856245f88562551749c38ca42db5f772c3d0057ee6c9e160c8a

Download Submit
memory/864-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/864-53-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/864-52-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/864-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/864-99-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2960-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2960-111-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/2960-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2960-125-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/2960-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2960-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3588-14-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3588-13-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/3588-17-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/3588-31-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/3588-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4892-49-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-60-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-11-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-37-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-36-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-38-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-39-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-40-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-29-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-50-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-28-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/4892-30-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/4892-12-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-25-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-27-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-32-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-59-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-16-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4892-62-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-64-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-66-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-69-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-70-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-72-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-73-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-74-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-84-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/4892-95-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4892-78-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-26-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-10-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-8-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-6-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/4892-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download