Analysis
max time kernel: 139s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 03:13
Static task: static1
Behavioral task: behavioral1
Sample: 575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll
Resource: win7-20231129-en
General
Target: 575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll
Size: 120KB
MD5: 5ed92b7849978ff3dd44fd63aba545a0
SHA1: ece1536f437bd76a11a23d4a1aba6c4c9416d6c2
SHA256: 575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634
SHA512: 58ea3b1ca95f43c357f577a9f0b12422ea5ea850053ea3a83b084a2d68b06cdca0cd8d145566421dfa293ed9cd4c193f98c2fa169fc3a4ff41110f41ac379976
SSDEEP: 1536:ztMHvrWZaCM4tQbB7V5uZnsgQt/rxkfbSeZ4+SNb4GB/:z6CRFQ17V5AArxubSeZaNf
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e573e51.exe, e575b8d.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e573e51.exe)
UAC bypass
Processes: e573e51.exe, e575b8d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e575b8d.exe)
Windows security bypass
Processes: e573e51.exe, e575b8d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e575b8d.exe)
Executes dropped EXE 3 IoCs
Processes: e573e51.exe, e573f2c.exe, e575b8d.exe
- pid 4892: e573e51.exe
- pid 864: e573f2c.exe
- pid 2960: e575b8d.exe
YARA rule match: upx
Resources matching the yara rule "upx" (the same 4892 region is matched across 28 successive dumps and the 2960 region across 2):
- behavioral2/memory/4892-{6,8,10,26,32,27,25,12,29,11,37,36,38,39,40,49,50,59,60,62,64,66,69,70,72,73,74,78}-0x0000000000860000-0x000000000191A000-memory.dmp: upx
- behavioral2/memory/2960-{111,125}-0x0000000000B40000-0x0000000001BFA000-memory.dmp: upx
Windows security modification
Processes: e573e51.exe, e575b8d.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e575b8d.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e575b8d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e575b8d.exe)
Checks whether UAC is enabled
Processes: e573e51.exe, e575b8d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e575b8d.exe)
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573e51.exe
- File opened (read-only) \??\I: (e573e51.exe)
- File opened (read-only) \??\N: (e573e51.exe)
- File opened (read-only) \??\O: (e573e51.exe)
- File opened (read-only) \??\P: (e573e51.exe)
- File opened (read-only) \??\H: (e573e51.exe)
- File opened (read-only) \??\G: (e573e51.exe)
- File opened (read-only) \??\J: (e573e51.exe)
- File opened (read-only) \??\K: (e573e51.exe)
- File opened (read-only) \??\L: (e573e51.exe)
- File opened (read-only) \??\M: (e573e51.exe)
- File opened (read-only) \??\E: (e573e51.exe)
Drops file in Program Files directory 3 IoCs
Processes: e573e51.exe
- File opened for modification C:\Program Files\7-Zip\7z.exe (e573e51.exe)
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e573e51.exe)
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e573e51.exe)
Drops file in Windows directory 3 IoCs
Processes: e573e51.exe, e575b8d.exe
- File opened for modification C:\Windows\SYSTEM.INI (e573e51.exe)
- File created C:\Windows\e57ab24 (e575b8d.exe)
- File created C:\Windows\e573e9f (e573e51.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: e573e51.exe, e575b8d.exe
- pid 4892: e573e51.exe (4 entries)
- pid 2960: e575b8d.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e573e51.exe
- Token: SeDebugPrivilege, pid 4892, e573e51.exe (this single entry is repeated for all 64 listed IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e573e51.exe, e575b8d.exe
Each entry is "source PID (source process) wrote to memory of target PID (target process)"; consecutive identical entries are collapsed with a count.
- PID 4936 (rundll32.exe) wrote to memory of 3588 (rundll32.exe) x3
- PID 3588 (rundll32.exe) wrote to memory of 4892 (e573e51.exe) x3
- PID 4892 (e573e51.exe) wrote to memory of 784 (fontdrvhost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 792 (fontdrvhost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 332 (dwm.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3116 (sihost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3128 (svchost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3188 (taskhostw.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3472 (Explorer.EXE)
- PID 4892 (e573e51.exe) wrote to memory of 3592 (svchost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3780 (DllHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3892 (StartMenuExperienceHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3952 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4044 (SearchApp.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4164 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 2036 (TextInputHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4592 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 1196 (backgroundTaskHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4832 (backgroundTaskHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4936 (rundll32.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3588 (rundll32.exe) x2
- PID 3588 (rundll32.exe) wrote to memory of 864 (e573f2c.exe) x3
- PID 3588 (rundll32.exe) wrote to memory of 2960 (e575b8d.exe) x3
- PID 4892 (e573e51.exe) wrote to memory of 784 (fontdrvhost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 792 (fontdrvhost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 332 (dwm.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3116 (sihost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3128 (svchost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3188 (taskhostw.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3472 (Explorer.EXE)
- PID 4892 (e573e51.exe) wrote to memory of 3592 (svchost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3780 (DllHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3892 (StartMenuExperienceHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 3952 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4044 (SearchApp.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4164 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 2036 (TextInputHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 4592 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 1196 (backgroundTaskHost.exe)
- PID 4892 (e573e51.exe) wrote to memory of 864 (e573f2c.exe) x2
- PID 4892 (e573e51.exe) wrote to memory of 5052 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 1516 (RuntimeBroker.exe)
- PID 4892 (e573e51.exe) wrote to memory of 2960 (e575b8d.exe) x2
- PID 4892 (e573e51.exe) wrote to memory of 4520 (DllHost.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 784 (fontdrvhost.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 792 (fontdrvhost.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 332 (dwm.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 3116 (sihost.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 3128 (svchost.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 3188 (taskhostw.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 3472 (Explorer.EXE)
- PID 2960 (e575b8d.exe) wrote to memory of 3592 (svchost.exe)
- PID 2960 (e575b8d.exe) wrote to memory of 3780 (DllHost.exe)
System policy modification 1 TTPs 2 IoCs
Processes: e573e51.exe, e575b8d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573e51.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e575b8d.exe)
Processes
Each entry gives the image path followed by its command line; indentation shows parent/child nesting, and the signatures triggered by a process are listed beneath it.
- C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  cmdline: "dwm.exe"
- C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e573e51.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e573e51.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e573f2c.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e573f2c.exe
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e575b8d.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e575b8d.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Defense Evasion
- Modify Registry: 5
- Impair Defenses: 4
  - Disable or Modify Tools: 3
  - Disable or Modify System Firewall: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573e51.exe
  Filesize: 97KB
  MD5: 745998fddf5ffcd591d8945f33f48c5a
  SHA1: db2cb77689dc8f3493b0030e327b44faa21c7482
  SHA256: 2e750a898eef427bc04a4aac23e882aa702fe32d4ba9482b6d0d5e36eafe2766
  SHA512: 02d1208bd1f832553f2a390e1b2afe4c365fb04339e08a0a34d5ac86e893eac1e917c9d8cdb6f6c34b34da0a3814861c91d42049056b60b95d467405aa85fafa

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: ff90a542ea8679b31cf2885dde3c62a3
  SHA1: 55526cc8c80ee27ae32655548b110173658ff9bd
  SHA256: 85c3e0d6638d9e62ddcfbc101414a3c3842915b77aac4cf3e5541cb0d8d582f8
  SHA512: e94b3896f83dd9b8ca99642514f24ebdd09750ee66ef15d3ae9001516f5ef462f36ac3f7ca4ce856245f88562551749c38ca42db5f772c3d0057ee6c9e160c8a

Memory dumps (dump name, filesize):
memory/864-35-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/864-53-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/864-52-0x00000000001F0000-0x00000000001F1000-memory.dmp  4KB
memory/864-57-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/864-99-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/2960-58-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/2960-111-0x0000000000B40000-0x0000000001BFA000-memory.dmp  16.7MB
memory/2960-124-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/2960-125-0x0000000000B40000-0x0000000001BFA000-memory.dmp  16.7MB
memory/2960-55-0x00000000001F0000-0x00000000001F1000-memory.dmp  4KB
memory/2960-56-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/3588-14-0x0000000000730000-0x0000000000731000-memory.dmp  4KB
memory/3588-13-0x0000000000620000-0x0000000000622000-memory.dmp  8KB
memory/3588-17-0x0000000000620000-0x0000000000622000-memory.dmp  8KB
memory/3588-31-0x0000000000620000-0x0000000000622000-memory.dmp  8KB
memory/3588-1-0x0000000010000000-0x0000000010020000-memory.dmp  128KB
memory/4892-49-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-60-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-11-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-37-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-36-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-38-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-39-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-40-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-29-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-50-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-28-0x0000000000560000-0x0000000000562000-memory.dmp  8KB
memory/4892-30-0x0000000000560000-0x0000000000562000-memory.dmp  8KB
memory/4892-12-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-25-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-27-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-32-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-59-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-16-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
memory/4892-62-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-64-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-66-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-69-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-70-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-72-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-73-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-74-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-84-0x0000000000560000-0x0000000000562000-memory.dmp  8KB
memory/4892-95-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/4892-78-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-26-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-10-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-8-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-6-0x0000000000860000-0x000000000191A000-memory.dmp  16.7MB
memory/4892-4-0x0000000000400000-0x0000000000412000-memory.dmp  72KB