sality | 658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799

Analysis

max time kernel
47s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799_NeikiAnalytics.dll
Size

120KB
MD5

b55cbeba6b169273080a0ce70477f960
SHA1

afaaf28e22055e0d74390908e59bba9081fe7ef0
SHA256

658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799
SHA512

e9051d45f87d6b2e816a01e856e5ebeca06da99cc43a6505f3f34671c3a3659913f1b1356b2112d931794eaaf1c48569001e64cfcd1fc52d83023f137eb150b5
SSDEEP

3072:LSysEb9tffDVDF3FUeUfSFKtmhyf8svJe0:LflnnDVDFVUeUf4hE8svn

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5791c0.exee577455.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5791c0.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e577455.exee5791c0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5791c0.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5791c0.exee577455.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5791c0.exe

Executes dropped EXE 4 IoCs

Processes:

e577455.exee577659.exee5791a1.exee5791c0.exe

pid process

3472 e577455.exe
4504 e577659.exe
2652 e5791a1.exe
1200 e5791c0.exe

pid	process
3472	e577455.exe
4504	e577659.exe
2652	e5791a1.exe
1200	e5791c0.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3472-6-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-10-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-11-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-20-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-13-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-14-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-32-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-12-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-9-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-8-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-35-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-36-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-37-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-38-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-40-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-39-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-55-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-56-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-57-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-71-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-73-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-74-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-75-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-78-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-80-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-83-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-84-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-87-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/3472-88-0x00000000008A0000-0x000000000195A000-memory.dmp	upx
behavioral2/memory/1200-123-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx
behavioral2/memory/1200-160-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e577455.exee5791c0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5791c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5791c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5791c0.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e577455.exee5791c0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5791c0.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e577455.exee5791c0.exe

description	ioc	process
File opened (read-only)	\??\H:	e577455.exe
File opened (read-only)	\??\K:	e577455.exe
File opened (read-only)	\??\O:	e577455.exe
File opened (read-only)	\??\E:	e5791c0.exe
File opened (read-only)	\??\L:	e577455.exe
File opened (read-only)	\??\M:	e577455.exe
File opened (read-only)	\??\N:	e577455.exe
File opened (read-only)	\??\E:	e577455.exe
File opened (read-only)	\??\I:	e577455.exe
File opened (read-only)	\??\P:	e577455.exe
File opened (read-only)	\??\Q:	e577455.exe
File opened (read-only)	\??\G:	e5791c0.exe
File opened (read-only)	\??\G:	e577455.exe
File opened (read-only)	\??\J:	e577455.exe

Drops file in Program Files directory 3 IoCs

Processes:

e577455.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e577455.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e577455.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e577455.exe

Drops file in Windows directory 3 IoCs

Processes:

e577455.exee5791c0.exe

description ioc process

File created C:\Windows\e577494 e577455.exe
File opened for modification C:\Windows\SYSTEM.INI e577455.exe
File created C:\Windows\e57c5e0 e5791c0.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e577455.exee5791c0.exe

pid process

3472 e577455.exe
3472 e577455.exe
3472 e577455.exe
3472 e577455.exe
1200 e5791c0.exe
1200 e5791c0.exe

description	ioc	process
File created	C:\Windows\e577494	e577455.exe
File opened for modification	C:\Windows\SYSTEM.INI	e577455.exe
File created	C:\Windows\e57c5e0	e5791c0.exe

pid	process
3472	e577455.exe
3472	e577455.exe
3472	e577455.exe
3472	e577455.exe
1200	e5791c0.exe
1200	e5791c0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e577455.exe

description	pid	process
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe
Token: SeDebugPrivilege	3472	e577455.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee577455.exee5791c0.exe

description	pid	process	target process
PID 2492 wrote to memory of 4416	2492	rundll32.exe	rundll32.exe
PID 2492 wrote to memory of 4416	2492	rundll32.exe	rundll32.exe
PID 2492 wrote to memory of 4416	2492	rundll32.exe	rundll32.exe
PID 4416 wrote to memory of 3472	4416	rundll32.exe	e577455.exe
PID 4416 wrote to memory of 3472	4416	rundll32.exe	e577455.exe
PID 4416 wrote to memory of 3472	4416	rundll32.exe	e577455.exe
PID 3472 wrote to memory of 784	3472	e577455.exe	fontdrvhost.exe
PID 3472 wrote to memory of 792	3472	e577455.exe	fontdrvhost.exe
PID 3472 wrote to memory of 1020	3472	e577455.exe	dwm.exe
PID 3472 wrote to memory of 2504	3472	e577455.exe	sihost.exe
PID 3472 wrote to memory of 2564	3472	e577455.exe	svchost.exe
PID 3472 wrote to memory of 2692	3472	e577455.exe	taskhostw.exe
PID 3472 wrote to memory of 3460	3472	e577455.exe	Explorer.EXE
PID 3472 wrote to memory of 3604	3472	e577455.exe	svchost.exe
PID 3472 wrote to memory of 3792	3472	e577455.exe	DllHost.exe
PID 3472 wrote to memory of 3896	3472	e577455.exe	StartMenuExperienceHost.exe
PID 3472 wrote to memory of 3960	3472	e577455.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 4084	3472	e577455.exe	SearchApp.exe
PID 3472 wrote to memory of 4140	3472	e577455.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 4464	3472	e577455.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 336	3472	e577455.exe	TextInputHost.exe
PID 3472 wrote to memory of 2492	3472	e577455.exe	rundll32.exe
PID 3472 wrote to memory of 4416	3472	e577455.exe	rundll32.exe
PID 3472 wrote to memory of 4416	3472	e577455.exe	rundll32.exe
PID 4416 wrote to memory of 4504	4416	rundll32.exe	e577659.exe
PID 4416 wrote to memory of 4504	4416	rundll32.exe	e577659.exe
PID 4416 wrote to memory of 4504	4416	rundll32.exe	e577659.exe
PID 4416 wrote to memory of 2652	4416	rundll32.exe	e5791a1.exe
PID 4416 wrote to memory of 2652	4416	rundll32.exe	e5791a1.exe
PID 4416 wrote to memory of 2652	4416	rundll32.exe	e5791a1.exe
PID 4416 wrote to memory of 1200	4416	rundll32.exe	e5791c0.exe
PID 4416 wrote to memory of 1200	4416	rundll32.exe	e5791c0.exe
PID 4416 wrote to memory of 1200	4416	rundll32.exe	e5791c0.exe
PID 3472 wrote to memory of 784	3472	e577455.exe	fontdrvhost.exe
PID 3472 wrote to memory of 792	3472	e577455.exe	fontdrvhost.exe
PID 3472 wrote to memory of 1020	3472	e577455.exe	dwm.exe
PID 3472 wrote to memory of 2504	3472	e577455.exe	sihost.exe
PID 3472 wrote to memory of 2564	3472	e577455.exe	svchost.exe
PID 3472 wrote to memory of 2692	3472	e577455.exe	taskhostw.exe
PID 3472 wrote to memory of 3460	3472	e577455.exe	Explorer.EXE
PID 3472 wrote to memory of 3604	3472	e577455.exe	svchost.exe
PID 3472 wrote to memory of 3792	3472	e577455.exe	DllHost.exe
PID 3472 wrote to memory of 3896	3472	e577455.exe	StartMenuExperienceHost.exe
PID 3472 wrote to memory of 3960	3472	e577455.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 4084	3472	e577455.exe	SearchApp.exe
PID 3472 wrote to memory of 4140	3472	e577455.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 4464	3472	e577455.exe	RuntimeBroker.exe
PID 3472 wrote to memory of 336	3472	e577455.exe	TextInputHost.exe
PID 3472 wrote to memory of 4504	3472	e577455.exe	e577659.exe
PID 3472 wrote to memory of 4504	3472	e577455.exe	e577659.exe
PID 3472 wrote to memory of 2652	3472	e577455.exe	e5791a1.exe
PID 3472 wrote to memory of 2652	3472	e577455.exe	e5791a1.exe
PID 3472 wrote to memory of 1200	3472	e577455.exe	e5791c0.exe
PID 3472 wrote to memory of 1200	3472	e577455.exe	e5791c0.exe
PID 1200 wrote to memory of 784	1200	e5791c0.exe	fontdrvhost.exe
PID 1200 wrote to memory of 792	1200	e5791c0.exe	fontdrvhost.exe
PID 1200 wrote to memory of 1020	1200	e5791c0.exe	dwm.exe
PID 1200 wrote to memory of 2504	1200	e5791c0.exe	sihost.exe
PID 1200 wrote to memory of 2564	1200	e5791c0.exe	svchost.exe
PID 1200 wrote to memory of 2692	1200	e5791c0.exe	taskhostw.exe
PID 1200 wrote to memory of 3460	1200	e5791c0.exe	Explorer.EXE
PID 1200 wrote to memory of 3604	1200	e5791c0.exe	svchost.exe
PID 1200 wrote to memory of 3792	1200	e5791c0.exe	DllHost.exe
PID 1200 wrote to memory of 3896	1200	e5791c0.exe	StartMenuExperienceHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e577455.exee5791c0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5791c0.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2564

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2692

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\e577455.exe
C:\Users\Admin\AppData\Local\Temp\e577455.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3472

C:\Users\Admin\AppData\Local\Temp\e577659.exe
C:\Users\Admin\AppData\Local\Temp\e577659.exe
4⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Local\Temp\e5791a1.exe
C:\Users\Admin\AppData\Local\Temp\e5791a1.exe
4⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\Temp\e5791c0.exe
C:\Users\Admin\AppData\Local\Temp\e5791c0.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4464

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e577455.exe
Filesize
97KB

MD5
be666717caf9abac7269fd51a0ed46e5

SHA1
2b57c13d8ea0905b2608b343c9cfb58554fd25ff

SHA256
d37e6466c23b5fdf10a24be4bd8ccf2f84da8f5854416f1be4abde6c71527315

SHA512
a9967cc0faca73fe777ad8bfc56a44ea57ff12d3b47f03094490bf5370e4b948593298120a7977ce4100fda26995dd57d5fb0de689a9062c94e28bae45fecf2d

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
e802d0539c19373943af93836b5853c9

SHA1
0f2511883da0905db365c412be7ba3cb5c5a1b1b

SHA256
d13621f3e4f33ed667dd6eb9f5ba523d5637f3983fc015ea3d2fb41ab2cfa5c3

SHA512
9a22ebd3a594389a42d389bd386ed7f01372fb2105903dc8bcd9020adfa6d3562384da233f74840c884183a45563242c6f87160c721059cac3d4969a6d41abca

Download Submit
memory/1200-159-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1200-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1200-123-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/1200-160-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/1200-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1200-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1200-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2652-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2652-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2652-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2652-66-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2652-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3472-75-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-83-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3472-6-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-12-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-9-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-8-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-35-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-36-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-37-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-38-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-40-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-39-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-10-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-11-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-20-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-55-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-56-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-57-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-33-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/3472-32-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-88-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-14-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-107-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3472-97-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/3472-28-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/3472-13-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-87-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-71-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-73-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-74-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-84-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-78-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-80-0x00000000008A0000-0x000000000195A000-memory.dmp

Filesize
16.7MB

Download
memory/3472-24-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4416-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4416-27-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4416-25-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4416-47-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4416-21-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4416-22-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4504-68-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4504-60-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4504-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4504-65-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4504-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download