Analysis
-
max time kernel
47s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
29-06-2024 04:46
Static task
static1
Behavioral task
behavioral1
Sample
658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799_NeikiAnalytics.dll
Resource
win7-20240221-en
General
-
Target
658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799_NeikiAnalytics.dll
-
Size
120KB
-
MD5
b55cbeba6b169273080a0ce70477f960
-
SHA1
afaaf28e22055e0d74390908e59bba9081fe7ef0
-
SHA256
658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799
-
SHA512
e9051d45f87d6b2e816a01e856e5ebeca06da99cc43a6505f3f34671c3a3659913f1b1356b2112d931794eaaf1c48569001e64cfcd1fc52d83023f137eb150b5
-
SSDEEP
3072:LSysEb9tffDVDF3FUeUfSFKtmhyf8svJe0:LflnnDVDFVUeUf4hE8svn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e5791c0.exe, e577455.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5791c0.exe
-
Processes: e577455.exe, e5791c0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5791c0.exe
-
Processes: e5791c0.exe, e577455.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5791c0.exe
-
Executes dropped EXE 4 IoCs
Processes: e577455.exe, e577659.exe, e5791a1.exe, e5791c0.exe
pid | process
3472 | e577455.exe
4504 | e577659.exe
2652 | e5791a1.exe
1200 | e5791c0.exe
-
Processes:
resource yara_rule behavioral2/memory/3472-6-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-10-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-11-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-20-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-13-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-14-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-32-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-12-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-9-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-8-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-35-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-36-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-37-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-38-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-40-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-39-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-55-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-56-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-57-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-71-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-73-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-74-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-75-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-78-0x00000000008A0000-0x000000000195A000-memory.dmp upx 
behavioral2/memory/3472-80-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-83-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-84-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-87-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3472-88-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/1200-123-0x0000000000B30000-0x0000000001BEA000-memory.dmp upx behavioral2/memory/1200-160-0x0000000000B30000-0x0000000001BEA000-memory.dmp upx -
Processes: e577455.exe, e5791c0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5791c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577455.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5791c0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5791c0.exe
-
Processes: e577455.exe, e5791c0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5791c0.exe
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e577455.exe, e5791c0.exe
description | ioc | process
File opened (read-only) | \??\H: | e577455.exe
File opened (read-only) | \??\K: | e577455.exe
File opened (read-only) | \??\O: | e577455.exe
File opened (read-only) | \??\E: | e5791c0.exe
File opened (read-only) | \??\L: | e577455.exe
File opened (read-only) | \??\M: | e577455.exe
File opened (read-only) | \??\N: | e577455.exe
File opened (read-only) | \??\E: | e577455.exe
File opened (read-only) | \??\I: | e577455.exe
File opened (read-only) | \??\P: | e577455.exe
File opened (read-only) | \??\Q: | e577455.exe
File opened (read-only) | \??\G: | e5791c0.exe
File opened (read-only) | \??\G: | e577455.exe
File opened (read-only) | \??\J: | e577455.exe
-
Drops file in Program Files directory 3 IoCs
Processes: e577455.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e577455.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e577455.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e577455.exe
-
Drops file in Windows directory 3 IoCs
Processes: e577455.exe, e5791c0.exe
description | ioc | process
File created | C:\Windows\e577494 | e577455.exe
File opened for modification | C:\Windows\SYSTEM.INI | e577455.exe
File created | C:\Windows\e57c5e0 | e5791c0.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: e577455.exe, e5791c0.exe
pid | process
3472 | e577455.exe
3472 | e577455.exe
3472 | e577455.exe
3472 | e577455.exe
1200 | e5791c0.exe
1200 | e5791c0.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e577455.exedescription pid process Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 
e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe Token: SeDebugPrivilege 3472 e577455.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exerundll32.exee577455.exee5791c0.exedescription pid process target process PID 2492 wrote to memory of 4416 2492 rundll32.exe rundll32.exe PID 2492 wrote to memory of 4416 2492 rundll32.exe rundll32.exe PID 2492 wrote to memory of 4416 2492 rundll32.exe rundll32.exe PID 4416 wrote to memory of 3472 4416 rundll32.exe e577455.exe PID 4416 wrote to memory of 3472 4416 rundll32.exe e577455.exe PID 4416 wrote to memory of 3472 4416 rundll32.exe e577455.exe PID 3472 wrote to memory of 784 3472 e577455.exe fontdrvhost.exe PID 3472 wrote to memory of 792 3472 e577455.exe fontdrvhost.exe PID 3472 wrote to memory of 1020 3472 e577455.exe dwm.exe PID 3472 wrote to memory of 2504 3472 e577455.exe sihost.exe PID 3472 wrote to memory of 2564 3472 e577455.exe svchost.exe PID 3472 wrote to memory of 2692 3472 e577455.exe taskhostw.exe PID 3472 wrote to memory of 3460 3472 e577455.exe Explorer.EXE PID 3472 wrote to memory of 3604 3472 e577455.exe svchost.exe PID 3472 wrote to memory of 3792 3472 e577455.exe DllHost.exe PID 3472 wrote to memory of 3896 3472 e577455.exe StartMenuExperienceHost.exe PID 3472 wrote to memory of 3960 3472 e577455.exe RuntimeBroker.exe PID 3472 wrote to memory of 4084 3472 e577455.exe SearchApp.exe PID 3472 wrote to memory of 4140 3472 e577455.exe RuntimeBroker.exe PID 3472 wrote to memory of 4464 3472 e577455.exe RuntimeBroker.exe PID 3472 wrote to memory of 336 3472 e577455.exe TextInputHost.exe PID 3472 wrote to memory of 2492 3472 e577455.exe rundll32.exe PID 3472 wrote to memory of 4416 3472 e577455.exe rundll32.exe PID 3472 wrote to memory of 4416 3472 e577455.exe rundll32.exe PID 4416 wrote to memory of 4504 4416 rundll32.exe e577659.exe PID 4416 wrote to memory of 4504 4416 rundll32.exe e577659.exe PID 4416 wrote to memory of 4504 4416 rundll32.exe e577659.exe PID 4416 wrote to memory of 2652 4416 rundll32.exe e5791a1.exe PID 4416 wrote to memory of 2652 4416 rundll32.exe e5791a1.exe PID 4416 wrote to memory of 2652 4416 rundll32.exe 
e5791a1.exe PID 4416 wrote to memory of 1200 4416 rundll32.exe e5791c0.exe PID 4416 wrote to memory of 1200 4416 rundll32.exe e5791c0.exe PID 4416 wrote to memory of 1200 4416 rundll32.exe e5791c0.exe PID 3472 wrote to memory of 784 3472 e577455.exe fontdrvhost.exe PID 3472 wrote to memory of 792 3472 e577455.exe fontdrvhost.exe PID 3472 wrote to memory of 1020 3472 e577455.exe dwm.exe PID 3472 wrote to memory of 2504 3472 e577455.exe sihost.exe PID 3472 wrote to memory of 2564 3472 e577455.exe svchost.exe PID 3472 wrote to memory of 2692 3472 e577455.exe taskhostw.exe PID 3472 wrote to memory of 3460 3472 e577455.exe Explorer.EXE PID 3472 wrote to memory of 3604 3472 e577455.exe svchost.exe PID 3472 wrote to memory of 3792 3472 e577455.exe DllHost.exe PID 3472 wrote to memory of 3896 3472 e577455.exe StartMenuExperienceHost.exe PID 3472 wrote to memory of 3960 3472 e577455.exe RuntimeBroker.exe PID 3472 wrote to memory of 4084 3472 e577455.exe SearchApp.exe PID 3472 wrote to memory of 4140 3472 e577455.exe RuntimeBroker.exe PID 3472 wrote to memory of 4464 3472 e577455.exe RuntimeBroker.exe PID 3472 wrote to memory of 336 3472 e577455.exe TextInputHost.exe PID 3472 wrote to memory of 4504 3472 e577455.exe e577659.exe PID 3472 wrote to memory of 4504 3472 e577455.exe e577659.exe PID 3472 wrote to memory of 2652 3472 e577455.exe e5791a1.exe PID 3472 wrote to memory of 2652 3472 e577455.exe e5791a1.exe PID 3472 wrote to memory of 1200 3472 e577455.exe e5791c0.exe PID 3472 wrote to memory of 1200 3472 e577455.exe e5791c0.exe PID 1200 wrote to memory of 784 1200 e5791c0.exe fontdrvhost.exe PID 1200 wrote to memory of 792 1200 e5791c0.exe fontdrvhost.exe PID 1200 wrote to memory of 1020 1200 e5791c0.exe dwm.exe PID 1200 wrote to memory of 2504 1200 e5791c0.exe sihost.exe PID 1200 wrote to memory of 2564 1200 e5791c0.exe svchost.exe PID 1200 wrote to memory of 2692 1200 e5791c0.exe taskhostw.exe PID 1200 wrote to memory of 3460 1200 e5791c0.exe Explorer.EXE PID 1200 
wrote to memory of 3604 1200 e5791c0.exe svchost.exe PID 1200 wrote to memory of 3792 1200 e5791c0.exe DllHost.exe PID 1200 wrote to memory of 3896 1200 e5791c0.exe StartMenuExperienceHost.exe -
System policy modification 1 TTPs 2 IoCs
Processes: e577455.exe, e5791c0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577455.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5791c0.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799_NeikiAnalytics.dll,#1 | 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\658f84f1b964852cb4f6a97d008a005b62cc4bc164d040b97db1362f87bba799_NeikiAnalytics.dll,#1 | 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e577455.exe | C:\Users\Admin\AppData\Local\Temp\e577455.exe | 4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e577659.exe | C:\Users\Admin\AppData\Local\Temp\e577659.exe | 4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5791a1.exe | C:\Users\Admin\AppData\Local\Temp\e5791a1.exe | 4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5791c0.exe | C:\Users\Admin\AppData\Local\Temp\e5791c0.exe | 4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process 1
Windows Service 1
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Defense Evasion
Modify Registry 5
Impair Defenses 4
Disable or Modify Tools 3
Disable or Modify System Firewall 1
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e577455.exe
Filesize 97KB
MD5 be666717caf9abac7269fd51a0ed46e5
SHA1 2b57c13d8ea0905b2608b343c9cfb58554fd25ff
SHA256 d37e6466c23b5fdf10a24be4bd8ccf2f84da8f5854416f1be4abde6c71527315
SHA512 a9967cc0faca73fe777ad8bfc56a44ea57ff12d3b47f03094490bf5370e4b948593298120a7977ce4100fda26995dd57d5fb0de689a9062c94e28bae45fecf2d
-
C:\Windows\SYSTEM.INI
Filesize 257B
MD5 e802d0539c19373943af93836b5853c9
SHA1 0f2511883da0905db365c412be7ba3cb5c5a1b1b
SHA256 d13621f3e4f33ed667dd6eb9f5ba523d5637f3983fc015ea3d2fb41ab2cfa5c3
SHA512 9a22ebd3a594389a42d389bd386ed7f01372fb2105903dc8bcd9020adfa6d3562384da233f74840c884183a45563242c6f87160c721059cac3d4969a6d41abca
-
memory/1200-159-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1200-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1200-123-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/1200-160-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/1200-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1200-64-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1200-67-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2652-140-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2652-69-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2652-62-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2652-66-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2652-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3472-75-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-83-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3472-6-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-12-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-9-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-8-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-35-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-36-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-37-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-38-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-40-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-39-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-10-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-11-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-20-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-55-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-56-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-57-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-33-0x0000000000770000-0x0000000000772000-memory.dmpFilesize
8KB
-
memory/3472-32-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-88-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-14-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3472-97-0x0000000000770000-0x0000000000772000-memory.dmpFilesize
8KB
-
memory/3472-28-0x0000000000770000-0x0000000000772000-memory.dmpFilesize
8KB
-
memory/3472-13-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-87-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-71-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-73-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-74-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-84-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-78-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-80-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3472-24-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/4416-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4416-27-0x00000000009C0000-0x00000000009C2000-memory.dmpFilesize
8KB
-
memory/4416-25-0x00000000009C0000-0x00000000009C2000-memory.dmpFilesize
8KB
-
memory/4416-47-0x00000000009C0000-0x00000000009C2000-memory.dmpFilesize
8KB
-
memory/4416-21-0x00000000009C0000-0x00000000009C2000-memory.dmpFilesize
8KB
-
memory/4416-22-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/4504-68-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/4504-60-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/4504-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4504-65-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/4504-111-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB