sality | 66a7fba154ff276250f9f535786ccd1eed89b29c236148b31a432e0618e7b6b1

Analysis

max time kernel
138s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a7fba154ff276250f9f535786ccd1eed89b29c236148b31a432e0618e7b6b1_NeikiAnalytics.dll
Size

120KB
MD5

6615f571a0c6d89fec4fb418bd94a910
SHA1

10b53495064da961cfcbcac16dcc261c255576f2
SHA256

66a7fba154ff276250f9f535786ccd1eed89b29c236148b31a432e0618e7b6b1
SHA512

e46d9c50cb775069eb2b7dbb459a58d3df124ef77549c746d51c05693c931a3a3dc518d08da8c1307405ca9e3cf666783fc6106a4cf49780920cba2aaaf512cc
SSDEEP

1536:ITbwOoGtsfvlnGYlXrqNtnw9Wgq1yV0Nrk72QDv5ykzsSmG971:GcOohkYlXuNte/q9k2QDC65

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5835a1.exee585b5a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e585b5a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5835a1.exee585b5a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e585b5a.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5835a1.exee585b5a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5835a1.exe

Executes dropped EXE 3 IoCs

Processes:

e5835a1.exee5836f9.exee585b5a.exe

pid process

3412 e5835a1.exe
832 e5836f9.exe
5080 e585b5a.exe

pid	process
3412	e5835a1.exe
832	e5836f9.exe
5080	e585b5a.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3412-10-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-9-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-18-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-35-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-12-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-27-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-13-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-8-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-6-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-28-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-37-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-36-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-38-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-39-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-40-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-58-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-59-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-60-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-61-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-63-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-65-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-67-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-70-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/3412-73-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5080-106-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx
behavioral2/memory/5080-141-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5835a1.exee585b5a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e585b5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e585b5a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e585b5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e585b5a.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e5835a1.exee585b5a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e585b5a.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5835a1.exee585b5a.exe

description	ioc	process
File opened (read-only)	\??\E:	e5835a1.exe
File opened (read-only)	\??\H:	e5835a1.exe
File opened (read-only)	\??\K:	e5835a1.exe
File opened (read-only)	\??\L:	e5835a1.exe
File opened (read-only)	\??\E:	e585b5a.exe
File opened (read-only)	\??\G:	e5835a1.exe
File opened (read-only)	\??\I:	e5835a1.exe
File opened (read-only)	\??\J:	e5835a1.exe
File opened (read-only)	\??\M:	e5835a1.exe
File opened (read-only)	\??\G:	e585b5a.exe
File opened (read-only)	\??\H:	e585b5a.exe

Drops file in Windows directory 3 IoCs

Processes:

e5835a1.exee585b5a.exe

description ioc process

File created C:\Windows\e5835f0 e5835a1.exe
File opened for modification C:\Windows\SYSTEM.INI e5835a1.exe
File created C:\Windows\e588901 e585b5a.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e5835a1.exee585b5a.exe

pid process

3412 e5835a1.exe
3412 e5835a1.exe
3412 e5835a1.exe
3412 e5835a1.exe
5080 e585b5a.exe
5080 e585b5a.exe

description	ioc	process
File created	C:\Windows\e5835f0	e5835a1.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5835a1.exe
File created	C:\Windows\e588901	e585b5a.exe

pid	process
3412	e5835a1.exe
3412	e5835a1.exe
3412	e5835a1.exe
3412	e5835a1.exe
5080	e585b5a.exe
5080	e585b5a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5835a1.exe

description	pid	process
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe
Token: SeDebugPrivilege	3412	e5835a1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee5835a1.exe

description	pid	process	target process
PID 4372 wrote to memory of 3532	4372	rundll32.exe	rundll32.exe
PID 4372 wrote to memory of 3532	4372	rundll32.exe	rundll32.exe
PID 4372 wrote to memory of 3532	4372	rundll32.exe	rundll32.exe
PID 3532 wrote to memory of 3412	3532	rundll32.exe	e5835a1.exe
PID 3532 wrote to memory of 3412	3532	rundll32.exe	e5835a1.exe
PID 3532 wrote to memory of 3412	3532	rundll32.exe	e5835a1.exe
PID 3412 wrote to memory of 792	3412	e5835a1.exe	fontdrvhost.exe
PID 3412 wrote to memory of 796	3412	e5835a1.exe	fontdrvhost.exe
PID 3412 wrote to memory of 60	3412	e5835a1.exe	dwm.exe
PID 3412 wrote to memory of 2972	3412	e5835a1.exe	sihost.exe
PID 3412 wrote to memory of 3028	3412	e5835a1.exe	svchost.exe
PID 3412 wrote to memory of 1132	3412	e5835a1.exe	taskhostw.exe
PID 3412 wrote to memory of 3452	3412	e5835a1.exe	Explorer.EXE
PID 3412 wrote to memory of 3560	3412	e5835a1.exe	svchost.exe
PID 3412 wrote to memory of 3760	3412	e5835a1.exe	DllHost.exe
PID 3412 wrote to memory of 3852	3412	e5835a1.exe	StartMenuExperienceHost.exe
PID 3412 wrote to memory of 3920	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 3996	3412	e5835a1.exe	SearchApp.exe
PID 3412 wrote to memory of 3676	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 3424	3412	e5835a1.exe	TextInputHost.exe
PID 3412 wrote to memory of 2032	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 2416	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 4624	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 3928	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 4220	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 4756	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 3968	3412	e5835a1.exe	backgroundTaskHost.exe
PID 3412 wrote to memory of 2188	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 2400	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 3900	3412	e5835a1.exe	backgroundTaskHost.exe
PID 3412 wrote to memory of 4372	3412	e5835a1.exe	rundll32.exe
PID 3412 wrote to memory of 3532	3412	e5835a1.exe	rundll32.exe
PID 3412 wrote to memory of 3532	3412	e5835a1.exe	rundll32.exe
PID 3532 wrote to memory of 832	3532	rundll32.exe	e5836f9.exe
PID 3532 wrote to memory of 832	3532	rundll32.exe	e5836f9.exe
PID 3532 wrote to memory of 832	3532	rundll32.exe	e5836f9.exe
PID 3532 wrote to memory of 5080	3532	rundll32.exe	e585b5a.exe
PID 3532 wrote to memory of 5080	3532	rundll32.exe	e585b5a.exe
PID 3532 wrote to memory of 5080	3532	rundll32.exe	e585b5a.exe
PID 3412 wrote to memory of 792	3412	e5835a1.exe	fontdrvhost.exe
PID 3412 wrote to memory of 796	3412	e5835a1.exe	fontdrvhost.exe
PID 3412 wrote to memory of 60	3412	e5835a1.exe	dwm.exe
PID 3412 wrote to memory of 2972	3412	e5835a1.exe	sihost.exe
PID 3412 wrote to memory of 3028	3412	e5835a1.exe	svchost.exe
PID 3412 wrote to memory of 1132	3412	e5835a1.exe	taskhostw.exe
PID 3412 wrote to memory of 3452	3412	e5835a1.exe	Explorer.EXE
PID 3412 wrote to memory of 3560	3412	e5835a1.exe	svchost.exe
PID 3412 wrote to memory of 3760	3412	e5835a1.exe	DllHost.exe
PID 3412 wrote to memory of 3852	3412	e5835a1.exe	StartMenuExperienceHost.exe
PID 3412 wrote to memory of 3920	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 3996	3412	e5835a1.exe	SearchApp.exe
PID 3412 wrote to memory of 3676	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 3424	3412	e5835a1.exe	TextInputHost.exe
PID 3412 wrote to memory of 2032	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 2416	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 4624	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 3928	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 4220	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 4756	3412	e5835a1.exe	msedge.exe
PID 3412 wrote to memory of 3968	3412	e5835a1.exe	backgroundTaskHost.exe
PID 3412 wrote to memory of 2188	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 2400	3412	e5835a1.exe	RuntimeBroker.exe
PID 3412 wrote to memory of 3900	3412	e5835a1.exe	backgroundTaskHost.exe
PID 3412 wrote to memory of 832	3412	e5835a1.exe	e5836f9.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e5835a1.exee585b5a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5835a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e585b5a.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:60

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3028

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66a7fba154ff276250f9f535786ccd1eed89b29c236148b31a432e0618e7b6b1_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66a7fba154ff276250f9f535786ccd1eed89b29c236148b31a432e0618e7b6b1_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\e5835a1.exe
C:\Users\Admin\AppData\Local\Temp\e5835a1.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3412

C:\Users\Admin\AppData\Local\Temp\e5836f9.exe
C:\Users\Admin\AppData\Local\Temp\e5836f9.exe
4⤵
- Executes dropped EXE
PID:832

C:\Users\Admin\AppData\Local\Temp\e585b5a.exe
C:\Users\Admin\AppData\Local\Temp\e585b5a.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3676

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffd37124ef8,0x7ffd37124f04,0x7ffd37124f10
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2328,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:2
2⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1880,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:3
2⤵
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2348,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:8
2⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2816,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
2⤵
PID:3536

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2188

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2400

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3900

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5835a1.exe
Filesize
97KB

MD5
51fbd3196304f56d6b52cb6af0a5ff8d

SHA1
a83e08c9b5df7ddef9b7d4fbc6115df1bc35d7e2

SHA256
fae28ae5381dd688979df19459e3efefc1be73b55fc3aaade2a46ab0af0ea6c1

SHA512
185df0cdc3e7cb8e6568ab859994ed29025e1406ebdf8d4cbfcf7c8f45514610fdb594168e02bfca4ccddbee02bc5c620d29f6720e4765b3f0acad9a8e60544d

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
5de10689763817aaedc91c810bd1e076

SHA1
ff54232f003f90b461066c8c84569501428ce4e0

SHA256
8f7b0d424d7777e8c7e2beea3a48e5566c49e161a6711c6d2037f1e7c9ae2526

SHA512
e9bb47b4a77964b28b95092be0335c1bc275ce2645801db307a07f52f067cf9a38f75426f1967031fd649fd1092f1e6111bf0ebd117b739dc5e87ea1e2315a76

Download Submit
memory/832-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/832-91-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/832-94-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/832-51-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/832-54-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3412-40-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-35-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-27-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-13-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-17-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/3412-8-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3412-10-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-9-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-73-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-6-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-28-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-37-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-36-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-38-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-39-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-32-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/3412-90-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3412-79-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/3412-70-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-67-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-12-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-65-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-29-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/3412-18-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-58-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-59-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-60-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-61-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3412-63-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/3532-14-0x0000000001120000-0x0000000001122000-memory.dmp

Filesize
8KB

Download
memory/3532-15-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3532-24-0x0000000001120000-0x0000000001122000-memory.dmp

Filesize
8KB

Download
memory/3532-34-0x0000000001120000-0x0000000001122000-memory.dmp

Filesize
8KB

Download
memory/3532-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/5080-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/5080-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/5080-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5080-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5080-106-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download
memory/5080-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5080-141-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download