sality | 71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll
Size

120KB
MD5

163cf396957170cb78de1e659bbecaa0
SHA1

426dba85964e52866c3e72bbc0e6126f9158c538
SHA256

71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db
SHA512

f82ba9eb52ec3668ee28b433d48c2be681eca37db7ad0b52ac7edc45cf5450e395309979f39e4060e0d84cebbfbd12ab489bf9c2a893935e80affdddcafe31f4
SSDEEP

1536:QOwGisdzxX3ciMB6Gipx1X9zsBYgMDSMRFGtq9lLMxec5w3Z9UJuf+3aZpJ3r+Eb:Qzs1iiMgGA9zg/MPhr3Z90qZjf

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5809ee.exee57d12b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5809ee.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5809ee.exee57d12b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57d12b.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57d12b.exee5809ee.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5809ee.exe

Executes dropped EXE 3 IoCs

Processes:

e57d12b.exee57d2c1.exee5809ee.exe

pid process

4976 e57d12b.exe
3592 e57d2c1.exe
2236 e5809ee.exe

pid	process
4976	e57d12b.exe
3592	e57d2c1.exe
2236	e5809ee.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4976-6-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-8-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-10-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-9-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-12-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-24-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-13-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-25-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-35-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-36-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-11-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-37-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-38-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-39-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-44-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-45-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-47-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-56-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-57-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-59-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-61-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-63-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/4976-80-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2236-88-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/2236-89-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/2236-97-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/2236-98-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/2236-94-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/2236-95-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/2236-135-0x0000000000780000-0x000000000183A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57d12b.exee5809ee.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5809ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5809ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5809ee.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e57d12b.exee5809ee.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5809ee.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5809ee.exee57d12b.exe

description	ioc	process
File opened (read-only)	\??\E:	e5809ee.exe
File opened (read-only)	\??\E:	e57d12b.exe
File opened (read-only)	\??\G:	e57d12b.exe
File opened (read-only)	\??\H:	e57d12b.exe
File opened (read-only)	\??\I:	e57d12b.exe
File opened (read-only)	\??\J:	e57d12b.exe
File opened (read-only)	\??\K:	e57d12b.exe

Drops file in Windows directory 3 IoCs

Processes:

e57d12b.exee5809ee.exe

description ioc process

File created C:\Windows\e57d188 e57d12b.exe
File opened for modification C:\Windows\SYSTEM.INI e57d12b.exe
File created C:\Windows\e58314c e5809ee.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e57d12b.exee5809ee.exe

pid process

4976 e57d12b.exe
4976 e57d12b.exe
4976 e57d12b.exe
4976 e57d12b.exe
2236 e5809ee.exe
2236 e5809ee.exe

description	ioc	process
File created	C:\Windows\e57d188	e57d12b.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57d12b.exe
File created	C:\Windows\e58314c	e5809ee.exe

pid	process
4976	e57d12b.exe
4976	e57d12b.exe
4976	e57d12b.exe
4976	e57d12b.exe
2236	e5809ee.exe
2236	e5809ee.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57d12b.exe

description	pid	process
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe
Token: SeDebugPrivilege	4976	e57d12b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee57d12b.exee5809ee.exe

description	pid	process	target process
PID 4660 wrote to memory of 1900	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 1900	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 1900	4660	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 4976	1900	rundll32.exe	e57d12b.exe
PID 1900 wrote to memory of 4976	1900	rundll32.exe	e57d12b.exe
PID 1900 wrote to memory of 4976	1900	rundll32.exe	e57d12b.exe
PID 4976 wrote to memory of 776	4976	e57d12b.exe	fontdrvhost.exe
PID 4976 wrote to memory of 784	4976	e57d12b.exe	fontdrvhost.exe
PID 4976 wrote to memory of 316	4976	e57d12b.exe	dwm.exe
PID 4976 wrote to memory of 2568	4976	e57d12b.exe	sihost.exe
PID 4976 wrote to memory of 2596	4976	e57d12b.exe	svchost.exe
PID 4976 wrote to memory of 2844	4976	e57d12b.exe	taskhostw.exe
PID 4976 wrote to memory of 3392	4976	e57d12b.exe	Explorer.EXE
PID 4976 wrote to memory of 3564	4976	e57d12b.exe	svchost.exe
PID 4976 wrote to memory of 3756	4976	e57d12b.exe	DllHost.exe
PID 4976 wrote to memory of 3852	4976	e57d12b.exe	StartMenuExperienceHost.exe
PID 4976 wrote to memory of 3912	4976	e57d12b.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4004	4976	e57d12b.exe	SearchApp.exe
PID 4976 wrote to memory of 3788	4976	e57d12b.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4416	4976	e57d12b.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4652	4976	e57d12b.exe	TextInputHost.exe
PID 4976 wrote to memory of 5004	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 4956	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 4480	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 4492	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 3936	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 2172	4976	e57d12b.exe	backgroundTaskHost.exe
PID 4976 wrote to memory of 3108	4976	e57d12b.exe	backgroundTaskHost.exe
PID 4976 wrote to memory of 4660	4976	e57d12b.exe	rundll32.exe
PID 4976 wrote to memory of 1900	4976	e57d12b.exe	rundll32.exe
PID 4976 wrote to memory of 1900	4976	e57d12b.exe	rundll32.exe
PID 1900 wrote to memory of 3592	1900	rundll32.exe	e57d2c1.exe
PID 1900 wrote to memory of 3592	1900	rundll32.exe	e57d2c1.exe
PID 1900 wrote to memory of 3592	1900	rundll32.exe	e57d2c1.exe
PID 4976 wrote to memory of 776	4976	e57d12b.exe	fontdrvhost.exe
PID 4976 wrote to memory of 784	4976	e57d12b.exe	fontdrvhost.exe
PID 4976 wrote to memory of 316	4976	e57d12b.exe	dwm.exe
PID 4976 wrote to memory of 2568	4976	e57d12b.exe	sihost.exe
PID 4976 wrote to memory of 2596	4976	e57d12b.exe	svchost.exe
PID 4976 wrote to memory of 2844	4976	e57d12b.exe	taskhostw.exe
PID 4976 wrote to memory of 3392	4976	e57d12b.exe	Explorer.EXE
PID 4976 wrote to memory of 3564	4976	e57d12b.exe	svchost.exe
PID 4976 wrote to memory of 3756	4976	e57d12b.exe	DllHost.exe
PID 4976 wrote to memory of 3852	4976	e57d12b.exe	StartMenuExperienceHost.exe
PID 4976 wrote to memory of 3912	4976	e57d12b.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4004	4976	e57d12b.exe	SearchApp.exe
PID 4976 wrote to memory of 3788	4976	e57d12b.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4416	4976	e57d12b.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4652	4976	e57d12b.exe	TextInputHost.exe
PID 4976 wrote to memory of 5004	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 4956	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 4480	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 4492	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 3936	4976	e57d12b.exe	msedge.exe
PID 4976 wrote to memory of 2172	4976	e57d12b.exe	backgroundTaskHost.exe
PID 4976 wrote to memory of 3108	4976	e57d12b.exe	backgroundTaskHost.exe
PID 4976 wrote to memory of 4660	4976	e57d12b.exe	rundll32.exe
PID 4976 wrote to memory of 3592	4976	e57d12b.exe	e57d2c1.exe
PID 4976 wrote to memory of 3592	4976	e57d12b.exe	e57d2c1.exe
PID 1900 wrote to memory of 2236	1900	rundll32.exe	e5809ee.exe
PID 1900 wrote to memory of 2236	1900	rundll32.exe	e5809ee.exe
PID 1900 wrote to memory of 2236	1900	rundll32.exe	e5809ee.exe
PID 2236 wrote to memory of 776	2236	e5809ee.exe	fontdrvhost.exe
PID 2236 wrote to memory of 784	2236	e5809ee.exe	fontdrvhost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e57d12b.exee5809ee.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57d12b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5809ee.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2596

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\e57d12b.exe
C:\Users\Admin\AppData\Local\Temp\e57d12b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4976

C:\Users\Admin\AppData\Local\Temp\e57d2c1.exe
C:\Users\Admin\AppData\Local\Temp\e57d2c1.exe
4⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Local\Temp\e5809ee.exe
C:\Users\Admin\AppData\Local\Temp\e5809ee.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4416

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fffa4104ef8,0x7fffa4104f04,0x7fffa4104f10
2⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:2
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1888,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3092 /prefetch:3
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2360,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3228 /prefetch:8
2⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2432,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8
2⤵
PID:1696

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2172

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3212

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57d12b.exe
Filesize
97KB

MD5
3f0ee0071f010b0a817514b9fce4796a

SHA1
3360f62f7bf1b184463bf5bac9ac1414b4769f0e

SHA256
3ab4f11430c87411c6110c1a827c7ba20ce0b230cef11a0d7b773e19c9050393

SHA512
4f445dcd0ee76c93d484e6e1303de2407f61517620260a6c62d759cd24c734c7fd74ad7f53acb10dbb2e0b06b6642994057377befbcd07fa6456f0dd738c7ada

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
89e3b0c937afde9e2790a6ea9bced01a

SHA1
84fc4d4ebaedca24409e930d700b59c92394ccf4

SHA256
5aae79e1b37b97294c45ea7ddd38ec02c4e1ba835a32f9afd5284afe2fd52e1b

SHA512
c4b490893079bc675548eb4689712defe2db5189a061f3a5cb7efb6cc454b17af2b84dc4fdc552e3b5fa0c6f3466e5374f488713ccb7f3e9adccb20bece13e56

Download Submit
memory/1900-22-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1900-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1900-14-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/1900-18-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/1900-21-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/2236-88-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/2236-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2236-97-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/2236-135-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/2236-89-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/2236-94-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/2236-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2236-98-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/2236-109-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/2236-95-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/2236-110-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/3592-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3592-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3592-43-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3592-42-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3592-41-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4976-36-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-72-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/4976-38-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-37-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-17-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/4976-44-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-45-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-47-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-11-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-56-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-57-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-59-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-61-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-63-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-80-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-39-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4976-26-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/4976-34-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/4976-35-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-25-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-13-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-24-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-12-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-9-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-10-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-8-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-6-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/4976-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download