Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
- submitted: 29-06-2024 06:01

Static task: static1
Behavioral task: behavioral1
Sample: 71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll
Resource: win7-20240611-en
General
- Target: 71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll
- Size: 120KB
- MD5: 163cf396957170cb78de1e659bbecaa0
- SHA1: 426dba85964e52866c3e72bbc0e6126f9158c538
- SHA256: 71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db
- SHA512: f82ba9eb52ec3668ee28b433d48c2be681eca37db7ad0b52ac7edc45cf5450e395309979f39e4060e0d84cebbfbd12ab489bf9c2a893935e80affdddcafe31f4
- SSDEEP: 1536:QOwGisdzxX3ciMB6Gipx1X9zsBYgMDSMRFGtq9lLMxec5w3Z9UJuf+3aZpJ3r+Eb:Qzs1iiMgGA9zg/MPhr3Z90qZjf
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e5809ee.exe, e57d12b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5809ee.exe
-
Processes: e5809ee.exe, e57d12b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d12b.exe
-
Processes: e57d12b.exe, e5809ee.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5809ee.exe
-
Executes dropped EXE (3 IoCs)
Processes: e57d12b.exe, e57d2c1.exe, e5809ee.exe
pid | process
4976 | e57d12b.exe
3592 | e57d2c1.exe
2236 | e5809ee.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4976-6-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-8-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-10-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-9-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-12-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-24-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-13-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-25-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-35-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-36-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-11-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-37-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-38-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-39-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-44-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-45-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-47-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-56-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-57-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-59-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-61-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-63-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4976-80-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2236-88-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2236-89-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2236-97-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2236-98-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2236-94-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2236-95-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2236-135-0x0000000000780000-0x000000000183A000-memory.dmp | upx
-
Processes: e57d12b.exe, e5809ee.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5809ee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5809ee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5809ee.exe
-
Processes: e57d12b.exe, e5809ee.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5809ee.exe
-
Enumerates connected drives (3 TTPs, 7 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e5809ee.exe, e57d12b.exe
description | ioc | process
File opened (read-only) | \??\E: | e5809ee.exe
File opened (read-only) | \??\E: | e57d12b.exe
File opened (read-only) | \??\G: | e57d12b.exe
File opened (read-only) | \??\H: | e57d12b.exe
File opened (read-only) | \??\I: | e57d12b.exe
File opened (read-only) | \??\J: | e57d12b.exe
File opened (read-only) | \??\K: | e57d12b.exe
-
Drops file in Windows directory (3 IoCs)
Processes: e57d12b.exe, e5809ee.exe
description | ioc | process
File created | C:\Windows\e57d188 | e57d12b.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57d12b.exe
File created | C:\Windows\e58314c | e5809ee.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e57d12b.exe, e5809ee.exe
pid | process
4976 | e57d12b.exe
4976 | e57d12b.exe
4976 | e57d12b.exe
4976 | e57d12b.exe
2236 | e5809ee.exe
2236 | e5809ee.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e57d12b.exe
description | pid | process
Token: SeDebugPrivilege | 4976 | e57d12b.exe (64 identical entries, shown once)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e57d12b.exe, e5809ee.exe
description | pid | process | target process
PID 4660 wrote to memory of 1900 | 4660 | rundll32.exe | rundll32.exe (3 entries)
PID 1900 wrote to memory of 4976 | 1900 | rundll32.exe | e57d12b.exe (3 entries)
PID 4976 wrote to memory of 776 | 4976 | e57d12b.exe | fontdrvhost.exe
PID 4976 wrote to memory of 784 | 4976 | e57d12b.exe | fontdrvhost.exe
PID 4976 wrote to memory of 316 | 4976 | e57d12b.exe | dwm.exe
PID 4976 wrote to memory of 2568 | 4976 | e57d12b.exe | sihost.exe
PID 4976 wrote to memory of 2596 | 4976 | e57d12b.exe | svchost.exe
PID 4976 wrote to memory of 2844 | 4976 | e57d12b.exe | taskhostw.exe
PID 4976 wrote to memory of 3392 | 4976 | e57d12b.exe | Explorer.EXE
PID 4976 wrote to memory of 3564 | 4976 | e57d12b.exe | svchost.exe
PID 4976 wrote to memory of 3756 | 4976 | e57d12b.exe | DllHost.exe
PID 4976 wrote to memory of 3852 | 4976 | e57d12b.exe | StartMenuExperienceHost.exe
PID 4976 wrote to memory of 3912 | 4976 | e57d12b.exe | RuntimeBroker.exe
PID 4976 wrote to memory of 4004 | 4976 | e57d12b.exe | SearchApp.exe
PID 4976 wrote to memory of 3788 | 4976 | e57d12b.exe | RuntimeBroker.exe
PID 4976 wrote to memory of 4416 | 4976 | e57d12b.exe | RuntimeBroker.exe
PID 4976 wrote to memory of 4652 | 4976 | e57d12b.exe | TextInputHost.exe
PID 4976 wrote to memory of 5004 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 4956 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 4480 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 4492 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 3936 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 2172 | 4976 | e57d12b.exe | backgroundTaskHost.exe
PID 4976 wrote to memory of 3108 | 4976 | e57d12b.exe | backgroundTaskHost.exe
PID 4976 wrote to memory of 4660 | 4976 | e57d12b.exe | rundll32.exe
PID 4976 wrote to memory of 1900 | 4976 | e57d12b.exe | rundll32.exe (2 entries)
PID 1900 wrote to memory of 3592 | 1900 | rundll32.exe | e57d2c1.exe (3 entries)
PID 4976 wrote to memory of 776 | 4976 | e57d12b.exe | fontdrvhost.exe
PID 4976 wrote to memory of 784 | 4976 | e57d12b.exe | fontdrvhost.exe
PID 4976 wrote to memory of 316 | 4976 | e57d12b.exe | dwm.exe
PID 4976 wrote to memory of 2568 | 4976 | e57d12b.exe | sihost.exe
PID 4976 wrote to memory of 2596 | 4976 | e57d12b.exe | svchost.exe
PID 4976 wrote to memory of 2844 | 4976 | e57d12b.exe | taskhostw.exe
PID 4976 wrote to memory of 3392 | 4976 | e57d12b.exe | Explorer.EXE
PID 4976 wrote to memory of 3564 | 4976 | e57d12b.exe | svchost.exe
PID 4976 wrote to memory of 3756 | 4976 | e57d12b.exe | DllHost.exe
PID 4976 wrote to memory of 3852 | 4976 | e57d12b.exe | StartMenuExperienceHost.exe
PID 4976 wrote to memory of 3912 | 4976 | e57d12b.exe | RuntimeBroker.exe
PID 4976 wrote to memory of 4004 | 4976 | e57d12b.exe | SearchApp.exe
PID 4976 wrote to memory of 3788 | 4976 | e57d12b.exe | RuntimeBroker.exe
PID 4976 wrote to memory of 4416 | 4976 | e57d12b.exe | RuntimeBroker.exe
PID 4976 wrote to memory of 4652 | 4976 | e57d12b.exe | TextInputHost.exe
PID 4976 wrote to memory of 5004 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 4956 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 4480 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 4492 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 3936 | 4976 | e57d12b.exe | msedge.exe
PID 4976 wrote to memory of 2172 | 4976 | e57d12b.exe | backgroundTaskHost.exe
PID 4976 wrote to memory of 3108 | 4976 | e57d12b.exe | backgroundTaskHost.exe
PID 4976 wrote to memory of 4660 | 4976 | e57d12b.exe | rundll32.exe
PID 4976 wrote to memory of 3592 | 4976 | e57d12b.exe | e57d2c1.exe (2 entries)
PID 1900 wrote to memory of 2236 | 1900 | rundll32.exe | e5809ee.exe (3 entries)
PID 2236 wrote to memory of 776 | 2236 | e5809ee.exe | fontdrvhost.exe
PID 2236 wrote to memory of 784 | 2236 | e5809ee.exe | fontdrvhost.exe
-
System policy modification (1 TTPs, 2 IoCs)
Processes: e57d12b.exe, e5809ee.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d12b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5809ee.exe
Processes
(process image, then its command line; child processes are indented under their parent)
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  "dwm.exe"
- C:\Windows\system32\sihost.exe
  sihost.exe
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\71739fdd097b9ea4670dcfe5e9066b97768bc54ff4d6d526b9d4f24c9b5476db_NeikiAnalytics.dll,#1
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57d12b.exe
        C:\Users\Admin\AppData\Local\Temp\e57d12b.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57d2c1.exe
        C:\Users\Admin\AppData\Local\Temp\e57d2c1.exe
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5809ee.exe
        C:\Users\Admin\AppData\Local\Temp\e5809ee.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fffa4104ef8,0x7fffa4104f04,0x7fffa4104f10
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1888,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3092 /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2360,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3228 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2432,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process: 1
- Windows Service: 1
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
Defense Evasion
- Modify Registry: 5
- Impair Defenses: 4
- Disable or Modify Tools: 3
- Disable or Modify System Firewall: 1
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\e57d12b.exe
  Filesize: 97KB
  MD5: 3f0ee0071f010b0a817514b9fce4796a
  SHA1: 3360f62f7bf1b184463bf5bac9ac1414b4769f0e
  SHA256: 3ab4f11430c87411c6110c1a827c7ba20ce0b230cef11a0d7b773e19c9050393
  SHA512: 4f445dcd0ee76c93d484e6e1303de2407f61517620260a6c62d759cd24c734c7fd74ad7f53acb10dbb2e0b06b6642994057377befbcd07fa6456f0dd738c7ada
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 89e3b0c937afde9e2790a6ea9bced01a
  SHA1: 84fc4d4ebaedca24409e930d700b59c92394ccf4
  SHA256: 5aae79e1b37b97294c45ea7ddd38ec02c4e1ba835a32f9afd5284afe2fd52e1b
  SHA512: c4b490893079bc675548eb4689712defe2db5189a061f3a5cb7efb6cc454b17af2b84dc4fdc552e3b5fa0c6f3466e5374f488713ccb7f3e9adccb20bece13e56
- memory/1900-22-0x0000000000B10000-0x0000000000B11000-memory.dmp (Filesize: 4KB)
- memory/1900-1-0x0000000010000000-0x0000000010020000-memory.dmp (Filesize: 128KB)
- memory/1900-14-0x00000000008D0000-0x00000000008D2000-memory.dmp (Filesize: 8KB)
- memory/1900-18-0x00000000008D0000-0x00000000008D2000-memory.dmp (Filesize: 8KB)
- memory/1900-21-0x00000000008D0000-0x00000000008D2000-memory.dmp (Filesize: 8KB)
- memory/2236-88-0x0000000000780000-0x000000000183A000-memory.dmp (Filesize: 16.7MB)
- memory/2236-52-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2236-97-0x0000000000780000-0x000000000183A000-memory.dmp (Filesize: 16.7MB)
- memory/2236-135-0x0000000000780000-0x000000000183A000-memory.dmp (Filesize: 16.7MB)
- memory/2236-89-0x0000000000780000-0x000000000183A000-memory.dmp (Filesize: 16.7MB)
- memory/2236-94-0x0000000000780000-0x000000000183A000-memory.dmp (Filesize: 16.7MB)
- memory/2236-134-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2236-98-0x0000000000780000-0x000000000183A000-memory.dmp (Filesize: 16.7MB)
- memory/2236-109-0x0000000000550000-0x0000000000552000-memory.dmp (Filesize: 8KB)
- memory/2236-95-0x0000000000780000-0x000000000183A000-memory.dmp (Filesize: 16.7MB)
- memory/2236-110-0x0000000001B00000-0x0000000001B01000-memory.dmp (Filesize: 4KB)
- memory/3592-33-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/3592-87-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/3592-43-0x00000000001E0000-0x00000000001E2000-memory.dmp (Filesize: 8KB)
- memory/3592-42-0x00000000001E0000-0x00000000001E2000-memory.dmp (Filesize: 8KB)
- memory/3592-41-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)
- memory/4976-36-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-72-0x0000000003520000-0x0000000003522000-memory.dmp (Filesize: 8KB)
- memory/4976-38-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-37-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-17-0x0000000003E70000-0x0000000003E71000-memory.dmp (Filesize: 4KB)
- memory/4976-44-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-45-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-47-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-11-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-56-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-57-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-59-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-61-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-63-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-80-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-39-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-83-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/4976-26-0x0000000003520000-0x0000000003522000-memory.dmp (Filesize: 8KB)
- memory/4976-34-0x0000000003520000-0x0000000003522000-memory.dmp (Filesize: 8KB)
- memory/4976-35-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-25-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-13-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-24-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-12-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-9-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-10-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-8-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-6-0x0000000000760000-0x000000000181A000-memory.dmp (Filesize: 16.7MB)
- memory/4976-5-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)