Analysis

- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 07:21

Static task: static1
Behavioral task: behavioral1
- Sample: 7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658_NeikiAnalytics.dll
- Resource: win7-20240220-en
General

- Target: 7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658_NeikiAnalytics.dll
- Size: 120KB
- MD5: 55c3ecd2e70ddf0891e6c71d8b57d590
- SHA1: 16a4c0a5f8c88076acd53f8f6d8706a43838227a
- SHA256: 7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658
- SHA512: ed0acc40f73e9fbc8f8b828bf0e6269686c5f554aebf61273f7400db605d11ef7e08cc0675b2754db5f3e52bf5a20e5130fd0af342a6a16729b9f8644456d519
- SSDEEP: 3072:84EWK3jjN0rQhFGm4r2kU5eN4ShLoFuPYdqaHIPYyPV:FK3jh0raGmU2kYemSh3ypy9
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e581383.exe
UAC bypass
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581383.exe
Windows security bypass
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e581383.exe
Executes dropped EXE (4 IoCs)
  pid | process
  1360 | e57f1d2.exe
  1720 | e57f889.exe
  1012 | e581383.exe
  4816 | e58148d.exe
UPX packed file
  resource | yara_rule
  behavioral2/memory/1360-6-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-8-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-9-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-12-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-19-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-20-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-21-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-13-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-11-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-10-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-35-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-36-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-37-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-49-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-51-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1360-69-0x0000000000880000-0x000000000193A000-memory.dmp | upx
  behavioral2/memory/1012-86-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-90-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-89-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-101-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-92-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-98-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-99-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-100-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-91-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-88-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-102-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1012-125-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
Windows security modification
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f1d2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e581383.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e581383.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e581383.exe
Checks whether UAC is enabled
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581383.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\E: | e57f1d2.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\e57f433 | e57f1d2.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e57f1d2.exe
  File created | C:\Windows\e5861a3 | e581383.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  1360 | e57f1d2.exe
  1360 | e57f1d2.exe
  1360 | e57f1d2.exe
  1360 | e57f1d2.exe
  1012 | e581383.exe
  1012 | e581383.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1360 | e57f1d2.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 536 wrote to memory of 4856 | 536 | rundll32.exe | rundll32.exe
  PID 4856 wrote to memory of 1360 | 4856 | rundll32.exe | e57f1d2.exe
  PID 1360 wrote to memory of 784 | 1360 | e57f1d2.exe | fontdrvhost.exe
  PID 1360 wrote to memory of 792 | 1360 | e57f1d2.exe | fontdrvhost.exe
  PID 1360 wrote to memory of 388 | 1360 | e57f1d2.exe | dwm.exe
  PID 1360 wrote to memory of 2808 | 1360 | e57f1d2.exe | sihost.exe
  PID 1360 wrote to memory of 2848 | 1360 | e57f1d2.exe | svchost.exe
  PID 1360 wrote to memory of 2952 | 1360 | e57f1d2.exe | taskhostw.exe
  PID 1360 wrote to memory of 3372 | 1360 | e57f1d2.exe | Explorer.EXE
  PID 1360 wrote to memory of 3564 | 1360 | e57f1d2.exe | svchost.exe
  PID 1360 wrote to memory of 3756 | 1360 | e57f1d2.exe | DllHost.exe
  PID 1360 wrote to memory of 3880 | 1360 | e57f1d2.exe | StartMenuExperienceHost.exe
  PID 1360 wrote to memory of 3972 | 1360 | e57f1d2.exe | RuntimeBroker.exe
  PID 1360 wrote to memory of 4056 | 1360 | e57f1d2.exe | SearchApp.exe
  PID 1360 wrote to memory of 4108 | 1360 | e57f1d2.exe | RuntimeBroker.exe
  PID 1360 wrote to memory of 4800 | 1360 | e57f1d2.exe | RuntimeBroker.exe
  PID 1360 wrote to memory of 2272 | 1360 | e57f1d2.exe | TextInputHost.exe
  PID 1360 wrote to memory of 3848 | 1360 | e57f1d2.exe | msedge.exe
  PID 1360 wrote to memory of 1292 | 1360 | e57f1d2.exe | msedge.exe
  PID 1360 wrote to memory of 3312 | 1360 | e57f1d2.exe | msedge.exe
  PID 1360 wrote to memory of 3112 | 1360 | e57f1d2.exe | msedge.exe
  PID 1360 wrote to memory of 3428 | 1360 | e57f1d2.exe | msedge.exe
  PID 1360 wrote to memory of 4128 | 1360 | e57f1d2.exe | msedge.exe
  PID 1360 wrote to memory of 3892 | 1360 | e57f1d2.exe | msedge.exe
  PID 1360 wrote to memory of 536 | 1360 | e57f1d2.exe | rundll32.exe
  PID 1360 wrote to memory of 4856 | 1360 | e57f1d2.exe | rundll32.exe
  PID 4856 wrote to memory of 1720 | 4856 | rundll32.exe | e57f889.exe
  PID 4856 wrote to memory of 1012 | 4856 | rundll32.exe | e581383.exe
  PID 4856 wrote to memory of 4816 | 4856 | rundll32.exe | e58148d.exe
  PID 1360 wrote to memory of 1720 | 1360 | e57f1d2.exe | e57f889.exe
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f1d2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581383.exe
Processes

- C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"
- C:\Windows\system32\sihost.exe
    cmd: sihost.exe
- C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658_NeikiAnalytics.dll,#1
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
        cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658_NeikiAnalytics.dll,#1
        signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57f1d2.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\e57f1d2.exe
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57f889.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\e57f889.exe
          signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e581383.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\e581383.exe
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e58148d.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\e58148d.exe
          signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x214,0x7ff825262e98,0x7ff825262ea4,0x7ff825262eb0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2740 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2800 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5544 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)

Defense Evasion
- Modify Registry (5)
- Impair Defenses (4): Disable or Modify Tools (3), Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)

Downloads

- C:\Users\Admin\AppData\Local\Temp\e57f1d2.exe
    Filesize: 97KB
    MD5: 66f06434c02252a70a44805aac745596
    SHA1: a5a727f68b45a862a73eff0c2f126b287bee444c
    SHA256: 6e644836c7d94a36d592e4844f797acd38b077ea0acca4e7892de694e9ce97df
    SHA512: 900c3f76c1f2a08aeedef7d1de2ddf6def6b88f7ef3e9469ddb3593c1be3696d5d28a86331f5a59ca1e5a504ed7a3e56d675e4fe84058438835978e987c00437
- C:\Windows\SYSTEM.INI
    Filesize: 257B
    MD5: 07729ffed83a3428b24fc990c88984bc
    SHA1: f26dc81de3bdb15975e98403a6d2c868bd45aa78
    SHA256: 62986be4562983036fa849d0796eca43acaef93b90d714a8b65bf8c7f3ae954b
    SHA512: e1d451da4026459be6cbcbdb54beecb559785d758c6275856b51c824bba49b310b3e68321fe2a0e77151498229bd60fc0d050129c3b5289dba2a774d2a367d1d