sality | 7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658_NeikiAnalytics.dll
Size

120KB
MD5

55c3ecd2e70ddf0891e6c71d8b57d590
SHA1

16a4c0a5f8c88076acd53f8f6d8706a43838227a
SHA256

7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658
SHA512

ed0acc40f73e9fbc8f8b828bf0e6269686c5f554aebf61273f7400db605d11ef7e08cc0675b2754db5f3e52bf5a20e5130fd0af342a6a16729b9f8644456d519
SSDEEP

3072:84EWK3jjN0rQhFGm4r2kU5eN4ShLoFuPYdqaHIPYyPV:FK3jh0raGmU2kYemSh3ypy9

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e57f1d2.exee581383.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e581383.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57f1d2.exee581383.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e581383.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e581383.exee57f1d2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e581383.exe

Executes dropped EXE 4 IoCs

Processes:

e57f1d2.exee57f889.exee581383.exee58148d.exe

pid process

1360 e57f1d2.exe
1720 e57f889.exe
1012 e581383.exe
4816 e58148d.exe

pid	process
1360	e57f1d2.exe
1720	e57f889.exe
1012	e581383.exe
4816	e58148d.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1360-6-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-8-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-9-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-12-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-19-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-20-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-21-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-13-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-11-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-10-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-35-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-36-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-37-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-49-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-51-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1360-69-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/1012-86-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-90-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-89-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-101-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-92-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-98-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-99-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-100-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-91-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-88-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-102-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/1012-125-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57f1d2.exee581383.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57f1d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e581383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e581383.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e581383.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e57f1d2.exee581383.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e581383.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

e57f1d2.exe

description ioc process

File opened (read-only) \??\E: e57f1d2.exe
Drops file in Windows directory 3 IoCs

Processes:

e57f1d2.exee581383.exe

description ioc process

File created C:\Windows\e57f433 e57f1d2.exe
File opened for modification C:\Windows\SYSTEM.INI e57f1d2.exe
File created C:\Windows\e5861a3 e581383.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e57f1d2.exee581383.exe

pid process

1360 e57f1d2.exe
1360 e57f1d2.exe
1360 e57f1d2.exe
1360 e57f1d2.exe
1012 e581383.exe
1012 e581383.exe

description	ioc	process
File opened (read-only)	\??\E:	e57f1d2.exe

description	ioc	process
File created	C:\Windows\e57f433	e57f1d2.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57f1d2.exe
File created	C:\Windows\e5861a3	e581383.exe

pid	process
1360	e57f1d2.exe
1360	e57f1d2.exe
1360	e57f1d2.exe
1360	e57f1d2.exe
1012	e581383.exe
1012	e581383.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57f1d2.exe

description	pid	process
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe
Token: SeDebugPrivilege	1360	e57f1d2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee57f1d2.exe

description	pid	process	target process
PID 536 wrote to memory of 4856	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 4856	536	rundll32.exe	rundll32.exe
PID 536 wrote to memory of 4856	536	rundll32.exe	rundll32.exe
PID 4856 wrote to memory of 1360	4856	rundll32.exe	e57f1d2.exe
PID 4856 wrote to memory of 1360	4856	rundll32.exe	e57f1d2.exe
PID 4856 wrote to memory of 1360	4856	rundll32.exe	e57f1d2.exe
PID 1360 wrote to memory of 784	1360	e57f1d2.exe	fontdrvhost.exe
PID 1360 wrote to memory of 792	1360	e57f1d2.exe	fontdrvhost.exe
PID 1360 wrote to memory of 388	1360	e57f1d2.exe	dwm.exe
PID 1360 wrote to memory of 2808	1360	e57f1d2.exe	sihost.exe
PID 1360 wrote to memory of 2848	1360	e57f1d2.exe	svchost.exe
PID 1360 wrote to memory of 2952	1360	e57f1d2.exe	taskhostw.exe
PID 1360 wrote to memory of 3372	1360	e57f1d2.exe	Explorer.EXE
PID 1360 wrote to memory of 3564	1360	e57f1d2.exe	svchost.exe
PID 1360 wrote to memory of 3756	1360	e57f1d2.exe	DllHost.exe
PID 1360 wrote to memory of 3880	1360	e57f1d2.exe	StartMenuExperienceHost.exe
PID 1360 wrote to memory of 3972	1360	e57f1d2.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4056	1360	e57f1d2.exe	SearchApp.exe
PID 1360 wrote to memory of 4108	1360	e57f1d2.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4800	1360	e57f1d2.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 2272	1360	e57f1d2.exe	TextInputHost.exe
PID 1360 wrote to memory of 3848	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 1292	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3312	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3112	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3428	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 4128	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3892	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 536	1360	e57f1d2.exe	rundll32.exe
PID 1360 wrote to memory of 4856	1360	e57f1d2.exe	rundll32.exe
PID 1360 wrote to memory of 4856	1360	e57f1d2.exe	rundll32.exe
PID 4856 wrote to memory of 1720	4856	rundll32.exe	e57f889.exe
PID 4856 wrote to memory of 1720	4856	rundll32.exe	e57f889.exe
PID 4856 wrote to memory of 1720	4856	rundll32.exe	e57f889.exe
PID 4856 wrote to memory of 1012	4856	rundll32.exe	e581383.exe
PID 4856 wrote to memory of 1012	4856	rundll32.exe	e581383.exe
PID 4856 wrote to memory of 1012	4856	rundll32.exe	e581383.exe
PID 4856 wrote to memory of 4816	4856	rundll32.exe	e58148d.exe
PID 4856 wrote to memory of 4816	4856	rundll32.exe	e58148d.exe
PID 4856 wrote to memory of 4816	4856	rundll32.exe	e58148d.exe
PID 1360 wrote to memory of 784	1360	e57f1d2.exe	fontdrvhost.exe
PID 1360 wrote to memory of 792	1360	e57f1d2.exe	fontdrvhost.exe
PID 1360 wrote to memory of 388	1360	e57f1d2.exe	dwm.exe
PID 1360 wrote to memory of 2808	1360	e57f1d2.exe	sihost.exe
PID 1360 wrote to memory of 2848	1360	e57f1d2.exe	svchost.exe
PID 1360 wrote to memory of 2952	1360	e57f1d2.exe	taskhostw.exe
PID 1360 wrote to memory of 3372	1360	e57f1d2.exe	Explorer.EXE
PID 1360 wrote to memory of 3564	1360	e57f1d2.exe	svchost.exe
PID 1360 wrote to memory of 3756	1360	e57f1d2.exe	DllHost.exe
PID 1360 wrote to memory of 3880	1360	e57f1d2.exe	StartMenuExperienceHost.exe
PID 1360 wrote to memory of 3972	1360	e57f1d2.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4056	1360	e57f1d2.exe	SearchApp.exe
PID 1360 wrote to memory of 4108	1360	e57f1d2.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4800	1360	e57f1d2.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 2272	1360	e57f1d2.exe	TextInputHost.exe
PID 1360 wrote to memory of 3848	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 1292	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3312	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3112	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3428	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 4128	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 3892	1360	e57f1d2.exe	msedge.exe
PID 1360 wrote to memory of 1720	1360	e57f1d2.exe	e57f889.exe
PID 1360 wrote to memory of 1720	1360	e57f1d2.exe	e57f889.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e57f1d2.exee581383.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57f1d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e581383.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2848

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f505ddd3c5265692b72a1744392f9700cc09162233943912bf09bdd4e4ed658_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\e57f1d2.exe
C:\Users\Admin\AppData\Local\Temp\e57f1d2.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1360

C:\Users\Admin\AppData\Local\Temp\e57f889.exe
C:\Users\Admin\AppData\Local\Temp\e57f889.exe
4⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\e581383.exe
C:\Users\Admin\AppData\Local\Temp\e581383.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1012

C:\Users\Admin\AppData\Local\Temp\e58148d.exe
C:\Users\Admin\AppData\Local\Temp\e58148d.exe
4⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4800

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x214,0x7ff825262e98,0x7ff825262ea4,0x7ff825262eb0
2⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2740 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:2
2⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2800 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3
2⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
2⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5544 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
2⤵
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57f1d2.exe
Filesize
97KB

MD5
66f06434c02252a70a44805aac745596

SHA1
a5a727f68b45a862a73eff0c2f126b287bee444c

SHA256
6e644836c7d94a36d592e4844f797acd38b077ea0acca4e7892de694e9ce97df

SHA512
900c3f76c1f2a08aeedef7d1de2ddf6def6b88f7ef3e9469ddb3593c1be3696d5d28a86331f5a59ca1e5a504ed7a3e56d675e4fe84058438835978e987c00437

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
07729ffed83a3428b24fc990c88984bc

SHA1
f26dc81de3bdb15975e98403a6d2c868bd45aa78

SHA256
62986be4562983036fa849d0796eca43acaef93b90d714a8b65bf8c7f3ae954b

SHA512
e1d451da4026459be6cbcbdb54beecb559785d758c6275856b51c824bba49b310b3e68321fe2a0e77151498229bd60fc0d050129c3b5289dba2a774d2a367d1d

Download Submit
memory/1012-99-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-98-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-102-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-88-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-91-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-100-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1012-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1012-92-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-101-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-89-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-90-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-86-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-125-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/1012-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1012-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1360-27-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1360-33-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1360-10-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-35-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-36-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-37-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1360-49-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-51-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-6-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-8-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-13-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-9-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-12-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-19-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-20-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-11-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-29-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1360-70-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1360-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1360-69-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1360-21-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/1720-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1720-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1720-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1720-82-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1720-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1720-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4816-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4816-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4816-108-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4816-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4816-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4856-23-0x0000000004930000-0x0000000004932000-memory.dmp

Filesize
8KB

Download
memory/4856-25-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/4856-22-0x0000000004930000-0x0000000004932000-memory.dmp

Filesize
8KB

Download
memory/4856-32-0x0000000004930000-0x0000000004932000-memory.dmp

Filesize
8KB

Download
memory/4856-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download