sality | 900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll
Size

120KB
MD5

06d552d79c8c49d814b9d37d609f2e30
SHA1

80ea275aae6173d90f695b759aacc5220c2e44d6
SHA256

900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9
SHA512

e65bf51e2c9fc016cfdc399fdbd46233629e2830cffdfd449eb02999e157b790105ff94cb4fece48ba6ed9d16c90830acc64e794dc86a1b74682cd6b679d52dc
SSDEEP

1536:VCn+rJBiAiu+UZ0oKPJ+/p+My7IoYAvJHEmB+BFCbnM+PdW/IoyZ6aRHs6PpXl84:VSAPPKPJM8My9REibnM+P4IpMwpXmb

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e577b98.exee575f75.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e575f75.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575f75.exee577b98.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577b98.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575f75.exee577b98.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577b98.exe

Executes dropped EXE 4 IoCs

Processes:

e575f75.exee5760cd.exee577b79.exee577b98.exe

pid process

1412 e575f75.exe
1560 e5760cd.exe
2452 e577b79.exe
332 e577b98.exe

pid	process
1412	e575f75.exe
1560	e5760cd.exe
2452	e577b79.exe
332	e577b98.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1412-10-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-8-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-9-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-11-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-18-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-29-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-17-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-19-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-35-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-30-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-36-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-37-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-38-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-39-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-40-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-42-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-43-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-57-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-59-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-60-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-75-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-76-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-77-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-80-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-84-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-90-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-93-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-94-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-96-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/1412-97-0x0000000000850000-0x000000000190A000-memory.dmp	upx
behavioral2/memory/332-137-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx
behavioral2/memory/332-167-0x0000000000B50000-0x0000000001C0A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575f75.exee577b98.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577b98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577b98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577b98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577b98.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e575f75.exee577b98.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577b98.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e575f75.exee577b98.exe

description	ioc	process
File opened (read-only)	\??\H:	e575f75.exe
File opened (read-only)	\??\K:	e575f75.exe
File opened (read-only)	\??\N:	e575f75.exe
File opened (read-only)	\??\O:	e575f75.exe
File opened (read-only)	\??\P:	e575f75.exe
File opened (read-only)	\??\E:	e577b98.exe
File opened (read-only)	\??\G:	e575f75.exe
File opened (read-only)	\??\J:	e575f75.exe
File opened (read-only)	\??\Q:	e575f75.exe
File opened (read-only)	\??\I:	e575f75.exe
File opened (read-only)	\??\L:	e575f75.exe
File opened (read-only)	\??\M:	e575f75.exe
File opened (read-only)	\??\E:	e575f75.exe
File opened (read-only)	\??\R:	e575f75.exe
File opened (read-only)	\??\S:	e575f75.exe

Drops file in Program Files directory 4 IoCs

Processes:

e575f75.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e575f75.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e575f75.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e575f75.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e575f75.exe

Drops file in Windows directory 3 IoCs

Processes:

e575f75.exee577b98.exe

description ioc process

File created C:\Windows\e575fe3 e575f75.exe
File opened for modification C:\Windows\SYSTEM.INI e575f75.exe
File created C:\Windows\e57b016 e577b98.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e575f75.exee577b98.exe

pid process

1412 e575f75.exe
1412 e575f75.exe
1412 e575f75.exe
1412 e575f75.exe
332 e577b98.exe
332 e577b98.exe

description	ioc	process
File created	C:\Windows\e575fe3	e575f75.exe
File opened for modification	C:\Windows\SYSTEM.INI	e575f75.exe
File created	C:\Windows\e57b016	e577b98.exe

pid	process
1412	e575f75.exe
1412	e575f75.exe
1412	e575f75.exe
1412	e575f75.exe
332	e577b98.exe
332	e577b98.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e575f75.exe

description	pid	process
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe
Token: SeDebugPrivilege	1412	e575f75.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee575f75.exee577b98.exe

description	pid	process	target process
PID 3336 wrote to memory of 4036	3336	rundll32.exe	rundll32.exe
PID 3336 wrote to memory of 4036	3336	rundll32.exe	rundll32.exe
PID 3336 wrote to memory of 4036	3336	rundll32.exe	rundll32.exe
PID 4036 wrote to memory of 1412	4036	rundll32.exe	e575f75.exe
PID 4036 wrote to memory of 1412	4036	rundll32.exe	e575f75.exe
PID 4036 wrote to memory of 1412	4036	rundll32.exe	e575f75.exe
PID 1412 wrote to memory of 800	1412	e575f75.exe	fontdrvhost.exe
PID 1412 wrote to memory of 804	1412	e575f75.exe	fontdrvhost.exe
PID 1412 wrote to memory of 380	1412	e575f75.exe	dwm.exe
PID 1412 wrote to memory of 2876	1412	e575f75.exe	sihost.exe
PID 1412 wrote to memory of 2968	1412	e575f75.exe	svchost.exe
PID 1412 wrote to memory of 3068	1412	e575f75.exe	taskhostw.exe
PID 1412 wrote to memory of 3436	1412	e575f75.exe	Explorer.EXE
PID 1412 wrote to memory of 3584	1412	e575f75.exe	svchost.exe
PID 1412 wrote to memory of 3792	1412	e575f75.exe	DllHost.exe
PID 1412 wrote to memory of 3892	1412	e575f75.exe	StartMenuExperienceHost.exe
PID 1412 wrote to memory of 3960	1412	e575f75.exe	RuntimeBroker.exe
PID 1412 wrote to memory of 4040	1412	e575f75.exe	SearchApp.exe
PID 1412 wrote to memory of 4188	1412	e575f75.exe	RuntimeBroker.exe
PID 1412 wrote to memory of 4616	1412	e575f75.exe	RuntimeBroker.exe
PID 1412 wrote to memory of 4052	1412	e575f75.exe	TextInputHost.exe
PID 1412 wrote to memory of 3336	1412	e575f75.exe	rundll32.exe
PID 1412 wrote to memory of 4036	1412	e575f75.exe	rundll32.exe
PID 1412 wrote to memory of 4036	1412	e575f75.exe	rundll32.exe
PID 4036 wrote to memory of 1560	4036	rundll32.exe	e5760cd.exe
PID 4036 wrote to memory of 1560	4036	rundll32.exe	e5760cd.exe
PID 4036 wrote to memory of 1560	4036	rundll32.exe	e5760cd.exe
PID 4036 wrote to memory of 2452	4036	rundll32.exe	e577b79.exe
PID 4036 wrote to memory of 2452	4036	rundll32.exe	e577b79.exe
PID 4036 wrote to memory of 2452	4036	rundll32.exe	e577b79.exe
PID 4036 wrote to memory of 332	4036	rundll32.exe	e577b98.exe
PID 4036 wrote to memory of 332	4036	rundll32.exe	e577b98.exe
PID 4036 wrote to memory of 332	4036	rundll32.exe	e577b98.exe
PID 1412 wrote to memory of 800	1412	e575f75.exe	fontdrvhost.exe
PID 1412 wrote to memory of 804	1412	e575f75.exe	fontdrvhost.exe
PID 1412 wrote to memory of 380	1412	e575f75.exe	dwm.exe
PID 1412 wrote to memory of 2876	1412	e575f75.exe	sihost.exe
PID 1412 wrote to memory of 2968	1412	e575f75.exe	svchost.exe
PID 1412 wrote to memory of 3068	1412	e575f75.exe	taskhostw.exe
PID 1412 wrote to memory of 3436	1412	e575f75.exe	Explorer.EXE
PID 1412 wrote to memory of 3584	1412	e575f75.exe	svchost.exe
PID 1412 wrote to memory of 3792	1412	e575f75.exe	DllHost.exe
PID 1412 wrote to memory of 3892	1412	e575f75.exe	StartMenuExperienceHost.exe
PID 1412 wrote to memory of 3960	1412	e575f75.exe	RuntimeBroker.exe
PID 1412 wrote to memory of 4040	1412	e575f75.exe	SearchApp.exe
PID 1412 wrote to memory of 4188	1412	e575f75.exe	RuntimeBroker.exe
PID 1412 wrote to memory of 4616	1412	e575f75.exe	RuntimeBroker.exe
PID 1412 wrote to memory of 4052	1412	e575f75.exe	TextInputHost.exe
PID 1412 wrote to memory of 1560	1412	e575f75.exe	e5760cd.exe
PID 1412 wrote to memory of 1560	1412	e575f75.exe	e5760cd.exe
PID 1412 wrote to memory of 2452	1412	e575f75.exe	e577b79.exe
PID 1412 wrote to memory of 2452	1412	e575f75.exe	e577b79.exe
PID 1412 wrote to memory of 332	1412	e575f75.exe	e577b98.exe
PID 1412 wrote to memory of 332	1412	e575f75.exe	e577b98.exe
PID 332 wrote to memory of 800	332	e577b98.exe	fontdrvhost.exe
PID 332 wrote to memory of 804	332	e577b98.exe	fontdrvhost.exe
PID 332 wrote to memory of 380	332	e577b98.exe	dwm.exe
PID 332 wrote to memory of 2876	332	e577b98.exe	sihost.exe
PID 332 wrote to memory of 2968	332	e577b98.exe	svchost.exe
PID 332 wrote to memory of 3068	332	e577b98.exe	taskhostw.exe
PID 332 wrote to memory of 3436	332	e577b98.exe	Explorer.EXE
PID 332 wrote to memory of 3584	332	e577b98.exe	svchost.exe
PID 332 wrote to memory of 3792	332	e577b98.exe	DllHost.exe
PID 332 wrote to memory of 3892	332	e577b98.exe	StartMenuExperienceHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e575f75.exee577b98.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575f75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577b98.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2968

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3068

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\e575f75.exe
C:\Users\Admin\AppData\Local\Temp\e575f75.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1412

C:\Users\Admin\AppData\Local\Temp\e5760cd.exe
C:\Users\Admin\AppData\Local\Temp\e5760cd.exe
4⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\e577b79.exe
C:\Users\Admin\AppData\Local\Temp\e577b79.exe
4⤵
- Executes dropped EXE
PID:2452

C:\Users\Admin\AppData\Local\Temp\e577b98.exe
C:\Users\Admin\AppData\Local\Temp\e577b98.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4616

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e575f75.exe
Filesize
97KB

MD5
e073d86fde40b6f3b71fc3386fed72cb

SHA1
9757aec5768c457ecf5adba97f9d3b172521a23b

SHA256
38b8f22c36a6570d995325da15e35bc241ea5e3fa2bab7435fb5ea7a72b8a8b0

SHA512
94ddf415933ce6fa1387954e150e22731eafb0f6b263ddfede1d31f4b3186b643d2344eba3b4c07cb1913a2d200dfc34a5114290f461948b534074ce57f10988

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
9ce61ed88100dd73aed8edfbf3fafc53

SHA1
b1cfa039ab160644e8dba369012825d997692ed8

SHA256
b7601ca5c2f92099bac562c7a5a4427519ae9b787a9287ccd21537ca7d74e445

SHA512
068f1c1cae90365a6007e09a7016016992fac8d778b7f9e34272cd8aa99fa9eb10949338f69671f2c6479edb34e4844357f3bb461c3cd03928fa500f8fd32993

Download Submit
memory/332-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/332-167-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/332-166-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/332-137-0x0000000000B50000-0x0000000001C0A000-memory.dmp

Filesize
16.7MB

Download
memory/332-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/332-68-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1412-77-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-90-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-29-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1412-10-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-8-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-23-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1412-9-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-17-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-19-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-35-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-30-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-36-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-37-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-38-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-39-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-40-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-42-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-43-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-116-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1412-33-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1412-57-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-59-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-60-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-103-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1412-97-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-18-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-96-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-94-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-11-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-93-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-31-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1412-75-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-76-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-84-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1412-80-0x0000000000850000-0x000000000190A000-memory.dmp

Filesize
16.7MB

Download
memory/1560-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1560-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1560-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1560-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2452-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2452-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2452-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2452-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2452-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4036-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4036-20-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/4036-24-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/4036-27-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/4036-28-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download