Analysis
max time kernel: 92s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 08:54
Static task: static1
Behavioral task: behavioral1
  Sample: 900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll
  Resource: win7-20240508-en
The signature, process and memory-dump data below is labelled behavioral2 and matches the windows10-2004_x64 platform listed above; results for the behavioral1 (win7) task are not on this page.
General
Target: 900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll
Size: 120KB
MD5: 06d552d79c8c49d814b9d37d609f2e30
SHA1: 80ea275aae6173d90f695b759aacc5220c2e44d6
SHA256: 900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9
SHA512: e65bf51e2c9fc016cfdc399fdbd46233629e2830cffdfd449eb02999e157b790105ff94cb4fece48ba6ed9d16c90830acc64e794dc86a1b74682cd6b679d52dc
SSDEEP: 1536:VCn+rJBiAiu+UZ0oKPJ+/p+My7IoYAvJHEmB+BFCbnM+PdW/IoyZ6aRHs6PpXl84:VSAPPKPJM8My9REibnM+P4IpMwpXmb
Malware Config
Extracted family: sality
Extracted URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e577b98.exe, e575f75.exe
Each of the three values below was set by both e577b98.exe and e575f75.exe. ControlSet001 is the resolved name of the active control set on the sandbox VM; on another host the same values are reached through CurrentControlSet.
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

UAC bypass (2 IoCs; heading restored from the process-tree signature list)
Processes: e575f75.exe, e577b98.exe
EnableLUA = 0 turns UAC off for every account; the change takes effect at the next restart.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e575f75.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e577b98.exe)

Windows security bypass (12 IoCs; heading restored from the process-tree signature list)
Processes: e575f75.exe, e577b98.exe
Each of the six values below was set by both processes. The key sits under WOW6432Node because the writers are 32-bit processes (arch:x86, loaded through SysWOW64\rundll32.exe) and WOW64 redirects their HKLM\SOFTWARE writes there; the Policies\System key above is exempt from that redirection, which is why EnableLUA landed in the native path.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Executes dropped EXE (4 IoCs)
Processes: e575f75.exe, e5760cd.exe, e577b79.exe, e577b98.exe
  PID 1412  e575f75.exe
  PID 1560  e5760cd.exe
  PID 2452  e577b79.exe
  PID 332   e577b98.exe
Yara rule match: upx (32 IoCs; the page carries no heading for this block, so the title is taken from its yara_rule column)
Resources are memory dumps named behavioral2/memory/<pid>-<dump index>-<start>-<end>-memory.dmp; every dump listed matched the rule "upx":
  PID 1412 (e575f75.exe), region 0x0000000000850000-0x000000000190A000: dump indices 8, 9, 10, 11, 17, 18, 19, 29, 30, 35, 36, 37, 38, 39, 40, 42, 43, 57, 59, 60, 75, 76, 77, 80, 84, 90, 93, 94, 96, 97 (30 dumps)
  PID 332 (e577b98.exe), region 0x0000000000B50000-0x0000000001C0A000: dump indices 137, 167 (2 dumps)
Windows security modification (14 IoCs; heading restored from the process-tree signature list)
Processes: e575f75.exe, e577b98.exe
Each entry below was recorded for both processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"

Checks whether UAC is enabled (2 IoCs; heading restored from the process-tree signature list)
Processes: e575f75.exe, e577b98.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e575f75.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e577b98.exe)
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e575f75.exe, e577b98.exe
  e575f75.exe opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:  (14 IoCs)
  e577b98.exe opened (read-only) \??\E:  (1 IoC)
Drops file in Program Files directory (4 IoCs)
Processes: e575f75.exe
  File opened for modification C:\Program Files\7-Zip\7zG.exe
  File opened for modification C:\Program Files\7-Zip\Uninstall.exe
  File opened for modification C:\Program Files\7-Zip\7z.exe
  File opened for modification C:\Program Files\7-Zip\7zFM.exe
These are existing executables opened for write, not new files. Sality is a file infector that patches executables it can reach, so the signature name understates what happened: on an infected host, treat every .exe the process touched as modified and verify it against a known-good hash rather than looking only for dropped files.
Drops file in Windows directory (3 IoCs)
Processes: e575f75.exe, e577b98.exe
  File created C:\Windows\e575fe3  (e575f75.exe)
  File opened for modification C:\Windows\SYSTEM.INI  (e575f75.exe; the modified 257-byte file is hashed under Downloads below)
  File created C:\Windows\e57b016  (e577b98.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e575f75.exe, e577b98.exe
  PID 1412  e575f75.exe  (4 IoCs)
  PID 332   e577b98.exe  (2 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e575f75.exe
  Token: SeDebugPrivilege  PID 1412  e575f75.exe  (all 64 IoCs are this same event)
SeDebugPrivilege is what lets a process open other processes, including protected system ones, with write access; it is the precondition for the cross-process writes recorded in the next signature.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e575f75.exe, e577b98.exe
Format: source PID (image) -> target PID (image) [repeat count]. A parent writing into a child it has just created (rundll32 -> rundll32, rundll32 -> each dropped EXE) is the normal side effect of process creation; the writes from e575f75.exe and e577b98.exe into already-running session processes are the injection. The list stops at 64 entries, so e577b98.exe's sweep may continue beyond what is shown.
  3336 (rundll32.exe) -> 4036 (rundll32.exe) [x3]
  4036 (rundll32.exe) -> 1412 (e575f75.exe) [x3]
  1412 (e575f75.exe) -> 800 (fontdrvhost.exe)
  1412 (e575f75.exe) -> 804 (fontdrvhost.exe)
  1412 (e575f75.exe) -> 380 (dwm.exe)
  1412 (e575f75.exe) -> 2876 (sihost.exe)
  1412 (e575f75.exe) -> 2968 (svchost.exe)
  1412 (e575f75.exe) -> 3068 (taskhostw.exe)
  1412 (e575f75.exe) -> 3436 (Explorer.EXE)
  1412 (e575f75.exe) -> 3584 (svchost.exe)
  1412 (e575f75.exe) -> 3792 (DllHost.exe)
  1412 (e575f75.exe) -> 3892 (StartMenuExperienceHost.exe)
  1412 (e575f75.exe) -> 3960 (RuntimeBroker.exe)
  1412 (e575f75.exe) -> 4040 (SearchApp.exe)
  1412 (e575f75.exe) -> 4188 (RuntimeBroker.exe)
  1412 (e575f75.exe) -> 4616 (RuntimeBroker.exe)
  1412 (e575f75.exe) -> 4052 (TextInputHost.exe)
  1412 (e575f75.exe) -> 3336 (rundll32.exe)
  1412 (e575f75.exe) -> 4036 (rundll32.exe) [x2]
  4036 (rundll32.exe) -> 1560 (e5760cd.exe) [x3]
  4036 (rundll32.exe) -> 2452 (e577b79.exe) [x3]
  4036 (rundll32.exe) -> 332 (e577b98.exe) [x3]
  1412 (e575f75.exe) -> the same 15 session processes again, in the same order (800, 804, 380, 2876, 2968, 3068, 3436, 3584, 3792, 3892, 3960, 4040, 4188, 4616, 4052) [x15]
  1412 (e575f75.exe) -> 1560 (e5760cd.exe) [x2]
  1412 (e575f75.exe) -> 2452 (e577b79.exe) [x2]
  1412 (e575f75.exe) -> 332 (e577b98.exe) [x2]
  332 (e577b98.exe) -> 800 (fontdrvhost.exe)
  332 (e577b98.exe) -> 804 (fontdrvhost.exe)
  332 (e577b98.exe) -> 380 (dwm.exe)
  332 (e577b98.exe) -> 2876 (sihost.exe)
  332 (e577b98.exe) -> 2968 (svchost.exe)
  332 (e577b98.exe) -> 3068 (taskhostw.exe)
  332 (e577b98.exe) -> 3436 (Explorer.EXE)
  332 (e577b98.exe) -> 3584 (svchost.exe)
  332 (e577b98.exe) -> 3792 (DllHost.exe)
  332 (e577b98.exe) -> 3892 (StartMenuExperienceHost.exe)
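Separating process-creation writes from injection by hand is error-prone on a list this long. The following script is an added example (it is not part of the sandbox report) that parses the report's own IoC text into a write graph and does the split mechanically. REPORT_TEXT holds the first 30 of the 64 IoCs exactly as the page prints them; SPAWN_EDGES is the parent-to-child relation read off the process tree further down and is assumed to be complete for the PIDs involved.

```python
"""Rebuild the cross-process write graph from the report's 'Suspicious use of
WriteProcessMemory' IoCs and separate process-creation writes from injection.

Added example, not part of the sandbox report. REPORT_TEXT is the first 30 of
the 64 IoCs exactly as the page prints them. SPAWN_EDGES is the parent -> child
relation read off the report's process tree (assumed complete for these PIDs).
"""
import re
from collections import defaultdict

# Shape of one IoC on the page: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
IOC_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\1\s+(\S+)\s+(\S+)")

REPORT_TEXT = """
PID 3336 wrote to memory of 4036 3336 rundll32.exe rundll32.exe PID 3336 wrote to memory of 4036 3336 rundll32.exe rundll32.exe
PID 3336 wrote to memory of 4036 3336 rundll32.exe rundll32.exe PID 4036 wrote to memory of 1412 4036 rundll32.exe e575f75.exe
PID 4036 wrote to memory of 1412 4036 rundll32.exe e575f75.exe PID 4036 wrote to memory of 1412 4036 rundll32.exe e575f75.exe
PID 1412 wrote to memory of 800 1412 e575f75.exe fontdrvhost.exe PID 1412 wrote to memory of 804 1412 e575f75.exe fontdrvhost.exe
PID 1412 wrote to memory of 380 1412 e575f75.exe dwm.exe PID 1412 wrote to memory of 2876 1412 e575f75.exe sihost.exe
PID 1412 wrote to memory of 2968 1412 e575f75.exe svchost.exe PID 1412 wrote to memory of 3068 1412 e575f75.exe taskhostw.exe
PID 1412 wrote to memory of 3436 1412 e575f75.exe Explorer.EXE PID 1412 wrote to memory of 3584 1412 e575f75.exe svchost.exe
PID 1412 wrote to memory of 3792 1412 e575f75.exe DllHost.exe PID 1412 wrote to memory of 3892 1412 e575f75.exe StartMenuExperienceHost.exe
PID 1412 wrote to memory of 3960 1412 e575f75.exe RuntimeBroker.exe PID 1412 wrote to memory of 4040 1412 e575f75.exe SearchApp.exe
PID 1412 wrote to memory of 4188 1412 e575f75.exe RuntimeBroker.exe PID 1412 wrote to memory of 4616 1412 e575f75.exe RuntimeBroker.exe
PID 1412 wrote to memory of 4052 1412 e575f75.exe TextInputHost.exe PID 1412 wrote to memory of 3336 1412 e575f75.exe rundll32.exe
PID 1412 wrote to memory of 4036 1412 e575f75.exe rundll32.exe PID 1412 wrote to memory of 4036 1412 e575f75.exe rundll32.exe
PID 4036 wrote to memory of 1560 4036 rundll32.exe e5760cd.exe PID 4036 wrote to memory of 1560 4036 rundll32.exe e5760cd.exe
PID 4036 wrote to memory of 1560 4036 rundll32.exe e5760cd.exe PID 4036 wrote to memory of 2452 4036 rundll32.exe e577b79.exe
PID 4036 wrote to memory of 2452 4036 rundll32.exe e577b79.exe PID 4036 wrote to memory of 2452 4036 rundll32.exe e577b79.exe
"""

# Parent -> child edges from the process tree: Explorer's rundll32 (3336) relaunches
# the SysWOW64 rundll32 (4036), which starts the four dropped executables.
SPAWN_EDGES = {(3336, 4036), (4036, 1412), (4036, 1560), (4036, 2452), (4036, 332)}


def parse_writes(text):
    """Return (src_pid, src_image, dst_pid, dst_image) for every IoC in text."""
    return [(int(s), si, int(d), di) for s, d, si, di in IOC_RE.findall(text)]


def classify(writes, spawn_edges=SPAWN_EDGES):
    """Split writes into process-creation side effects and cross-process injection.

    CreateProcess writes the new process's parameters into the child before it
    runs, so a parent -> child write is expected and not by itself suspicious.
    A write into any process the writer did not create is the injection signal
    (here: e575f75.exe into every session process, and back into its own parent).
    """
    creation, injection = [], []
    for w in writes:
        (creation if (w[0], w[2]) in spawn_edges else injection).append(w)
    return creation, injection


def injection_targets(injection):
    """Map each injecting (pid, image) to the set of (pid, image) it wrote into."""
    targets = defaultdict(set)
    for src, si, dst, di in injection:
        targets[(src, si)].add((dst, di))
    return dict(targets)


if __name__ == "__main__":
    writes = parse_writes(REPORT_TEXT)
    creation, injection = classify(writes)
    print(f"{len(writes)} writes: {len(creation)} process creation, {len(injection)} injection")
    for (pid, image), dsts in injection_targets(injection).items():
        print(f"{image} (PID {pid}) wrote into {len(dsts)} other processes:",
              ", ".join(sorted(f"{d} ({p})" for p, d in dsts)))
```

On the 30 entries embedded above this yields 12 creation writes and 18 injection writes, all from e575f75.exe, into 17 distinct processes (the 15 session processes plus both rundll32 instances). Feeding it the complete 64-entry list from the page adds e577b98.exe as a second injector with the same target set.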
System policy modification (1 TTP, 2 IoCs)
Processes: e575f75.exe, e577b98.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e575f75.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e577b98.exe)
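The registry signatures above (firewall policy, EnableLUA, Security Center overrides) are the indicators a responder would sweep other hosts for. The script below is an added example, not part of the sandbox report: it encodes those values and evaluates a registry snapshot against them. The snapshot format is an assumption (a dict of key path to value-name/data pairs, as one might build from `reg query` output or an EDR registry export); the two snapshots in the block are constructed, one mirroring what the report records and one clean. It checks both ControlSet001 (the name the report shows) and CurrentControlSet, and both the native and the WOW6432Node Security Center keys, because a 64-bit infector would write to the native path.

```python
"""Check a registry snapshot for the values this report shows the dropped
executables writing.

Added example, not part of the sandbox report. The snapshot format is an
assumption: a dict of "HIVE\\Key\\Path" -> {value_name: data}, as you might
build from `reg query` output or an EDR registry export. Indicator paths and
data are taken from the report's signature output.
"""
from __future__ import annotations

# The report names ControlSet001 (the resolved active control set on the
# sandbox VM); on another host the active set is reached via CurrentControlSet,
# so both spellings are checked.
FIREWALL_SUFFIX = r"\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
FIREWALL_VALUES = {"EnableFirewall": 0, "DoNotAllowExceptions": 0, "DisableNotifications": 1}

# EnableLUA = 0 switches UAC off for every account after the next restart.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA": 0}

# The sample's processes are 32-bit, so WOW64 redirected their HKLM\SOFTWARE
# writes to WOW6432Node; a 64-bit infector would hit the native key instead.
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride": 1, "AntiVirusDisableNotify": 1,
    "FirewallOverride": 1, "FirewallDisableNotify": 1,
    "UpdatesDisableNotify": 1, "UacDisableNotify": 1,
}

INDICATORS: list[tuple[str, dict[str, int]]] = [
    (r"HKLM\SYSTEM\ControlSet001" + FIREWALL_SUFFIX, FIREWALL_VALUES),
    (r"HKLM\SYSTEM\CurrentControlSet" + FIREWALL_SUFFIX, FIREWALL_VALUES),
    (UAC_KEY, UAC_VALUES),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", SECURITY_CENTER_VALUES),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center", SECURITY_CENTER_VALUES),
]

# DoNotAllowExceptions = 0 is the Windows default, so on its own it proves
# nothing; it is only reported when another value in the same key also matches.
WEAK = {"donotallowexceptions"}


def find_tampering(snapshot: dict[str, dict[str, int]]) -> list[tuple[str, str, int]]:
    """Return (key, value_name, data) for every snapshot value equal to an
    indicator. Key and value names compare case-insensitively, as the registry
    itself does; an absent key simply yields no hits."""
    by_key = {key.lower(): {n.lower(): d for n, d in vals.items()}
              for key, vals in snapshot.items()}
    hits: list[tuple[str, str, int]] = []
    for key, expected in INDICATORS:
        present = by_key.get(key.lower(), {})
        matched = [(key, name, bad) for name, bad in expected.items()
                   if present.get(name.lower()) == bad]
        if matched and any(name.lower() not in WEAK for _, name, _ in matched):
            hits.extend(matched)
    return hits


# Constructed snapshots: one mirroring what the report records, one clean.
INFECTED_SNAPSHOT = {
    r"HKLM\SYSTEM\CurrentControlSet" + FIREWALL_SUFFIX:
        {"EnableFirewall": 0, "DoNotAllowExceptions": 0, "DisableNotifications": 1},
    UAC_KEY: {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5},
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center":
        {"AntiVirusOverride": 1, "FirewallOverride": 1, "UacDisableNotify": 1},
}
CLEAN_SNAPSHOT = {
    r"HKLM\SYSTEM\CurrentControlSet" + FIREWALL_SUFFIX:
        {"EnableFirewall": 1, "DoNotAllowExceptions": 0, "DisableNotifications": 0},
    UAC_KEY: {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5},
}

if __name__ == "__main__":
    for key, name, data in find_tampering(INFECTED_SNAPSHOT):
        print(f"TAMPERED  {key}\\{name} = {data}")
    print("clean host hits:", find_tampering(CLEAN_SNAPSHOT))
```

The infected snapshot produces seven hits (three firewall values, EnableLUA, three Security Center overrides) and the clean one none, even though the clean host also carries DoNotAllowExceptions = 0. A positive result is a starting point, not a verdict: the same values can be set by an administrator, so confirm with the file indicators from the report (C:\Windows\e575fe3, C:\Windows\e57b016, a modified SYSTEM.INI, patched executables under Program Files).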
Processes
Indented by depth in the process tree; the signatures that fired in a process are listed beneath it. The depth-1 entries with no signatures are the already-running session processes that the dropped executables wrote into (see Suspicious use of WriteProcessMemory above).

C:\Windows\system32\fontdrvhost.exe    cmdline: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe    cmdline: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe    cmdline: "dwm.exe"
C:\Windows\system32\sihost.exe    cmdline: sihost.exe
C:\Windows\system32\svchost.exe    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE    cmdline: C:\Windows\Explorer.EXE
    C:\Windows\system32\rundll32.exe    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll,#1
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\900c46691b48d7632d00410e41bcb64379ebff3d59af95be5463ce66fbfc9be9_NeikiAnalytics.dll,#1
            (the 64-bit rundll32 hands the 32-bit DLL off to the SysWOW64 copy, which calls export ordinal #1; the four dropped executables are started from here)
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e575f75.exe    cmdline: C:\Users\Admin\AppData\Local\Temp\e575f75.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5760cd.exe    cmdline: C:\Users\Admin\AppData\Local\Temp\e5760cd.exe
                - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\e577b79.exe    cmdline: C:\Users\Admin\AppData\Local\Temp\e577b79.exe
                - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\e577b98.exe    cmdline: C:\Users\Admin\AppData\Local\Temp\e577b98.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe    cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
No network events are listed on this page; the Sality URLs above come from the extracted configuration.

MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Modify Registry (5)
  Impair Defenses (4): Disable or Modify Tools (3), Disable or Modify System Firewall (1)
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\e575f75.exe
  Filesize: 97KB
  MD5: e073d86fde40b6f3b71fc3386fed72cb
  SHA1: 9757aec5768c457ecf5adba97f9d3b172521a23b
  SHA256: 38b8f22c36a6570d995325da15e35bc241ea5e3fa2bab7435fb5ea7a72b8a8b0
  SHA512: 94ddf415933ce6fa1387954e150e22731eafb0f6b263ddfede1d31f4b3186b643d2344eba3b4c07cb1913a2d200dfc34a5114290f461948b534074ce57f10988

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 9ce61ed88100dd73aed8edfbf3fafc53
  SHA1: b1cfa039ab160644e8dba369012825d997692ed8
  SHA256: b7601ca5c2f92099bac562c7a5a4427519ae9b787a9287ccd21537ca7d74e445
  SHA512: 068f1c1cae90365a6007e09a7016016992fac8d778b7f9e34272cd8aa99fa9eb10949338f69671f2c6479edb34e4844357f3bb461c3cd03928fa500f8fd32993

Memory dumps, named memory/<pid>-<dump index>-<start>-<end>-memory.dmp, grouped by process and region (process names taken from the Executes dropped EXE and WriteProcessMemory sections):

PID 332 (e577b98.exe)
  0x0000000000400000-0x0000000000412000 (72KB): dump indices 56, 166
  0x0000000000B50000-0x0000000001C0A000 (16.7MB): dump indices 137, 167
  0x00000000001E0000-0x00000000001E2000 (8KB): dump index 73
  0x00000000001F0000-0x00000000001F1000 (4KB): dump index 68
PID 1412 (e575f75.exe)
  0x0000000000400000-0x0000000000412000 (72KB): dump indices 4, 116
  0x0000000000730000-0x0000000000732000 (8KB): dump indices 31, 33, 103
  0x0000000000740000-0x0000000000741000 (4KB): dump index 23
  0x0000000000850000-0x000000000190A000 (16.7MB): dump indices 8, 9, 10, 11, 17, 18, 19, 29, 30, 35, 36, 37, 38, 39, 40, 42, 43, 57, 59, 60, 75, 76, 77, 80, 84, 90, 93, 94, 96, 97
PID 1560 (e5760cd.exe)
  0x0000000000400000-0x0000000000412000 (72KB): dump index 128
  0x00000000001E0000-0x00000000001E2000 (8KB): dump indices 64, 71
  0x00000000001F0000-0x00000000001F1000 (4KB): dump index 63
PID 2452 (e577b79.exe)
  0x0000000000400000-0x0000000000412000 (72KB): dump indices 50, 148
  0x00000000001E0000-0x00000000001E2000 (8KB): dump indices 69, 72
  0x00000000001F0000-0x00000000001F1000 (4KB): dump index 66
PID 4036 (rundll32.exe, SysWOW64)
  0x0000000010000000-0x0000000010020000 (128KB): dump index 2
  0x0000000003AF0000-0x0000000003AF2000 (8KB): dump indices 20, 24, 28
  0x0000000003FA0000-0x0000000003FA1000 (4KB): dump index 27