Analysis

Max time kernel: 148s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-06-2024 10:08

Static task: static1
Behavioral task: behavioral1
Sample: 9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll
Resource: win7-20231129-en
General

Target: 9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll
Size: 120KB
MD5: f7034aba512b664377a6ca35e0fd8570
SHA1: daf966ae376e9ed81752a153c6632f77385787ad
SHA256: 9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5
SHA512: 6adbd5e8d5c54125c31f7b33465cdaf52a236dc39ba7e927e911ab7105cd7c1757285d24a2aa642a5c01995d05f98c422715376088b2a7d94ca293f3f43a8f3d
SSDEEP: 3072:mBCP/9/mpCwXg8Uxumn9QcfGXtQoFzNelJ8xHW:Qi/ZmBNfmySgNelJM
Malware Config

Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e574a38.exe, e57470b.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574a38.exe
UAC bypass
Processes: e57470b.exe, e574a38.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574a38.exe
Windows security bypass
Processes: e57470b.exe, e574a38.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57470b.exe
Executes dropped EXE (3 IoCs)
Processes: e57470b.exe, e574a38.exe, e57685f.exe
PID | Process
3868 | e57470b.exe
4320 | e574a38.exe
1860 | e57685f.exe
Windows security modification
Processes: e574a38.exe, e57470b.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574a38.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57470b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574a38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574a38.exe
Checks whether UAC is enabled
Processes: e57470b.exe, e574a38.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574a38.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e57470b.exe
Description | IoC | Process
File opened (read-only) | \??\M: | e57470b.exe
File opened (read-only) | \??\E: | e57470b.exe
File opened (read-only) | \??\H: | e57470b.exe
File opened (read-only) | \??\J: | e57470b.exe
File opened (read-only) | \??\L: | e57470b.exe
File opened (read-only) | \??\P: | e57470b.exe
File opened (read-only) | \??\I: | e57470b.exe
File opened (read-only) | \??\N: | e57470b.exe
File opened (read-only) | \??\O: | e57470b.exe
File opened (read-only) | \??\Q: | e57470b.exe
File opened (read-only) | \??\R: | e57470b.exe
File opened (read-only) | \??\G: | e57470b.exe
File opened (read-only) | \??\K: | e57470b.exe
File opened (read-only) | \??\S: | e57470b.exe
Drops file in Program Files directory (4 IoCs)
Processes: e57470b.exe
Description | IoC | Process
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57470b.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57470b.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57470b.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57470b.exe
Drops file in Windows directory (3 IoCs)
Processes: e57470b.exe, e574a38.exe
Description | IoC | Process
File created | C:\Windows\e574759 | e57470b.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57470b.exe
File created | C:\Windows\e5798b6 | e574a38.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e57470b.exe, e574a38.exe
PID | Process
3868 | e57470b.exe
3868 | e57470b.exe
3868 | e57470b.exe
3868 | e57470b.exe
4320 | e574a38.exe
4320 | e574a38.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e57470b.exe
Description | PID | Process
Token: SeDebugPrivilege | 3868 | e57470b.exe
All 64 recorded entries are this same token adjustment by PID 3868.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e57470b.exe, e574a38.exe
Repeated identical entries are listed once.
Source PID | Source process | Target PID | Target process
100 | rundll32.exe | 1020 | rundll32.exe
1020 | rundll32.exe | 3868 | e57470b.exe
3868 | e57470b.exe | 764 | fontdrvhost.exe
3868 | e57470b.exe | 772 | fontdrvhost.exe
3868 | e57470b.exe | 316 | dwm.exe
3868 | e57470b.exe | 2380 | sihost.exe
3868 | e57470b.exe | 2456 | svchost.exe
3868 | e57470b.exe | 2772 | taskhostw.exe
3868 | e57470b.exe | 3420 | Explorer.EXE
3868 | e57470b.exe | 3572 | svchost.exe
3868 | e57470b.exe | 3760 | DllHost.exe
3868 | e57470b.exe | 3852 | StartMenuExperienceHost.exe
3868 | e57470b.exe | 3912 | RuntimeBroker.exe
3868 | e57470b.exe | 4004 | SearchApp.exe
3868 | e57470b.exe | 4060 | RuntimeBroker.exe
3868 | e57470b.exe | 1988 | TextInputHost.exe
3868 | e57470b.exe | 1464 | RuntimeBroker.exe
3868 | e57470b.exe | 544 | backgroundTaskHost.exe
3868 | e57470b.exe | 4428 | backgroundTaskHost.exe
3868 | e57470b.exe | 100 | rundll32.exe
3868 | e57470b.exe | 1020 | rundll32.exe
1020 | rundll32.exe | 4320 | e574a38.exe
1020 | rundll32.exe | 1860 | e57685f.exe
3868 | e57470b.exe | 4320 | e574a38.exe
3868 | e57470b.exe | 2072 | RuntimeBroker.exe
3868 | e57470b.exe | 548 | RuntimeBroker.exe
3868 | e57470b.exe | 1860 | e57685f.exe
4320 | e574a38.exe | 764 | fontdrvhost.exe
4320 | e574a38.exe | 772 | fontdrvhost.exe
4320 | e574a38.exe | 316 | dwm.exe
4320 | e574a38.exe | 2380 | sihost.exe
4320 | e574a38.exe | 2456 | svchost.exe
4320 | e574a38.exe | 2772 | taskhostw.exe
4320 | e574a38.exe | 3420 | Explorer.EXE
4320 | e574a38.exe | 3572 | svchost.exe
4320 | e574a38.exe | 3760 | DllHost.exe
4320 | e574a38.exe | 3852 | StartMenuExperienceHost.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e57470b.exe, e574a38.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57470b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574a38.exe
Processes

- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll,#1
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll,#1
      Signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57470b.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e57470b.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e574a38.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e574a38.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57685f.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e57685f.exe
        Signatures:
        - Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)

- Privilege Escalation
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
- Defense Evasion
  - Modify Registry (5)
  - Impair Defenses (4)
    - Disable or Modify Tools (3)
    - Disable or Modify System Firewall (1)
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
Downloads

- C:\Users\Admin\AppData\Local\Temp\e57470b.exe
  Filesize: 97KB
  MD5: 259decd41726009f38c40ab06e588f88
  SHA1: 1df5aac5cb896807993d214dfcc61446ba03e33e
  SHA256: 8a5574393224648cb825d54f69c4352d49d441f4695b58c5b1498f35585430bd
  SHA512: e298a689443ed4e9b97848e43186cd682899696d06c8b5558867797cf86a7dc44e1c21f72300b68ad5c6900dfe3a6e7bbf539721ef9bbe74dc2551213d4fffba
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 90c94e6d44e9cf19c6614a18e7fd79b2
  SHA1: aad66aeff28356af75e7a5840d3065e22c563f3a
  SHA256: f4206e614ff0709cb638c3fabb5869688bf932050be6edfc098631a92d44b8ae
  SHA512: 9778821bd8880db3b6d58ad9e32200c45c812dca7bee38b3cee59a519915552dcc9bed89633b2ef2847b18ae951455f8a399a04d30c6bf40f79296c1310f4810