sality | 9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll
Size

120KB
MD5

f7034aba512b664377a6ca35e0fd8570
SHA1

daf966ae376e9ed81752a153c6632f77385787ad
SHA256

9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5
SHA512

6adbd5e8d5c54125c31f7b33465cdaf52a236dc39ba7e927e911ab7105cd7c1757285d24a2aa642a5c01995d05f98c422715376088b2a7d94ca293f3f43a8f3d
SSDEEP

3072:mBCP/9/mpCwXg8Uxumn9QcfGXtQoFzNelJ8xHW:Qi/ZmBNfmySgNelJM

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e574a38.exee57470b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e574a38.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57470b.exee574a38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574a38.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57470b.exee574a38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57470b.exe

Executes dropped EXE 3 IoCs

Processes:

e57470b.exee574a38.exee57685f.exe

pid process

3868 e57470b.exe
4320 e574a38.exe
1860 e57685f.exe

pid	process
3868	e57470b.exe
4320	e574a38.exe
1860	e57685f.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3868-10-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-8-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-6-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-11-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-12-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-9-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-13-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-20-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-19-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-21-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-36-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-37-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-38-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-39-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-40-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-42-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-43-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-46-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-54-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-55-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-65-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-67-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-70-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-72-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-74-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-75-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-77-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-86-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-88-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3868-92-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/4320-124-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx
behavioral2/memory/4320-137-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574a38.exee57470b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574a38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57470b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574a38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574a38.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e57470b.exee574a38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574a38.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57470b.exe

description	ioc	process
File opened (read-only)	\??\M:	e57470b.exe
File opened (read-only)	\??\E:	e57470b.exe
File opened (read-only)	\??\H:	e57470b.exe
File opened (read-only)	\??\J:	e57470b.exe
File opened (read-only)	\??\L:	e57470b.exe
File opened (read-only)	\??\P:	e57470b.exe
File opened (read-only)	\??\I:	e57470b.exe
File opened (read-only)	\??\N:	e57470b.exe
File opened (read-only)	\??\O:	e57470b.exe
File opened (read-only)	\??\Q:	e57470b.exe
File opened (read-only)	\??\R:	e57470b.exe
File opened (read-only)	\??\G:	e57470b.exe
File opened (read-only)	\??\K:	e57470b.exe
File opened (read-only)	\??\S:	e57470b.exe

Drops file in Program Files directory 4 IoCs

Processes:

e57470b.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e57470b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e57470b.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e57470b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e57470b.exe

Drops file in Windows directory 3 IoCs

Processes:

e57470b.exee574a38.exe

description ioc process

File created C:\Windows\e574759 e57470b.exe
File opened for modification C:\Windows\SYSTEM.INI e57470b.exe
File created C:\Windows\e5798b6 e574a38.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e57470b.exee574a38.exe

pid process

3868 e57470b.exe
3868 e57470b.exe
3868 e57470b.exe
3868 e57470b.exe
4320 e574a38.exe
4320 e574a38.exe

description	ioc	process
File created	C:\Windows\e574759	e57470b.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57470b.exe
File created	C:\Windows\e5798b6	e574a38.exe

pid	process
3868	e57470b.exe
3868	e57470b.exe
3868	e57470b.exe
3868	e57470b.exe
4320	e574a38.exe
4320	e574a38.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57470b.exe

description	pid	process
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe
Token: SeDebugPrivilege	3868	e57470b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee57470b.exee574a38.exe

description	pid	process	target process
PID 100 wrote to memory of 1020	100	rundll32.exe	rundll32.exe
PID 100 wrote to memory of 1020	100	rundll32.exe	rundll32.exe
PID 100 wrote to memory of 1020	100	rundll32.exe	rundll32.exe
PID 1020 wrote to memory of 3868	1020	rundll32.exe	e57470b.exe
PID 1020 wrote to memory of 3868	1020	rundll32.exe	e57470b.exe
PID 1020 wrote to memory of 3868	1020	rundll32.exe	e57470b.exe
PID 3868 wrote to memory of 764	3868	e57470b.exe	fontdrvhost.exe
PID 3868 wrote to memory of 772	3868	e57470b.exe	fontdrvhost.exe
PID 3868 wrote to memory of 316	3868	e57470b.exe	dwm.exe
PID 3868 wrote to memory of 2380	3868	e57470b.exe	sihost.exe
PID 3868 wrote to memory of 2456	3868	e57470b.exe	svchost.exe
PID 3868 wrote to memory of 2772	3868	e57470b.exe	taskhostw.exe
PID 3868 wrote to memory of 3420	3868	e57470b.exe	Explorer.EXE
PID 3868 wrote to memory of 3572	3868	e57470b.exe	svchost.exe
PID 3868 wrote to memory of 3760	3868	e57470b.exe	DllHost.exe
PID 3868 wrote to memory of 3852	3868	e57470b.exe	StartMenuExperienceHost.exe
PID 3868 wrote to memory of 3912	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 4004	3868	e57470b.exe	SearchApp.exe
PID 3868 wrote to memory of 4060	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 1988	3868	e57470b.exe	TextInputHost.exe
PID 3868 wrote to memory of 1464	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 544	3868	e57470b.exe	backgroundTaskHost.exe
PID 3868 wrote to memory of 4428	3868	e57470b.exe	backgroundTaskHost.exe
PID 3868 wrote to memory of 100	3868	e57470b.exe	rundll32.exe
PID 3868 wrote to memory of 1020	3868	e57470b.exe	rundll32.exe
PID 3868 wrote to memory of 1020	3868	e57470b.exe	rundll32.exe
PID 1020 wrote to memory of 4320	1020	rundll32.exe	e574a38.exe
PID 1020 wrote to memory of 4320	1020	rundll32.exe	e574a38.exe
PID 1020 wrote to memory of 4320	1020	rundll32.exe	e574a38.exe
PID 1020 wrote to memory of 1860	1020	rundll32.exe	e57685f.exe
PID 1020 wrote to memory of 1860	1020	rundll32.exe	e57685f.exe
PID 1020 wrote to memory of 1860	1020	rundll32.exe	e57685f.exe
PID 3868 wrote to memory of 764	3868	e57470b.exe	fontdrvhost.exe
PID 3868 wrote to memory of 772	3868	e57470b.exe	fontdrvhost.exe
PID 3868 wrote to memory of 316	3868	e57470b.exe	dwm.exe
PID 3868 wrote to memory of 2380	3868	e57470b.exe	sihost.exe
PID 3868 wrote to memory of 2456	3868	e57470b.exe	svchost.exe
PID 3868 wrote to memory of 2772	3868	e57470b.exe	taskhostw.exe
PID 3868 wrote to memory of 3420	3868	e57470b.exe	Explorer.EXE
PID 3868 wrote to memory of 3572	3868	e57470b.exe	svchost.exe
PID 3868 wrote to memory of 3760	3868	e57470b.exe	DllHost.exe
PID 3868 wrote to memory of 3852	3868	e57470b.exe	StartMenuExperienceHost.exe
PID 3868 wrote to memory of 3912	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 4004	3868	e57470b.exe	SearchApp.exe
PID 3868 wrote to memory of 4060	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 1988	3868	e57470b.exe	TextInputHost.exe
PID 3868 wrote to memory of 1464	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 544	3868	e57470b.exe	backgroundTaskHost.exe
PID 3868 wrote to memory of 4320	3868	e57470b.exe	e574a38.exe
PID 3868 wrote to memory of 4320	3868	e57470b.exe	e574a38.exe
PID 3868 wrote to memory of 2072	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 548	3868	e57470b.exe	RuntimeBroker.exe
PID 3868 wrote to memory of 1860	3868	e57470b.exe	e57685f.exe
PID 3868 wrote to memory of 1860	3868	e57470b.exe	e57685f.exe
PID 4320 wrote to memory of 764	4320	e574a38.exe	fontdrvhost.exe
PID 4320 wrote to memory of 772	4320	e574a38.exe	fontdrvhost.exe
PID 4320 wrote to memory of 316	4320	e574a38.exe	dwm.exe
PID 4320 wrote to memory of 2380	4320	e574a38.exe	sihost.exe
PID 4320 wrote to memory of 2456	4320	e574a38.exe	svchost.exe
PID 4320 wrote to memory of 2772	4320	e574a38.exe	taskhostw.exe
PID 4320 wrote to memory of 3420	4320	e574a38.exe	Explorer.EXE
PID 4320 wrote to memory of 3572	4320	e574a38.exe	svchost.exe
PID 4320 wrote to memory of 3760	4320	e574a38.exe	DllHost.exe
PID 4320 wrote to memory of 3852	4320	e574a38.exe	StartMenuExperienceHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e57470b.exee574a38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57470b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574a38.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2456

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9caaa5c0ae153ce2735159f38886173433f3fecb5294a7dd074cefa4ed20bfb5_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\e57470b.exe
C:\Users\Admin\AppData\Local\Temp\e57470b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3868

C:\Users\Admin\AppData\Local\Temp\e574a38.exe
C:\Users\Admin\AppData\Local\Temp\e574a38.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4320

C:\Users\Admin\AppData\Local\Temp\e57685f.exe
C:\Users\Admin\AppData\Local\Temp\e57685f.exe
4⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4060

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1464

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:544

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57470b.exe
Filesize
97KB

MD5
259decd41726009f38c40ab06e588f88

SHA1
1df5aac5cb896807993d214dfcc61446ba03e33e

SHA256
8a5574393224648cb825d54f69c4352d49d441f4695b58c5b1498f35585430bd

SHA512
e298a689443ed4e9b97848e43186cd682899696d06c8b5558867797cf86a7dc44e1c21f72300b68ad5c6900dfe3a6e7bbf539721ef9bbe74dc2551213d4fffba

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
90c94e6d44e9cf19c6614a18e7fd79b2

SHA1
aad66aeff28356af75e7a5840d3065e22c563f3a

SHA256
f4206e614ff0709cb638c3fabb5869688bf932050be6edfc098631a92d44b8ae

SHA512
9778821bd8880db3b6d58ad9e32200c45c812dca7bee38b3cee59a519915552dcc9bed89633b2ef2847b18ae951455f8a399a04d30c6bf40f79296c1310f4810

Download Submit
memory/1020-34-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download
memory/1020-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1020-22-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download
memory/1020-26-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1020-31-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download
memory/1860-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1860-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1860-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1860-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1860-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3868-42-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-6-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-28-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/3868-19-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-29-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/3868-21-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-20-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-25-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/3868-13-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-36-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-37-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-38-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-39-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-40-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-9-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-43-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-46-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-12-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-54-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-55-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-11-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3868-10-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-107-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3868-92-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-8-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-65-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-67-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-70-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-72-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-74-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-75-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-77-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-86-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-88-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3868-95-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/4320-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4320-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4320-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4320-124-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/4320-137-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/4320-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4320-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download