Analysis
-
max time kernel
138s
-
max time network
113s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240611-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
29-06-2024 09:47
Static task
static1
Behavioral task
behavioral1
Sample
998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d_NeikiAnalytics.dll
Resource
win7-20240611-en
General
-
Target
998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d_NeikiAnalytics.dll
-
Size
120KB
-
MD5
cb43ee16e84583a178e1eecf5b424e20
-
SHA1
88c752852077d9fd71352e6bc87898eef338a704
-
SHA256
998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d
-
SHA512
196727687d1e3723ed26f29ed407f730be7f7e6550e3c9c3a40335c6ee66dbede3ff70427ee1caea99d23e1d655042d4b956ae95cc7c93a27d500877a137e500
-
SSDEEP
3072:2yPVVGK15FqjDrk0x4rm+HRGwzGQTGbd+AfCSVyd2yAHI:90YoQDrmqRQpoAfCaE
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e572fda.exe, e574dc2.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574dc2.exe
-
Processes: e572fda.exe, e574dc2.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574dc2.exe
-
Processes: e574dc2.exe, e572fda.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574dc2.exe
-
Executes dropped EXE 3 IoCs
Processes: e572fda.exe, e573151.exe, e574dc2.exe
pid | process
3976 | e572fda.exe
316 | e573151.exe
3792 | e574dc2.exe
-
Processes:
resource | yara_rule
behavioral2/memory/3976-9-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-28-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-33-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-29-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-35-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-11-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-10-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-19-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-6-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-34-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-37-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-36-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-38-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-39-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-40-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-42-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-50-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-51-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-52-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-62-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-65-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-66-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-68-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-72-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-73-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-75-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-76-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-78-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-79-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-80-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3976-83-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3792-124-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
-
Processes: e574dc2.exe, e572fda.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574dc2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574dc2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572fda.exe
-
Processes: e572fda.exe, e574dc2.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572fda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574dc2.exe
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e572fda.exe
description | ioc | process
File opened (read-only) | \??\H: | e572fda.exe
File opened (read-only) | \??\I: | e572fda.exe
File opened (read-only) | \??\O: | e572fda.exe
File opened (read-only) | \??\J: | e572fda.exe
File opened (read-only) | \??\K: | e572fda.exe
File opened (read-only) | \??\M: | e572fda.exe
File opened (read-only) | \??\N: | e572fda.exe
File opened (read-only) | \??\Q: | e572fda.exe
File opened (read-only) | \??\L: | e572fda.exe
File opened (read-only) | \??\E: | e572fda.exe
File opened (read-only) | \??\G: | e572fda.exe
File opened (read-only) | \??\P: | e572fda.exe
File opened (read-only) | \??\R: | e572fda.exe
-
Drops file in Program Files directory 4 IoCs
Processes: e572fda.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e572fda.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e572fda.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e572fda.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e572fda.exe
-
Drops file in Windows directory 3 IoCs
Processes: e572fda.exe, e574dc2.exe
description | ioc | process
File created | C:\Windows\e573047 | e572fda.exe
File opened for modification | C:\Windows\SYSTEM.INI | e572fda.exe
File created | C:\Windows\e579c4f | e574dc2.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e572fda.exe
pid | process
3976 | e572fda.exe (4 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e572fda.exe
description | pid | process
Token: SeDebugPrivilege | 3976 | e572fda.exe (64 identical entries)
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes: rundll32.exe, rundll32.exe, e572fda.exe
description | pid | process | target process   (×N marks consecutive identical entries)
PID 2320 wrote to memory of 3964 | 2320 | rundll32.exe | rundll32.exe (×3)
PID 3964 wrote to memory of 3976 | 3964 | rundll32.exe | e572fda.exe (×3)
PID 3976 wrote to memory of 788 | 3976 | e572fda.exe | fontdrvhost.exe
PID 3976 wrote to memory of 796 | 3976 | e572fda.exe | fontdrvhost.exe
PID 3976 wrote to memory of 380 | 3976 | e572fda.exe | dwm.exe
PID 3976 wrote to memory of 2512 | 3976 | e572fda.exe | sihost.exe
PID 3976 wrote to memory of 664 | 3976 | e572fda.exe | svchost.exe
PID 3976 wrote to memory of 3092 | 3976 | e572fda.exe | taskhostw.exe
PID 3976 wrote to memory of 3420 | 3976 | e572fda.exe | Explorer.EXE
PID 3976 wrote to memory of 3568 | 3976 | e572fda.exe | svchost.exe
PID 3976 wrote to memory of 3776 | 3976 | e572fda.exe | DllHost.exe
PID 3976 wrote to memory of 3864 | 3976 | e572fda.exe | StartMenuExperienceHost.exe
PID 3976 wrote to memory of 3924 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 4012 | 3976 | e572fda.exe | SearchApp.exe
PID 3976 wrote to memory of 3440 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 4456 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 3448 | 3976 | e572fda.exe | TextInputHost.exe
PID 3976 wrote to memory of 4856 | 3976 | e572fda.exe | backgroundTaskHost.exe
PID 3976 wrote to memory of 720 | 3976 | e572fda.exe | backgroundTaskHost.exe
PID 3976 wrote to memory of 2320 | 3976 | e572fda.exe | rundll32.exe
PID 3976 wrote to memory of 3964 | 3976 | e572fda.exe | rundll32.exe (×2)
PID 3964 wrote to memory of 316 | 3964 | rundll32.exe | e573151.exe (×3)
PID 3964 wrote to memory of 3792 | 3964 | rundll32.exe | e574dc2.exe (×3)
PID 3976 wrote to memory of 788 | 3976 | e572fda.exe | fontdrvhost.exe
PID 3976 wrote to memory of 796 | 3976 | e572fda.exe | fontdrvhost.exe
PID 3976 wrote to memory of 380 | 3976 | e572fda.exe | dwm.exe
PID 3976 wrote to memory of 2512 | 3976 | e572fda.exe | sihost.exe
PID 3976 wrote to memory of 664 | 3976 | e572fda.exe | svchost.exe
PID 3976 wrote to memory of 3092 | 3976 | e572fda.exe | taskhostw.exe
PID 3976 wrote to memory of 3420 | 3976 | e572fda.exe | Explorer.EXE
PID 3976 wrote to memory of 3568 | 3976 | e572fda.exe | svchost.exe
PID 3976 wrote to memory of 3776 | 3976 | e572fda.exe | DllHost.exe
PID 3976 wrote to memory of 3864 | 3976 | e572fda.exe | StartMenuExperienceHost.exe
PID 3976 wrote to memory of 3924 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 4012 | 3976 | e572fda.exe | SearchApp.exe
PID 3976 wrote to memory of 3440 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 4456 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 3448 | 3976 | e572fda.exe | TextInputHost.exe
PID 3976 wrote to memory of 4856 | 3976 | e572fda.exe | backgroundTaskHost.exe
PID 3976 wrote to memory of 316 | 3976 | e572fda.exe | e573151.exe (×2)
PID 3976 wrote to memory of 2776 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 2020 | 3976 | e572fda.exe | RuntimeBroker.exe
PID 3976 wrote to memory of 3792 | 3976 | e572fda.exe | e574dc2.exe (×2)
-
System policy modification 1 TTPs 2 IoCs
Processes: e574dc2.exe, e572fda.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574dc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572fda.exe
Processes
-
[depth 1] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
-
[depth 1] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
-
[depth 1] C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
-
[depth 1] C:\Windows\system32\sihost.exe
  command line: sihost.exe
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
[depth 1] C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
-
[depth 2] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\e572fda.exe
  command line: C:\Users\Admin\AppData\Local\Temp\e572fda.exe
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\e573151.exe
  command line: C:\Users\Admin\AppData\Local\Temp\e573151.exe
  - Executes dropped EXE
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\e574dc2.exe
  command line: C:\Users\Admin\AppData\Local\Temp\e574dc2.exe
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System policy modification
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
[depth 1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[depth 1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[depth 1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
-
[depth 1] C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
-
[depth 1] C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
-
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e572fda.exe
Filesize: 97KB
MD5: f6f4ddc11a7ed68799c10aca8c5356e2
SHA1: 0c024c028768837f4af8f405b5d121470f78eb77
SHA256: b505cd7ea28a4295268d1e6daf01abe4f2e943017d062351281601700bbdcb57
SHA512: 3500ce4399eee2c298ff8d82d74c465031fc4cdc259129634fc4756a089ab04dc3fee9a2795220f6fc1254a35866f89020bddb93c36eafaece3fe7a4a3f1b2fd
-
C:\Windows\SYSTEM.INI
Filesize: 257B
MD5: 0581693be84b89f6a5b893b16f9f1f8d
SHA1: 31316b0f63052f0d398e137f7722c4e63c07e6e7
SHA256: 7266eae0ddda313fb8ebaa29c736b1452afbecda001963b4089b344bb947b3e2
SHA512: d21817075ba563670911f714bb44b5d4f191501caa2a03147f50f17e2bf23758eebc9857bacf37bdd48475f3296c9c2a75f92e90102746e9ea13e5d0e1a78931
-
memory/316-31-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
memory/316-55-0x00000000001F0000-0x00000000001F1000-memory.dmp | Filesize: 4KB
memory/316-58-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
memory/316-60-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
memory/316-103-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
memory/3792-57-0x00000000001F0000-0x00000000001F1000-memory.dmp | Filesize: 4KB
memory/3792-124-0x0000000000B20000-0x0000000001BDA000-memory.dmp | Filesize: 16.7MB
memory/3792-126-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
memory/3792-61-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
memory/3792-59-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
memory/3964-13-0x00000000044C0000-0x00000000044C1000-memory.dmp | Filesize: 4KB
memory/3964-32-0x0000000001150000-0x0000000001152000-memory.dmp | Filesize: 8KB
memory/3964-16-0x0000000001150000-0x0000000001152000-memory.dmp | Filesize: 8KB
memory/3964-1-0x0000000010000000-0x0000000010020000-memory.dmp | Filesize: 128KB
memory/3964-12-0x0000000001150000-0x0000000001152000-memory.dmp | Filesize: 8KB
memory/3976-42-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-62-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-6-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-34-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-37-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-36-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-38-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-39-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-40-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-25-0x0000000003660000-0x0000000003662000-memory.dmp | Filesize: 8KB
memory/3976-50-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-51-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-52-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-15-0x0000000003D30000-0x0000000003D31000-memory.dmp | Filesize: 4KB
memory/3976-10-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-11-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-35-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-30-0x0000000003660000-0x0000000003662000-memory.dmp | Filesize: 8KB
memory/3976-29-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-19-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-65-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-66-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-68-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-72-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-73-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-75-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-76-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-78-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-79-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-80-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-92-0x0000000003660000-0x0000000003662000-memory.dmp | Filesize: 8KB
memory/3976-83-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-99-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
memory/3976-33-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-28-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-9-0x00000000007A0000-0x000000000185A000-memory.dmp | Filesize: 16.7MB
memory/3976-4-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB