sality | 998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d

Analysis

max time kernel
138s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d_NeikiAnalytics.dll
Size

120KB
MD5

cb43ee16e84583a178e1eecf5b424e20
SHA1

88c752852077d9fd71352e6bc87898eef338a704
SHA256

998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d
SHA512

196727687d1e3723ed26f29ed407f730be7f7e6550e3c9c3a40335c6ee66dbede3ff70427ee1caea99d23e1d655042d4b956ae95cc7c93a27d500877a137e500
SSDEEP

3072:2yPVVGK15FqjDrk0x4rm+HRGwzGQTGbd+AfCSVyd2yAHI:90YoQDrmqRQpoAfCaE

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e572fda.exee574dc2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e574dc2.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e572fda.exee574dc2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574dc2.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574dc2.exee572fda.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574dc2.exe

Executes dropped EXE 3 IoCs

Processes:

e572fda.exee573151.exee574dc2.exe

pid process

3976 e572fda.exe
316 e573151.exe
3792 e574dc2.exe

pid	process
3976	e572fda.exe
316	e573151.exe
3792	e574dc2.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3976-9-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-28-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-33-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-29-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-35-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-11-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-10-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-19-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-6-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-34-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-37-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-36-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-38-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-39-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-40-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-42-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-50-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-51-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-52-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-62-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-65-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-66-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-68-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-72-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-73-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-75-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-76-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-78-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-79-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-80-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3976-83-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3792-124-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574dc2.exee572fda.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574dc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574dc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e572fda.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e572fda.exee574dc2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e572fda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574dc2.exe

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e572fda.exe

description	ioc	process
File opened (read-only)	\??\H:	e572fda.exe
File opened (read-only)	\??\I:	e572fda.exe
File opened (read-only)	\??\O:	e572fda.exe
File opened (read-only)	\??\J:	e572fda.exe
File opened (read-only)	\??\K:	e572fda.exe
File opened (read-only)	\??\M:	e572fda.exe
File opened (read-only)	\??\N:	e572fda.exe
File opened (read-only)	\??\Q:	e572fda.exe
File opened (read-only)	\??\L:	e572fda.exe
File opened (read-only)	\??\E:	e572fda.exe
File opened (read-only)	\??\G:	e572fda.exe
File opened (read-only)	\??\P:	e572fda.exe
File opened (read-only)	\??\R:	e572fda.exe

Drops file in Program Files directory 4 IoCs

Processes:

e572fda.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e572fda.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e572fda.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e572fda.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e572fda.exe

Drops file in Windows directory 3 IoCs

Processes:

e572fda.exee574dc2.exe

description ioc process

File created C:\Windows\e573047 e572fda.exe
File opened for modification C:\Windows\SYSTEM.INI e572fda.exe
File created C:\Windows\e579c4f e574dc2.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e572fda.exe

pid process

3976 e572fda.exe
3976 e572fda.exe
3976 e572fda.exe
3976 e572fda.exe

description	ioc	process
File created	C:\Windows\e573047	e572fda.exe
File opened for modification	C:\Windows\SYSTEM.INI	e572fda.exe
File created	C:\Windows\e579c4f	e574dc2.exe

pid	process
3976	e572fda.exe
3976	e572fda.exe
3976	e572fda.exe
3976	e572fda.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e572fda.exe

description	pid	process
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe
Token: SeDebugPrivilege	3976	e572fda.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

rundll32.exerundll32.exee572fda.exe

description	pid	process	target process
PID 2320 wrote to memory of 3964	2320	rundll32.exe	rundll32.exe
PID 2320 wrote to memory of 3964	2320	rundll32.exe	rundll32.exe
PID 2320 wrote to memory of 3964	2320	rundll32.exe	rundll32.exe
PID 3964 wrote to memory of 3976	3964	rundll32.exe	e572fda.exe
PID 3964 wrote to memory of 3976	3964	rundll32.exe	e572fda.exe
PID 3964 wrote to memory of 3976	3964	rundll32.exe	e572fda.exe
PID 3976 wrote to memory of 788	3976	e572fda.exe	fontdrvhost.exe
PID 3976 wrote to memory of 796	3976	e572fda.exe	fontdrvhost.exe
PID 3976 wrote to memory of 380	3976	e572fda.exe	dwm.exe
PID 3976 wrote to memory of 2512	3976	e572fda.exe	sihost.exe
PID 3976 wrote to memory of 664	3976	e572fda.exe	svchost.exe
PID 3976 wrote to memory of 3092	3976	e572fda.exe	taskhostw.exe
PID 3976 wrote to memory of 3420	3976	e572fda.exe	Explorer.EXE
PID 3976 wrote to memory of 3568	3976	e572fda.exe	svchost.exe
PID 3976 wrote to memory of 3776	3976	e572fda.exe	DllHost.exe
PID 3976 wrote to memory of 3864	3976	e572fda.exe	StartMenuExperienceHost.exe
PID 3976 wrote to memory of 3924	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 4012	3976	e572fda.exe	SearchApp.exe
PID 3976 wrote to memory of 3440	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 4456	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 3448	3976	e572fda.exe	TextInputHost.exe
PID 3976 wrote to memory of 4856	3976	e572fda.exe	backgroundTaskHost.exe
PID 3976 wrote to memory of 720	3976	e572fda.exe	backgroundTaskHost.exe
PID 3976 wrote to memory of 2320	3976	e572fda.exe	rundll32.exe
PID 3976 wrote to memory of 3964	3976	e572fda.exe	rundll32.exe
PID 3976 wrote to memory of 3964	3976	e572fda.exe	rundll32.exe
PID 3964 wrote to memory of 316	3964	rundll32.exe	e573151.exe
PID 3964 wrote to memory of 316	3964	rundll32.exe	e573151.exe
PID 3964 wrote to memory of 316	3964	rundll32.exe	e573151.exe
PID 3964 wrote to memory of 3792	3964	rundll32.exe	e574dc2.exe
PID 3964 wrote to memory of 3792	3964	rundll32.exe	e574dc2.exe
PID 3964 wrote to memory of 3792	3964	rundll32.exe	e574dc2.exe
PID 3976 wrote to memory of 788	3976	e572fda.exe	fontdrvhost.exe
PID 3976 wrote to memory of 796	3976	e572fda.exe	fontdrvhost.exe
PID 3976 wrote to memory of 380	3976	e572fda.exe	dwm.exe
PID 3976 wrote to memory of 2512	3976	e572fda.exe	sihost.exe
PID 3976 wrote to memory of 664	3976	e572fda.exe	svchost.exe
PID 3976 wrote to memory of 3092	3976	e572fda.exe	taskhostw.exe
PID 3976 wrote to memory of 3420	3976	e572fda.exe	Explorer.EXE
PID 3976 wrote to memory of 3568	3976	e572fda.exe	svchost.exe
PID 3976 wrote to memory of 3776	3976	e572fda.exe	DllHost.exe
PID 3976 wrote to memory of 3864	3976	e572fda.exe	StartMenuExperienceHost.exe
PID 3976 wrote to memory of 3924	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 4012	3976	e572fda.exe	SearchApp.exe
PID 3976 wrote to memory of 3440	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 4456	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 3448	3976	e572fda.exe	TextInputHost.exe
PID 3976 wrote to memory of 4856	3976	e572fda.exe	backgroundTaskHost.exe
PID 3976 wrote to memory of 316	3976	e572fda.exe	e573151.exe
PID 3976 wrote to memory of 316	3976	e572fda.exe	e573151.exe
PID 3976 wrote to memory of 2776	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 2020	3976	e572fda.exe	RuntimeBroker.exe
PID 3976 wrote to memory of 3792	3976	e572fda.exe	e574dc2.exe
PID 3976 wrote to memory of 3792	3976	e572fda.exe	e574dc2.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e574dc2.exee572fda.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574dc2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e572fda.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:664

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\998868d83112ec4357a8d36cf81118af7b5772e9e7db82299cb3ba336fecdb9d_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\e572fda.exe
C:\Users\Admin\AppData\Local\Temp\e572fda.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3976

C:\Users\Admin\AppData\Local\Temp\e573151.exe
C:\Users\Admin\AppData\Local\Temp\e573151.exe
4⤵
- Executes dropped EXE
PID:316

C:\Users\Admin\AppData\Local\Temp\e574dc2.exe
C:\Users\Admin\AppData\Local\Temp\e574dc2.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3440

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4456

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4856

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e572fda.exe
Filesize
97KB

MD5
f6f4ddc11a7ed68799c10aca8c5356e2

SHA1
0c024c028768837f4af8f405b5d121470f78eb77

SHA256
b505cd7ea28a4295268d1e6daf01abe4f2e943017d062351281601700bbdcb57

SHA512
3500ce4399eee2c298ff8d82d74c465031fc4cdc259129634fc4756a089ab04dc3fee9a2795220f6fc1254a35866f89020bddb93c36eafaece3fe7a4a3f1b2fd

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
0581693be84b89f6a5b893b16f9f1f8d

SHA1
31316b0f63052f0d398e137f7722c4e63c07e6e7

SHA256
7266eae0ddda313fb8ebaa29c736b1452afbecda001963b4089b344bb947b3e2

SHA512
d21817075ba563670911f714bb44b5d4f191501caa2a03147f50f17e2bf23758eebc9857bacf37bdd48475f3296c9c2a75f92e90102746e9ea13e5d0e1a78931

Download Submit
memory/316-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/316-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/316-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/316-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/316-103-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3792-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3792-124-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download
memory/3792-126-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3792-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3792-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3964-13-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/3964-32-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/3964-16-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/3964-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3964-12-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/3976-42-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-62-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-6-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-34-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-37-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-36-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-38-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-39-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-40-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-25-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/3976-50-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-51-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-52-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-15-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/3976-10-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-11-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-35-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-30-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/3976-29-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-19-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-65-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-66-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-68-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-72-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-73-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-75-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-76-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-78-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-79-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-80-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-92-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/3976-83-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-99-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3976-33-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-28-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-9-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3976-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download