Analysis
-
max time kernel
129s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted
29-06-2024 11:01
Static task
static1
Behavioral task
behavioral1
Sample
a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6_NeikiAnalytics.dll
Resource
win7-20240611-en
General
-
Target
a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6_NeikiAnalytics.dll
-
Size
120KB
-
MD5
f88fbb5fe11567493f4f8a4821de8750
-
SHA1
07ece08820298e4213f9f51941be61f42dfdf853
-
SHA256
a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6
-
SHA512
bf62e728c0c97bdef67462a6650e048f47e00727182e4738ffbe6216ad07536ff898a31d6c5a4aa4aff626ec7e9b56033279af7ce965f5c389616fb89e195bf2
-
SSDEEP
1536:u2jK33ff/GCsfVxEwcVVy2ydsMCe/baKm7WzV+nJGuOvxAe//8A6CFZuZXcsVuSu:u2cfeC0TgesDkJz8GxB/REcsVh0fWG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
Processes:
e57378b.exee575813.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57378b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e575813.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e575813.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57378b.exe -
UAC bypass
Processes:
e57378b.exe, e575813.exe — description | ioc | process: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57378b.exe; Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575813.exe -
Windows security bypass
Processes:
e57378b.exee575813.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e575813.exe -
Executes dropped EXE 3 IoCs
Processes:
e57378b.exe, e5738d3.exe, e575813.exe — pid | process: 2312 e57378b.exe; 4040 e5738d3.exe; 664 e575813.exe -
Processes:
resource yara_rule behavioral2/memory/2312-6-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-9-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-11-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-34-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-22-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-33-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-35-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-21-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-12-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-10-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-37-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-38-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-40-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-41-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-39-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-43-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-52-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-53-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-63-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-64-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-66-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-69-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-71-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-72-0x0000000000760000-0x000000000181A000-memory.dmp upx 
behavioral2/memory/2312-74-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-75-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-76-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-83-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-85-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2312-86-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/664-120-0x0000000000B80000-0x0000000001C3A000-memory.dmp upx behavioral2/memory/664-154-0x0000000000B80000-0x0000000001C3A000-memory.dmp upx -
Windows security modification
Processes:
e57378b.exee575813.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e575813.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e575813.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57378b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57378b.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57378b.exe -
Checks whether UAC is enabled
Processes:
e57378b.exe, e575813.exe — description | ioc | process: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57378b.exe; Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575813.exe -
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e57378b.exee575813.exedescription ioc process File opened (read-only) \??\P: e57378b.exe File opened (read-only) \??\J: e57378b.exe File opened (read-only) \??\M: e57378b.exe File opened (read-only) \??\E: e575813.exe File opened (read-only) \??\H: e575813.exe File opened (read-only) \??\E: e57378b.exe File opened (read-only) \??\N: e57378b.exe File opened (read-only) \??\Q: e57378b.exe File opened (read-only) \??\G: e57378b.exe File opened (read-only) \??\H: e57378b.exe File opened (read-only) \??\I: e57378b.exe File opened (read-only) \??\K: e57378b.exe File opened (read-only) \??\L: e57378b.exe File opened (read-only) \??\O: e57378b.exe File opened (read-only) \??\G: e575813.exe -
Drops file in Program Files directory 4 IoCs
Processes:
e57378b.exe — description | ioc | process: File opened for modification C:\Program Files\7-Zip\7z.exe e57378b.exe; File opened for modification C:\Program Files\7-Zip\7zFM.exe e57378b.exe; File opened for modification C:\Program Files\7-Zip\7zG.exe e57378b.exe; File opened for modification C:\Program Files\7-Zip\Uninstall.exe e57378b.exe -
Drops file in Windows directory 3 IoCs
Processes:
e57378b.exe, e575813.exe — description | ioc | process: File created C:\Windows\e5737e8 e57378b.exe; File opened for modification C:\Windows\SYSTEM.INI e57378b.exe; File created C:\Windows\e57884a e575813.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
e57378b.exe, e575813.exe — pid | process: 2312 e57378b.exe; 2312 e57378b.exe; 2312 e57378b.exe; 2312 e57378b.exe; 664 e575813.exe; 664 e575813.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e57378b.exedescription pid process Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 
e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe Token: SeDebugPrivilege 2312 e57378b.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exerundll32.exee57378b.exee575813.exedescription pid process target process PID 2220 wrote to memory of 460 2220 rundll32.exe rundll32.exe PID 2220 wrote to memory of 460 2220 rundll32.exe rundll32.exe PID 2220 wrote to memory of 460 2220 rundll32.exe rundll32.exe PID 460 wrote to memory of 2312 460 rundll32.exe e57378b.exe PID 460 wrote to memory of 2312 460 rundll32.exe e57378b.exe PID 460 wrote to memory of 2312 460 rundll32.exe e57378b.exe PID 2312 wrote to memory of 784 2312 e57378b.exe fontdrvhost.exe PID 2312 wrote to memory of 792 2312 e57378b.exe fontdrvhost.exe PID 2312 wrote to memory of 316 2312 e57378b.exe dwm.exe PID 2312 wrote to memory of 2916 2312 e57378b.exe sihost.exe PID 2312 wrote to memory of 3004 2312 e57378b.exe svchost.exe PID 2312 wrote to memory of 2584 2312 e57378b.exe taskhostw.exe PID 2312 wrote to memory of 3536 2312 e57378b.exe Explorer.EXE PID 2312 wrote to memory of 3652 2312 e57378b.exe svchost.exe PID 2312 wrote to memory of 3828 2312 e57378b.exe DllHost.exe PID 2312 wrote to memory of 3920 2312 e57378b.exe StartMenuExperienceHost.exe PID 2312 wrote to memory of 3980 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 4068 2312 e57378b.exe SearchApp.exe PID 2312 wrote to memory of 4108 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 3760 2312 e57378b.exe TextInputHost.exe PID 2312 wrote to memory of 3232 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 2828 2312 e57378b.exe backgroundTaskHost.exe PID 2312 wrote to memory of 4708 2312 e57378b.exe backgroundTaskHost.exe PID 2312 wrote to memory of 2220 2312 e57378b.exe rundll32.exe PID 2312 wrote to memory of 460 2312 e57378b.exe rundll32.exe PID 2312 wrote to memory of 460 2312 e57378b.exe rundll32.exe PID 460 wrote to memory of 4040 460 rundll32.exe e5738d3.exe PID 460 wrote to memory of 4040 460 rundll32.exe e5738d3.exe PID 460 wrote to memory of 4040 460 rundll32.exe e5738d3.exe PID 460 wrote to memory of 664 460 rundll32.exe 
e575813.exe PID 460 wrote to memory of 664 460 rundll32.exe e575813.exe PID 460 wrote to memory of 664 460 rundll32.exe e575813.exe PID 2312 wrote to memory of 784 2312 e57378b.exe fontdrvhost.exe PID 2312 wrote to memory of 792 2312 e57378b.exe fontdrvhost.exe PID 2312 wrote to memory of 316 2312 e57378b.exe dwm.exe PID 2312 wrote to memory of 2916 2312 e57378b.exe sihost.exe PID 2312 wrote to memory of 3004 2312 e57378b.exe svchost.exe PID 2312 wrote to memory of 2584 2312 e57378b.exe taskhostw.exe PID 2312 wrote to memory of 3536 2312 e57378b.exe Explorer.EXE PID 2312 wrote to memory of 3652 2312 e57378b.exe svchost.exe PID 2312 wrote to memory of 3828 2312 e57378b.exe DllHost.exe PID 2312 wrote to memory of 3920 2312 e57378b.exe StartMenuExperienceHost.exe PID 2312 wrote to memory of 3980 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 4068 2312 e57378b.exe SearchApp.exe PID 2312 wrote to memory of 4108 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 3760 2312 e57378b.exe TextInputHost.exe PID 2312 wrote to memory of 3232 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 2828 2312 e57378b.exe backgroundTaskHost.exe PID 2312 wrote to memory of 4040 2312 e57378b.exe e5738d3.exe PID 2312 wrote to memory of 4040 2312 e57378b.exe e5738d3.exe PID 2312 wrote to memory of 2780 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 1652 2312 e57378b.exe RuntimeBroker.exe PID 2312 wrote to memory of 664 2312 e57378b.exe e575813.exe PID 2312 wrote to memory of 664 2312 e57378b.exe e575813.exe PID 664 wrote to memory of 784 664 e575813.exe fontdrvhost.exe PID 664 wrote to memory of 792 664 e575813.exe fontdrvhost.exe PID 664 wrote to memory of 316 664 e575813.exe dwm.exe PID 664 wrote to memory of 2916 664 e575813.exe sihost.exe PID 664 wrote to memory of 3004 664 e575813.exe svchost.exe PID 664 wrote to memory of 2584 664 e575813.exe taskhostw.exe PID 664 wrote to memory of 3536 664 e575813.exe Explorer.EXE PID 664 wrote 
to memory of 3652 664 e575813.exe svchost.exe PID 664 wrote to memory of 3828 664 e575813.exe DllHost.exe PID 664 wrote to memory of 3920 664 e575813.exe StartMenuExperienceHost.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
e57378b.exe, e575813.exe — description | ioc | process: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57378b.exe; Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575813.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exe — rundll32.exe C:\Users\Admin\AppData\Local\Temp\a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6_NeikiAnalytics.dll,#1 (tree depth 2) ⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe — rundll32.exe C:\Users\Admin\AppData\Local\Temp\a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6_NeikiAnalytics.dll,#1 (tree depth 3) ⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57378b.exe — C:\Users\Admin\AppData\Local\Temp\e57378b.exe (tree depth 4) ⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5738d3.exe — C:\Users\Admin\AppData\Local\Temp\e5738d3.exe (tree depth 4) ⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e575813.exe — C:\Users\Admin\AppData\Local\Temp\e575813.exe (tree depth 4) ⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process 1
Windows Service 1
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Defense Evasion
Modify Registry 5
Impair Defenses 4
Disable or Modify Tools 3
Disable or Modify System Firewall 1
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57378b.exe
Filesize
97KB
MD5 6b23c8d72561afa8da185adacf7ea3e7
SHA1 5f2e06fbfe724abbebe6c61a75cd7906db4e050a
SHA256 c12d2b481416a2997ba3f814879e3c6f5d470d7c9a75298b9ab65f47e7bb7ff3
SHA512 294f2b88d52a5b48a3ad14afe06cee7cc28520b507634667da9d2fb231edd4a2cc8b12c5b0646045ae049db954dd989fa5000ad1709efc7ea5bb172d70848cd5
-
C:\Windows\SYSTEM.INI
Filesize
257B
MD5 62bd9c3cefd390f6f9a734ee982bb3d1
SHA1 d2a668d1776badfd12f674f6dc913d8a22a13620
SHA256 fd778dab400f8f665d52a70026677316ffc4f554277b93e4bdba0997e3c05d56
SHA512 3ed7f1852b3f491d6635e55231de3e19990e90f847b566acf73e3a3fa1bd60eeb3e3fc4a9063c6b7ea6aa17abfc3eb3fc0196aece3fd845caa311b4275a238de
-
memory/460-17-0x00000000011F0000-0x00000000011F2000-memory.dmpFilesize
8KB
-
memory/460-24-0x00000000011F0000-0x00000000011F2000-memory.dmpFilesize
8KB
-
memory/460-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/460-13-0x00000000011F0000-0x00000000011F2000-memory.dmpFilesize
8KB
-
memory/460-23-0x0000000004450000-0x0000000004451000-memory.dmpFilesize
4KB
-
memory/664-155-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/664-120-0x0000000000B80000-0x0000000001C3A000-memory.dmpFilesize
16.7MB
-
memory/664-154-0x0000000000B80000-0x0000000001C3A000-memory.dmpFilesize
16.7MB
-
memory/664-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/664-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/664-59-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/664-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2312-39-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-11-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-21-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-28-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2312-36-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2312-12-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-10-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-37-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-38-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-40-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-41-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-35-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-43-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-33-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-52-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-53-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2312-16-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/2312-22-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-34-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-6-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-9-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-63-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-64-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-66-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-69-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-71-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-72-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-74-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-75-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-76-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-83-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-85-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-95-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2312-86-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2312-104-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4040-108-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4040-27-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4040-61-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4040-56-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4040-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB