sality | a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6

Analysis

max time kernel
129s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6_NeikiAnalytics.dll
Size

120KB
MD5

f88fbb5fe11567493f4f8a4821de8750
SHA1

07ece08820298e4213f9f51941be61f42dfdf853
SHA256

a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6
SHA512

bf62e728c0c97bdef67462a6650e048f47e00727182e4738ffbe6216ad07536ff898a31d6c5a4aa4aff626ec7e9b56033279af7ce965f5c389616fb89e195bf2
SSDEEP

1536:u2jK33ff/GCsfVxEwcVVy2ydsMCe/baKm7WzV+nJGuOvxAe//8A6CFZuZXcsVuSu:u2cfeC0TgesDkJz8GxB/REcsVh0fWG

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e57378b.exee575813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57378b.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57378b.exee575813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575813.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57378b.exee575813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575813.exe

Executes dropped EXE 3 IoCs

Processes:

e57378b.exee5738d3.exee575813.exe

pid process

2312 e57378b.exe
4040 e5738d3.exe
664 e575813.exe

pid	process
2312	e57378b.exe
4040	e5738d3.exe
664	e575813.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2312-6-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-9-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-11-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-34-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-22-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-33-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-35-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-21-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-12-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-10-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-37-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-38-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-40-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-41-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-39-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-43-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-52-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-53-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-63-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-64-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-66-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-69-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-71-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-72-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-74-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-75-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-76-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-83-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-85-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2312-86-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/664-120-0x0000000000B80000-0x0000000001C3A000-memory.dmp	upx
behavioral2/memory/664-154-0x0000000000B80000-0x0000000001C3A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57378b.exee575813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575813.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57378b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57378b.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e57378b.exee575813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575813.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57378b.exee575813.exe

description	ioc	process
File opened (read-only)	\??\P:	e57378b.exe
File opened (read-only)	\??\J:	e57378b.exe
File opened (read-only)	\??\M:	e57378b.exe
File opened (read-only)	\??\E:	e575813.exe
File opened (read-only)	\??\H:	e575813.exe
File opened (read-only)	\??\E:	e57378b.exe
File opened (read-only)	\??\N:	e57378b.exe
File opened (read-only)	\??\Q:	e57378b.exe
File opened (read-only)	\??\G:	e57378b.exe
File opened (read-only)	\??\H:	e57378b.exe
File opened (read-only)	\??\I:	e57378b.exe
File opened (read-only)	\??\K:	e57378b.exe
File opened (read-only)	\??\L:	e57378b.exe
File opened (read-only)	\??\O:	e57378b.exe
File opened (read-only)	\??\G:	e575813.exe

Drops file in Program Files directory 4 IoCs

Processes:

e57378b.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e57378b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e57378b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e57378b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e57378b.exe

Drops file in Windows directory 3 IoCs

Processes:

e57378b.exee575813.exe

description ioc process

File created C:\Windows\e5737e8 e57378b.exe
File opened for modification C:\Windows\SYSTEM.INI e57378b.exe
File created C:\Windows\e57884a e575813.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e57378b.exee575813.exe

pid process

2312 e57378b.exe
2312 e57378b.exe
2312 e57378b.exe
2312 e57378b.exe
664 e575813.exe
664 e575813.exe

description	ioc	process
File created	C:\Windows\e5737e8	e57378b.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57378b.exe
File created	C:\Windows\e57884a	e575813.exe

pid	process
2312	e57378b.exe
2312	e57378b.exe
2312	e57378b.exe
2312	e57378b.exe
664	e575813.exe
664	e575813.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57378b.exe

description	pid	process
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe
Token: SeDebugPrivilege	2312	e57378b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee57378b.exee575813.exe

description	pid	process	target process
PID 2220 wrote to memory of 460	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 460	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 460	2220	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 2312	460	rundll32.exe	e57378b.exe
PID 460 wrote to memory of 2312	460	rundll32.exe	e57378b.exe
PID 460 wrote to memory of 2312	460	rundll32.exe	e57378b.exe
PID 2312 wrote to memory of 784	2312	e57378b.exe	fontdrvhost.exe
PID 2312 wrote to memory of 792	2312	e57378b.exe	fontdrvhost.exe
PID 2312 wrote to memory of 316	2312	e57378b.exe	dwm.exe
PID 2312 wrote to memory of 2916	2312	e57378b.exe	sihost.exe
PID 2312 wrote to memory of 3004	2312	e57378b.exe	svchost.exe
PID 2312 wrote to memory of 2584	2312	e57378b.exe	taskhostw.exe
PID 2312 wrote to memory of 3536	2312	e57378b.exe	Explorer.EXE
PID 2312 wrote to memory of 3652	2312	e57378b.exe	svchost.exe
PID 2312 wrote to memory of 3828	2312	e57378b.exe	DllHost.exe
PID 2312 wrote to memory of 3920	2312	e57378b.exe	StartMenuExperienceHost.exe
PID 2312 wrote to memory of 3980	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 4068	2312	e57378b.exe	SearchApp.exe
PID 2312 wrote to memory of 4108	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 3760	2312	e57378b.exe	TextInputHost.exe
PID 2312 wrote to memory of 3232	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 2828	2312	e57378b.exe	backgroundTaskHost.exe
PID 2312 wrote to memory of 4708	2312	e57378b.exe	backgroundTaskHost.exe
PID 2312 wrote to memory of 2220	2312	e57378b.exe	rundll32.exe
PID 2312 wrote to memory of 460	2312	e57378b.exe	rundll32.exe
PID 2312 wrote to memory of 460	2312	e57378b.exe	rundll32.exe
PID 460 wrote to memory of 4040	460	rundll32.exe	e5738d3.exe
PID 460 wrote to memory of 4040	460	rundll32.exe	e5738d3.exe
PID 460 wrote to memory of 4040	460	rundll32.exe	e5738d3.exe
PID 460 wrote to memory of 664	460	rundll32.exe	e575813.exe
PID 460 wrote to memory of 664	460	rundll32.exe	e575813.exe
PID 460 wrote to memory of 664	460	rundll32.exe	e575813.exe
PID 2312 wrote to memory of 784	2312	e57378b.exe	fontdrvhost.exe
PID 2312 wrote to memory of 792	2312	e57378b.exe	fontdrvhost.exe
PID 2312 wrote to memory of 316	2312	e57378b.exe	dwm.exe
PID 2312 wrote to memory of 2916	2312	e57378b.exe	sihost.exe
PID 2312 wrote to memory of 3004	2312	e57378b.exe	svchost.exe
PID 2312 wrote to memory of 2584	2312	e57378b.exe	taskhostw.exe
PID 2312 wrote to memory of 3536	2312	e57378b.exe	Explorer.EXE
PID 2312 wrote to memory of 3652	2312	e57378b.exe	svchost.exe
PID 2312 wrote to memory of 3828	2312	e57378b.exe	DllHost.exe
PID 2312 wrote to memory of 3920	2312	e57378b.exe	StartMenuExperienceHost.exe
PID 2312 wrote to memory of 3980	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 4068	2312	e57378b.exe	SearchApp.exe
PID 2312 wrote to memory of 4108	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 3760	2312	e57378b.exe	TextInputHost.exe
PID 2312 wrote to memory of 3232	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 2828	2312	e57378b.exe	backgroundTaskHost.exe
PID 2312 wrote to memory of 4040	2312	e57378b.exe	e5738d3.exe
PID 2312 wrote to memory of 4040	2312	e57378b.exe	e5738d3.exe
PID 2312 wrote to memory of 2780	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 1652	2312	e57378b.exe	RuntimeBroker.exe
PID 2312 wrote to memory of 664	2312	e57378b.exe	e575813.exe
PID 2312 wrote to memory of 664	2312	e57378b.exe	e575813.exe
PID 664 wrote to memory of 784	664	e575813.exe	fontdrvhost.exe
PID 664 wrote to memory of 792	664	e575813.exe	fontdrvhost.exe
PID 664 wrote to memory of 316	664	e575813.exe	dwm.exe
PID 664 wrote to memory of 2916	664	e575813.exe	sihost.exe
PID 664 wrote to memory of 3004	664	e575813.exe	svchost.exe
PID 664 wrote to memory of 2584	664	e575813.exe	taskhostw.exe
PID 664 wrote to memory of 3536	664	e575813.exe	Explorer.EXE
PID 664 wrote to memory of 3652	664	e575813.exe	svchost.exe
PID 664 wrote to memory of 3828	664	e575813.exe	DllHost.exe
PID 664 wrote to memory of 3920	664	e575813.exe	StartMenuExperienceHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e57378b.exee575813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57378b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575813.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3004

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2584

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a70d1f11a1df454d7beeecffa0955580cceee8d80a8159ac861e845886f89fc6_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\e57378b.exe
C:\Users\Admin\AppData\Local\Temp\e57378b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2312

C:\Users\Admin\AppData\Local\Temp\e5738d3.exe
C:\Users\Admin\AppData\Local\Temp\e5738d3.exe
4⤵
- Executes dropped EXE
PID:4040

C:\Users\Admin\AppData\Local\Temp\e575813.exe
C:\Users\Admin\AppData\Local\Temp\e575813.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3232

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2828

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57378b.exe
Filesize
97KB

MD5
6b23c8d72561afa8da185adacf7ea3e7

SHA1
5f2e06fbfe724abbebe6c61a75cd7906db4e050a

SHA256
c12d2b481416a2997ba3f814879e3c6f5d470d7c9a75298b9ab65f47e7bb7ff3

SHA512
294f2b88d52a5b48a3ad14afe06cee7cc28520b507634667da9d2fb231edd4a2cc8b12c5b0646045ae049db954dd989fa5000ad1709efc7ea5bb172d70848cd5

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
62bd9c3cefd390f6f9a734ee982bb3d1

SHA1
d2a668d1776badfd12f674f6dc913d8a22a13620

SHA256
fd778dab400f8f665d52a70026677316ffc4f554277b93e4bdba0997e3c05d56

SHA512
3ed7f1852b3f491d6635e55231de3e19990e90f847b566acf73e3a3fa1bd60eeb3e3fc4a9063c6b7ea6aa17abfc3eb3fc0196aece3fd845caa311b4275a238de

Download Submit
memory/460-17-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/460-24-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/460-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/460-13-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/460-23-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/664-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/664-120-0x0000000000B80000-0x0000000001C3A000-memory.dmp

Filesize
16.7MB

Download
memory/664-154-0x0000000000B80000-0x0000000001C3A000-memory.dmp

Filesize
16.7MB

Download
memory/664-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/664-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/664-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/664-51-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2312-39-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-11-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-21-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-28-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2312-36-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2312-12-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-10-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-37-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-38-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-40-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-41-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-35-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-43-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-33-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-52-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-53-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2312-16-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2312-22-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-34-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-6-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-9-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-63-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-64-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-66-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-69-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-71-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-72-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-74-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-75-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-76-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-83-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-85-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-95-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2312-86-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2312-104-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4040-108-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4040-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4040-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4040-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4040-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download