Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 12:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab0ce3e49a6900b334bd9fc5a6f95b5c908cde5ca852a8f7115603bd6a490429_NeikiAnalytics.dll
- Resource: win7-20240611-en
General
- Target: ab0ce3e49a6900b334bd9fc5a6f95b5c908cde5ca852a8f7115603bd6a490429_NeikiAnalytics.dll
- Size: 120KB
- MD5: 74a2e1db441c489081c86822b6864cc0
- SHA1: 1291dd5e6d3fb40477e9910120c2bff9b3c50984
- SHA256: ab0ce3e49a6900b334bd9fc5a6f95b5c908cde5ca852a8f7115603bd6a490429
- SHA512: fac343eb2c93d036738ec9996d08714c9d6e22896c5b6ad66e9f5255b252fb6b8edf4b4adc8616f50d11b5f4af8d30c596ecbf7d23938a357878fec06eb0fad9
- SSDEEP: 1536:kK5cU0RrnqLTGDxFgo41AS1hi2xZqo5KRAWX1DzX9Rb+GYc4:EU0RGaAHZ/59W1zNRbgf
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e580d59.exe, e58178a.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (e580d59.exe, e58178a.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  (e580d59.exe, e58178a.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  (e580d59.exe, e58178a.exe)
UAC bypass
Processes: e580d59.exe, e58178a.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e580d59.exe, e58178a.exe)
Windows security bypass
Processes: e58178a.exe, e580d59.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (e58178a.exe, e580d59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (e58178a.exe, e580d59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (e58178a.exe, e580d59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (e58178a.exe, e580d59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (e58178a.exe, e580d59.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (e58178a.exe, e580d59.exe)
Executes dropped EXE (4 IoCs)
Processes: e580d59.exe, e58143f.exe, e5816de.exe, e58178a.exe
- pid 2620  e580d59.exe
- pid 4108  e58143f.exe
- pid 4304  e5816de.exe
- pid 2424  e58178a.exe
Memory regions matching YARA rule "upx"
- behavioral2/memory/2620-{6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 40, 46, 49, 50, 51, 53, 54, 56, 57, 60, 74, 76, 79, 80, 82, 85, 87, 89, 91}-0x00000000007F0000-0x00000000018AA000-memory.dmp  (29 dumps, rule: upx)
- behavioral2/memory/2424-{117, 147}-0x0000000000BD0000-0x0000000001C8A000-memory.dmp  (2 dumps, rule: upx)
Windows security modification
Processes: e580d59.exe, e58178a.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (e580d59.exe, e58178a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (e580d59.exe, e58178a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (e580d59.exe, e58178a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (e580d59.exe, e58178a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (e580d59.exe, e58178a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (e580d59.exe, e58178a.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  (e580d59.exe, e58178a.exe)
Checks whether UAC is enabled
Processes: e580d59.exe, e58178a.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e580d59.exe, e58178a.exe)
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: e580d59.exe
- File opened (read-only): \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:  (13 drive roots)
Drops file in Windows directory 3 IoCs
Processes:
Processes: e580d59.exe, e58178a.exe
- File created: C:\Windows\e58118f  (e580d59.exe)
- File opened for modification: C:\Windows\SYSTEM.INI  (e580d59.exe)
- File created: C:\Windows\e5864b0  (e58178a.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e580d59.exe, e58178a.exe
- pid 2620  e580d59.exe  (4 occurrences)
- pid 2424  e58178a.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e580d59.exe
- Token: SeDebugPrivilege  pid 2620  e580d59.exe  (64 occurrences listed)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e580d59.exe
Source (pid, image) wrote to memory of target (pid, image); repeated records are collapsed with their count:
- 1596 rundll32.exe -> 1588 rundll32.exe  (x3)
- 1588 rundll32.exe -> 2620 e580d59.exe  (x3)
- 1588 rundll32.exe -> 4108 e58143f.exe  (x3)
- 1588 rundll32.exe -> 4304 e5816de.exe  (x3)
- 1588 rundll32.exe -> 2424 e58178a.exe  (x3)
- 2620 e580d59.exe -> 1596 rundll32.exe  (x1)
- 2620 e580d59.exe -> 1588 rundll32.exe  (x2)
- 2620 e580d59.exe -> each of the following, twice: 788 fontdrvhost.exe, 792 fontdrvhost.exe, 332 dwm.exe, 2504 sihost.exe, 2556 svchost.exe, 2832 taskhostw.exe, 3164 Explorer.EXE, 3460 svchost.exe, 3696 DllHost.exe, 3792 StartMenuExperienceHost.exe, 3856 RuntimeBroker.exe, 3940 SearchApp.exe, 3076 RuntimeBroker.exe, 4452 RuntimeBroker.exe, 4756 TextInputHost.exe, 5044 RuntimeBroker.exe, 1772 msedge.exe, 4572 msedge.exe, 3336 msedge.exe, 4280 msedge.exe, 4172 msedge.exe, 4272 msedge.exe, 2984 msedge.exe  (23 targets, 46 records)
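The WriteProcessMemory records above are the clearest behavioural signal in this report: e580d59.exe (pid 2620) writes into fontdrvhost.exe, dwm.exe, Explorer.EXE, every msedge.exe process and its own rundll32.exe ancestors, while rundll32.exe (pid 1588) only writes into the four executables it launched. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses records in the sandbox's `PID <src> wrote to memory of <dst> <src> <src image> <dst image>` shape (one per line, or run together on a single line as the extracted page has them) and ranks writers by the number of distinct processes they touched, so an injector stands out from a parent that merely started children. The sample records are copied from this report; the threshold, function names and return layout are the example's own choices.

```python
import re
from collections import defaultdict

# One record as the sandbox prints it:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
# The back-reference (?P=src) makes sure the repeated source pid is the same number.
_WRITE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<srcimg>\S+) (?P<dstimg>\S+)"
)


def parse_writes(text: str) -> tuple:
    """Return (writes, images): writes = {src_pid: {dst_pid: dst_image}}, images = {pid: image}.

    Repeated records for the same (src, dst) pair collapse to one entry. The sandbox logs
    every call and the report list is capped, so call counts are not a reliable measure;
    the number of distinct targets is.
    """
    writes = defaultdict(dict)
    images = {}
    for m in _WRITE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        writes[src][dst] = m["dstimg"]
        images[src] = m["srcimg"]
        images[dst] = m["dstimg"]
    return dict(writes), images


def rank_writers(writes: dict, images: dict, min_targets: int = 5) -> list:
    """Sources that wrote into at least min_targets distinct pids, most prolific first.

    Each entry is (src_pid, src_image, distinct_target_count, sorted distinct target images).
    A parent shows up writing into each child it launches, so rundll32.exe (1588) with its
    four dropped executables stays under the threshold; a process that opens every process
    it can reach, as e580d59.exe does here, does not.
    """
    ranked = []
    for src, targets in writes.items():
        if len(targets) >= min_targets:
            names = sorted(set(targets.values()), key=str.lower)
            ranked.append((src, images[src], len(targets), names))
    return sorted(ranked, key=lambda r: (-r[2], r[0]))


# Constructed input: a subset of the records from this report's WriteProcessMemory signature.
SAMPLE_WRITES = """
PID 1596 wrote to memory of 1588 1596 rundll32.exe rundll32.exe
PID 1596 wrote to memory of 1588 1596 rundll32.exe rundll32.exe
PID 1588 wrote to memory of 2620 1588 rundll32.exe e580d59.exe
PID 2620 wrote to memory of 788 2620 e580d59.exe fontdrvhost.exe
PID 2620 wrote to memory of 792 2620 e580d59.exe fontdrvhost.exe
PID 2620 wrote to memory of 332 2620 e580d59.exe dwm.exe
PID 2620 wrote to memory of 2504 2620 e580d59.exe sihost.exe
PID 2620 wrote to memory of 2556 2620 e580d59.exe svchost.exe
PID 2620 wrote to memory of 3164 2620 e580d59.exe Explorer.EXE
PID 2620 wrote to memory of 1772 2620 e580d59.exe msedge.exe
PID 2620 wrote to memory of 1596 2620 e580d59.exe rundll32.exe
PID 2620 wrote to memory of 1588 2620 e580d59.exe rundll32.exe
PID 1588 wrote to memory of 4108 1588 rundll32.exe e58143f.exe
PID 1588 wrote to memory of 4304 1588 rundll32.exe e5816de.exe
PID 1588 wrote to memory of 2424 1588 rundll32.exe e58178a.exe
PID 2620 wrote to memory of 788 2620 e580d59.exe fontdrvhost.exe
"""

if __name__ == "__main__":
    writes, images = parse_writes(SAMPLE_WRITES)
    for src, name, count, targets in rank_writers(writes, images):
        print(f"{name} (pid {src}) wrote into {count} processes: {', '.join(targets)}")
```

The threshold of five is a triage heuristic, not a rule: a legitimate debugger or an installer that patches a running service will also exceed it, so the ranked list is a starting point for looking at what was written, not a verdict on its own.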
System policy modification (1 TTP, 2 IoCs)
Processes: e58178a.exe, e580d59.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (e58178a.exe, e580d59.exe)
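Taken together, the registry writes listed under the firewall, UAC and Security Center signatures are the defence-tampering set this Sality sample applies before it does anything else: the firewall off with exceptions allowed and notifications suppressed, EnableLUA set to 0, and every Security Center override and notification flag set to 1. The Python below is an added example, not from this report or the sandbox: it parses `Set value (int)` records in the report's own format, normalises the key path (\REGISTRY\MACHINE becomes HKLM, the ControlSet001 the sandbox resolved becomes CurrentControlSet, and the WOW6432Node redirection is dropped because a 32-bit process on 64-bit Windows reaches HKLM\SOFTWARE\Microsoft\Security Center through that view, which is what the sandbox recorded) and grades the resulting snapshot against those three rules. The sample records are copied from this report; the rule names, the snapshot layout and the verdict labels are the example's own.

```python
import re

# Registry locations written by e580d59.exe and e58178a.exe in this report, in the normalised
# form produced by normalise_key() below.
FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECCENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"

# Expected DWORD values, copied from the Signatures section of the report.
TAMPER_RULES = {
    "firewall_disabled": {
        (FIREWALL, "EnableFirewall"): 0,
        (FIREWALL, "DoNotAllowExceptions"): 0,
        (FIREWALL, "DisableNotifications"): 1,
    },
    "uac_disabled": {(POLICY, "EnableLUA"): 0},
    "security_center_silenced": {
        (SECCENTER, "AntiVirusOverride"): 1,
        (SECCENTER, "AntiVirusDisableNotify"): 1,
        (SECCENTER, "FirewallOverride"): 1,
        (SECCENTER, "FirewallDisableNotify"): 1,
        (SECCENTER, "UacDisableNotify"): 1,
        (SECCENTER, "UpdatesDisableNotify"): 1,
    },
}

# One record as the sandbox prints it: Set value (int) <key>\<name> = "<n>" <process>
_RECORD = re.compile(
    r'Set value \(int\) (?P<key>\\REGISTRY\\MACHINE\\.+?)\\(?P<name>\w+) = "(?P<val>-?\d+)" (?P<proc>\S+)'
)


def normalise_key(key: str) -> str:
    """Map a sandbox kernel-style key path onto the form the rules use."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.IGNORECASE)
    # The sandbox logs the control set CurrentControlSet resolved to at the time.
    key = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key, flags=re.IGNORECASE)
    # 32-bit writers land in the WOW6432Node view; compare it as the same location.
    return re.sub(r"\\WOW6432Node(?=\\)", "", key, flags=re.IGNORECASE)


def parse_report(text: str) -> dict:
    """Return {(key, name): (value, {writing processes})} for every Set value record in text."""
    snapshot: dict = {}
    for m in _RECORD.finditer(text):
        k = (normalise_key(m["key"]), m["name"])
        _, procs = snapshot.get(k, (None, set()))
        procs.add(m["proc"])
        snapshot[k] = (int(m["val"]), procs)
    return snapshot


def evaluate(snapshot: dict) -> dict:
    """Map each rule to the (value name, value) pairs in the snapshot that match its pattern."""
    hits = {}
    for rule, expected in TAMPER_RULES.items():
        matched = [(k[1], v) for k, v in expected.items() if k in snapshot and snapshot[k][0] == v]
        if matched:
            hits[rule] = matched
    return hits


def verdict(snapshot: dict) -> str:
    """'clean', 'partial_tamper' (some rules hit) or 'sality_tamper_pattern' (all three hit)."""
    hits = evaluate(snapshot)
    if not hits:
        return "clean"
    return "sality_tamper_pattern" if len(hits) == len(TAMPER_RULES) else "partial_tamper"


# Constructed input: a subset of the records from this report's Signatures section.
SAMPLE_REPORT = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e580d59.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e580d59.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e58178a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e580d59.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e58178a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e580d59.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e580d59.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e58178a.exe
"""

if __name__ == "__main__":
    snap = parse_report(SAMPLE_REPORT)
    print(verdict(snap))
    for rule, matched in evaluate(snap).items():
        print(f"  {rule}: {matched}")
```

On a live host the same snapshot can be assembled from `reg.exe export` output or the winreg module; read both the native and the WOW6432Node views of the Security Center key, and HKLM\SYSTEM\CurrentControlSet rather than a numbered control set, since the numbered set the sandbox saw is specific to its image.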
Processes
Entries are listed as path, then command line, with the tree depth in brackets and any signatures the process triggered nested beneath it.
- [1] C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- [1] C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- [1] C:\Windows\system32\dwm.exe
  cmdline: "dwm.exe"
- [1] C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
- [1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [1] C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - [2] C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab0ce3e49a6900b334bd9fc5a6f95b5c908cde5ca852a8f7115603bd6a490429_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab0ce3e49a6900b334bd9fc5a6f95b5c908cde5ca852a8f7115603bd6a490429_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\e580d59.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e580d59.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - [4] C:\Users\Admin\AppData\Local\Temp\e58143f.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e58143f.exe
        - Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Local\Temp\e5816de.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e5816de.exe
        - Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Local\Temp\e58178a.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e58178a.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
- [1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [1] C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- [1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- [1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- [1] C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x240,0x244,0x248,0x23c,0x2ac,0x7ffbe8ef2e98,0x7ffbe8ef2ea4,0x7ffbe8ef2eb0
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2232 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:2
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3256 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:3
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3348 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5240 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5308 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3496 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
Dropped files
- C:\Users\Admin\AppData\Local\Temp\e580d59.exe
  Filesize: 97KB
  MD5: 7d2fcd915628113d800723860116cdb9
  SHA1: 13b3a17cf161f9848f89f4a83c6afdc9e69a7ade
  SHA256: 991d0a472d7df4f427cec535f5e67458a6bd31d7d514626917a2888d59a6be24
  SHA512: a0a6861535e487663641db9e7b797aaf51bfb074cdfbb68b1c215e7b7db3adbd5c55bc68735c6edaac4e88917a1bcde6a187800e7711242d2761cf50d34ca31b
- C:\Windows\SYSTEM.INI
  Filesize: 256B
  MD5: c5543ca2498610abac877093ea8e92c0
  SHA1: d7bfd0333999205938d73cc3f9a265720a87dfbe
  SHA256: 14028642e6320835dd86198f0a32e4c0d43ac224e76b220b03d78175d7ced858
  SHA512: fa1ad651e23794faaa88e41e07dc7f6cb717ad50ad067073b7e5b32e5fd3b7adb9330133a74b96bed40630c3de6769e655c88a6ecd4180be7e855fac7af18088
Memory dumps
Each dump is named memory/<pid>-<index>-<start>-<end>-memory.dmp; dumps of the same region are grouped with their indices.
- pid 1588, index 0: 0x0000000010000000-0x0000000010020000, 128KB
- pid 1588, indices 22, 23, 30: 0x0000000000C00000-0x0000000000C02000, 8KB
- pid 1588, index 24: 0x0000000003D60000-0x0000000003D61000, 4KB
- pid 2424, indices 48, 148: 0x0000000000400000-0x0000000000412000, 72KB
- pid 2424, index 69: 0x00000000001F0000-0x00000000001F1000, 4KB
- pid 2424, indices 70, 73: 0x00000000001E0000-0x00000000001E2000, 8KB
- pid 2424, indices 117, 147: 0x0000000000BD0000-0x0000000001C8A000, 16.7MB
- pid 2620, indices 4, 109: 0x0000000000400000-0x0000000000412000, 72KB
- pid 2620, indices 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 40, 46, 49, 50, 51, 53, 54, 56, 57, 60, 74, 76, 79, 80, 82, 85, 87, 89, 91: 0x00000000007F0000-0x00000000018AA000, 16.7MB
- pid 2620, index 26: 0x0000000004370000-0x0000000004371000, 4KB
- pid 2620, indices 29, 31, 97: 0x0000000003660000-0x0000000003662000, 8KB
- pid 4108, index 63: 0x00000000001F0000-0x00000000001F1000, 4KB
- pid 4108, indices 66, 71: 0x00000000001E0000-0x00000000001E2000, 8KB
- pid 4108, index 125: 0x0000000000400000-0x0000000000412000, 72KB
- pid 4304, indices 38, 134: 0x0000000000400000-0x0000000000412000, 72KB
- pid 4304, index 65: 0x00000000001F0000-0x00000000001F1000, 4KB
- pid 4304, indices 67, 72: 0x00000000001E0000-0x00000000001E2000, 8KB