Analysis
- max time kernel: 130s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 14:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0_NeikiAnalytics.dll
- Resource: win7-20240419-en
General
- Target: ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0_NeikiAnalytics.dll
- Size: 120KB
- MD5: 179d5d4f5affdefb5ffad8382fa8b290
- SHA1: 4bd5d3fd78484c4da56b65361bbd62434d301787
- SHA256: ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0
- SHA512: 54db8879128f6785ce1d0a0e44b6bd04dc2d3210eed44e7468f5a9a6e77768ef8fde19403142dc5d4867c00b2367b339834887473bcaa071eca05749594f62ad
- SSDEEP: 1536:alDY15pYhNgS+iVZi3ntSxHfauJNKytvzcVIzjkj0THEFqMprvTn2:X5yhNgS+iV2MxHfauTTvzcuzQwkbDb
Malware Config
Extracted
- Family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e573894.exe, e573642.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573642.exe

UAC bypass
Processes: e573894.exe, e573642.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573642.exe

Windows security bypass
Processes: e573894.exe, e573642.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573894.exe

Executes dropped EXE (4 IoCs)
Processes: e573642.exe, e573894.exe, e5757b5.exe, e5757c5.exe
pid | process
732 | e573642.exe
2432 | e573894.exe
3372 | e5757b5.exe
4092 | e5757c5.exe
Windows security modification
Processes: e573642.exe, e573894.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573894.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573642.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573894.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573642.exe

Checks whether UAC is enabled
Processes: e573642.exe, e573894.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573894.exe

Enumerates connected drives (3 TTPs, 11 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573642.exe
description | ioc | process
File opened (read-only) | \??\E: | e573642.exe
File opened (read-only) | \??\G: | e573642.exe
File opened (read-only) | \??\I: | e573642.exe
File opened (read-only) | \??\L: | e573642.exe
File opened (read-only) | \??\M: | e573642.exe
File opened (read-only) | \??\O: | e573642.exe
File opened (read-only) | \??\H: | e573642.exe
File opened (read-only) | \??\J: | e573642.exe
File opened (read-only) | \??\K: | e573642.exe
File opened (read-only) | \??\N: | e573642.exe
File opened (read-only) | \??\P: | e573642.exe

Drops file in Program Files directory (4 IoCs)
Processes: e573642.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e573642.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e573642.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e573642.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e573642.exe

Drops file in Windows directory (3 IoCs)
Processes: e573894.exe, e573642.exe
description | ioc | process
File created | C:\Windows\e578712 | e573894.exe
File created | C:\Windows\e573691 | e573642.exe
File opened for modification | C:\Windows\SYSTEM.INI | e573642.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e573642.exe, e573894.exe
pid | process | count
732 | e573642.exe | 4
2432 | e573894.exe | 2

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e573642.exe
description | pid | process | count
Token: SeDebugPrivilege | 732 | e573642.exe | 64

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e573642.exe, e573894.exe
description | source pid | target pid | source process | target process | count
wrote to memory of | 388 | 5068 | rundll32.exe | rundll32.exe | 3
wrote to memory of | 5068 | 732 | rundll32.exe | e573642.exe | 3
wrote to memory of | 732 | 804 | e573642.exe | fontdrvhost.exe | 2
wrote to memory of | 732 | 812 | e573642.exe | fontdrvhost.exe | 2
wrote to memory of | 732 | 396 | e573642.exe | dwm.exe | 2
wrote to memory of | 732 | 2684 | e573642.exe | sihost.exe | 2
wrote to memory of | 732 | 2712 | e573642.exe | svchost.exe | 2
wrote to memory of | 732 | 2844 | e573642.exe | taskhostw.exe | 2
wrote to memory of | 732 | 3572 | e573642.exe | Explorer.EXE | 2
wrote to memory of | 732 | 3724 | e573642.exe | svchost.exe | 2
wrote to memory of | 732 | 3904 | e573642.exe | DllHost.exe | 2
wrote to memory of | 732 | 4004 | e573642.exe | StartMenuExperienceHost.exe | 2
wrote to memory of | 732 | 4068 | e573642.exe | RuntimeBroker.exe | 2
wrote to memory of | 732 | 676 | e573642.exe | SearchApp.exe | 2
wrote to memory of | 732 | 4232 | e573642.exe | RuntimeBroker.exe | 2
wrote to memory of | 732 | 1492 | e573642.exe | TextInputHost.exe | 2
wrote to memory of | 732 | 3788 | e573642.exe | RuntimeBroker.exe | 2
wrote to memory of | 732 | 1560 | e573642.exe | backgroundTaskHost.exe | 2
wrote to memory of | 732 | 4756 | e573642.exe | backgroundTaskHost.exe | 2
wrote to memory of | 732 | 388 | e573642.exe | rundll32.exe | 1
wrote to memory of | 732 | 5068 | e573642.exe | rundll32.exe | 2
wrote to memory of | 5068 | 2432 | rundll32.exe | e573894.exe | 3
wrote to memory of | 5068 | 3372 | rundll32.exe | e5757b5.exe | 3
wrote to memory of | 5068 | 4092 | rundll32.exe | e5757c5.exe | 3
wrote to memory of | 732 | 2432 | e573642.exe | e573894.exe | 2
wrote to memory of | 732 | 2984 | e573642.exe | RuntimeBroker.exe | 1
wrote to memory of | 732 | 3488 | e573642.exe | RuntimeBroker.exe | 1
wrote to memory of | 732 | 3372 | e573642.exe | e5757b5.exe | 2
wrote to memory of | 732 | 4092 | e573642.exe | e5757c5.exe | 2
wrote to memory of | 2432 | 804 | e573894.exe | fontdrvhost.exe | 1
wrote to memory of | 2432 | 812 | e573894.exe | fontdrvhost.exe | 1
wrote to memory of | 2432 | 396 | e573894.exe | dwm.exe | 1
wrote to memory of | 2432 | 2684 | e573894.exe | sihost.exe | 1

System policy modification (1 TTPs, 2 IoCs)
Processes: e573642.exe, e573894.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573642.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573894.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0_NeikiAnalytics.dll,#1
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae7978c00e28886c82186caf38cc76736d9057da7460e5028447fbf1bb88fed0_NeikiAnalytics.dll,#1
      Signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e573642.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e573642.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e573894.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e573894.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5757b5.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e5757b5.exe
        Signatures:
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5757c5.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e5757c5.exe
        Signatures:
        - Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Defense Evasion
- Modify Registry: 5
- Impair Defenses: 4
  - Disable or Modify Tools: 3
  - Disable or Modify System Firewall: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\e573642.exe
  Filesize: 97KB
  MD5: ba74bb0a05086497e54ebe9cd11ceab7
  SHA1: 279cdbd430df62cd1935a8a570e3f4cf3247ac72
  SHA256: b9bdee6845d729f002727a6fdd432284a6fc48ceb8dda87fa02f36aff3f67c62
  SHA512: f028f798f39d9afed231635eedf52f94fde0ab57435fa4679b32d5012521f5ce2cf780dc9ad80e8cc82795e551177dc52137f5f9fcc16746deed9a8f97ae6b93
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 6ee54fcddbf4c476fa7e18ef07ea31e0
  SHA1: 167aeefd3090198be36a933800404ae42254d7bd
  SHA256: a211253cae04040a3ca4dafa143707072b9a1f760c9c6784eb2c0245c18e31d7
  SHA512: 4af3b003487659d73c1c15673c7ea1e0b3762f291cd2f6f51a516687e2159c92f76a3fce092c1c0c6377c22d14e79d2df844450b54fd43b933eb8926ad971b83