sality | b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll
Size

120KB
MD5

4f6a318372a7efc3a8011ba01e62ce50
SHA1

b30a09f9a9a57ada1c293b54b54dd8ba14945749
SHA256

b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d
SHA512

403403bd4c328cf932fd81efaaa5e3d8c3eeeaa267a2928475c031a8d2c8b182e4dd343ef5e1fa8deca25a81eb0a07d2bd768d002b2abf303bf9a3d1d53b6c8a
SSDEEP

3072:jos6XK3rgarAE3DJZ8vKZqSB/77XZkun2g:jolK7gNE3DMvK1XZ/2g

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e574e10.exee5769c6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5769c6.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574e10.exee5769c6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5769c6.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574e10.exee5769c6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5769c6.exe

Executes dropped EXE 4 IoCs

Processes:

e574e10.exee574f29.exee5769a7.exee5769c6.exe

pid process

2396 e574e10.exe
1636 e574f29.exe
1844 e5769a7.exe
4536 e5769c6.exe

pid	process
2396	e574e10.exe
1636	e574f29.exe
1844	e5769a7.exe
4536	e5769c6.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2396-9-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-10-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-13-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-31-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-26-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-34-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-18-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-28-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-8-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-6-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-36-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-37-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-38-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-39-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-40-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-42-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-43-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-57-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-59-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-60-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-72-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-77-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-80-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-82-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-84-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-87-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-89-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-91-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-93-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/2396-108-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/4536-135-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx
behavioral2/memory/4536-140-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5769c6.exee574e10.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574e10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574e10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5769c6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5769c6.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e574e10.exee5769c6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5769c6.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e574e10.exe

description	ioc	process
File opened (read-only)	\??\I:	e574e10.exe
File opened (read-only)	\??\J:	e574e10.exe
File opened (read-only)	\??\R:	e574e10.exe
File opened (read-only)	\??\E:	e574e10.exe
File opened (read-only)	\??\L:	e574e10.exe
File opened (read-only)	\??\Q:	e574e10.exe
File opened (read-only)	\??\P:	e574e10.exe
File opened (read-only)	\??\S:	e574e10.exe
File opened (read-only)	\??\G:	e574e10.exe
File opened (read-only)	\??\H:	e574e10.exe
File opened (read-only)	\??\K:	e574e10.exe
File opened (read-only)	\??\M:	e574e10.exe
File opened (read-only)	\??\N:	e574e10.exe
File opened (read-only)	\??\O:	e574e10.exe

Drops file in Program Files directory 4 IoCs

Processes:

e574e10.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e574e10.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e574e10.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e574e10.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e574e10.exe

Drops file in Windows directory 3 IoCs

Processes:

e5769c6.exee574e10.exe

description ioc process

File created C:\Windows\e57b844 e5769c6.exe
File created C:\Windows\e574e4f e574e10.exe
File opened for modification C:\Windows\SYSTEM.INI e574e10.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e574e10.exe

pid process

2396 e574e10.exe
2396 e574e10.exe
2396 e574e10.exe
2396 e574e10.exe

description	ioc	process
File created	C:\Windows\e57b844	e5769c6.exe
File created	C:\Windows\e574e4f	e574e10.exe
File opened for modification	C:\Windows\SYSTEM.INI	e574e10.exe

pid	process
2396	e574e10.exe
2396	e574e10.exe
2396	e574e10.exe
2396	e574e10.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e574e10.exe

description	pid	process
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe
Token: SeDebugPrivilege	2396	e574e10.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

rundll32.exerundll32.exee574e10.exe

description	pid	process	target process
PID 4608 wrote to memory of 4816	4608	rundll32.exe	rundll32.exe
PID 4608 wrote to memory of 4816	4608	rundll32.exe	rundll32.exe
PID 4608 wrote to memory of 4816	4608	rundll32.exe	rundll32.exe
PID 4816 wrote to memory of 2396	4816	rundll32.exe	e574e10.exe
PID 4816 wrote to memory of 2396	4816	rundll32.exe	e574e10.exe
PID 4816 wrote to memory of 2396	4816	rundll32.exe	e574e10.exe
PID 2396 wrote to memory of 792	2396	e574e10.exe	fontdrvhost.exe
PID 2396 wrote to memory of 796	2396	e574e10.exe	fontdrvhost.exe
PID 2396 wrote to memory of 316	2396	e574e10.exe	dwm.exe
PID 2396 wrote to memory of 2564	2396	e574e10.exe	sihost.exe
PID 2396 wrote to memory of 2584	2396	e574e10.exe	svchost.exe
PID 2396 wrote to memory of 2744	2396	e574e10.exe	taskhostw.exe
PID 2396 wrote to memory of 3508	2396	e574e10.exe	Explorer.EXE
PID 2396 wrote to memory of 3644	2396	e574e10.exe	svchost.exe
PID 2396 wrote to memory of 3836	2396	e574e10.exe	DllHost.exe
PID 2396 wrote to memory of 3928	2396	e574e10.exe	StartMenuExperienceHost.exe
PID 2396 wrote to memory of 3996	2396	e574e10.exe	RuntimeBroker.exe
PID 2396 wrote to memory of 4076	2396	e574e10.exe	SearchApp.exe
PID 2396 wrote to memory of 3368	2396	e574e10.exe	RuntimeBroker.exe
PID 2396 wrote to memory of 64	2396	e574e10.exe	RuntimeBroker.exe
PID 2396 wrote to memory of 4116	2396	e574e10.exe	TextInputHost.exe
PID 2396 wrote to memory of 4608	2396	e574e10.exe	rundll32.exe
PID 2396 wrote to memory of 4816	2396	e574e10.exe	rundll32.exe
PID 2396 wrote to memory of 4816	2396	e574e10.exe	rundll32.exe
PID 4816 wrote to memory of 1636	4816	rundll32.exe	e574f29.exe
PID 4816 wrote to memory of 1636	4816	rundll32.exe	e574f29.exe
PID 4816 wrote to memory of 1636	4816	rundll32.exe	e574f29.exe
PID 4816 wrote to memory of 1844	4816	rundll32.exe	e5769a7.exe
PID 4816 wrote to memory of 1844	4816	rundll32.exe	e5769a7.exe
PID 4816 wrote to memory of 1844	4816	rundll32.exe	e5769a7.exe
PID 4816 wrote to memory of 4536	4816	rundll32.exe	e5769c6.exe
PID 4816 wrote to memory of 4536	4816	rundll32.exe	e5769c6.exe
PID 4816 wrote to memory of 4536	4816	rundll32.exe	e5769c6.exe
PID 2396 wrote to memory of 792	2396	e574e10.exe	fontdrvhost.exe
PID 2396 wrote to memory of 796	2396	e574e10.exe	fontdrvhost.exe
PID 2396 wrote to memory of 316	2396	e574e10.exe	dwm.exe
PID 2396 wrote to memory of 2564	2396	e574e10.exe	sihost.exe
PID 2396 wrote to memory of 2584	2396	e574e10.exe	svchost.exe
PID 2396 wrote to memory of 2744	2396	e574e10.exe	taskhostw.exe
PID 2396 wrote to memory of 3508	2396	e574e10.exe	Explorer.EXE
PID 2396 wrote to memory of 3644	2396	e574e10.exe	svchost.exe
PID 2396 wrote to memory of 3836	2396	e574e10.exe	DllHost.exe
PID 2396 wrote to memory of 3928	2396	e574e10.exe	StartMenuExperienceHost.exe
PID 2396 wrote to memory of 3996	2396	e574e10.exe	RuntimeBroker.exe
PID 2396 wrote to memory of 4076	2396	e574e10.exe	SearchApp.exe
PID 2396 wrote to memory of 3368	2396	e574e10.exe	RuntimeBroker.exe
PID 2396 wrote to memory of 64	2396	e574e10.exe	RuntimeBroker.exe
PID 2396 wrote to memory of 4116	2396	e574e10.exe	TextInputHost.exe
PID 2396 wrote to memory of 1636	2396	e574e10.exe	e574f29.exe
PID 2396 wrote to memory of 1636	2396	e574e10.exe	e574f29.exe
PID 2396 wrote to memory of 1844	2396	e574e10.exe	e5769a7.exe
PID 2396 wrote to memory of 1844	2396	e574e10.exe	e5769a7.exe
PID 2396 wrote to memory of 4536	2396	e574e10.exe	e5769c6.exe
PID 2396 wrote to memory of 4536	2396	e574e10.exe	e5769c6.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e574e10.exee5769c6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574e10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5769c6.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2584

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2744

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\e574e10.exe
C:\Users\Admin\AppData\Local\Temp\e574e10.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2396

C:\Users\Admin\AppData\Local\Temp\e574f29.exe
C:\Users\Admin\AppData\Local\Temp\e574f29.exe
4⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\e5769a7.exe
C:\Users\Admin\AppData\Local\Temp\e5769a7.exe
4⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:64

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e574e10.exe
Filesize
97KB

MD5
f75dfaabcd6b714373ee7450d4cdf6ce

SHA1
09fd501fd05df80c6f58d178ffff84e76691f370

SHA256
4c6b9dd8d5e8a96ea20f9e924b357cb2c9f0bea9ae6246d7b90b4c6ade43ee69

SHA512
5844dfbbb405cf1a3c03146432d954b5585d24dcf940f16e85938ee957ae63de5bd6eb81ad92ac86ecfcae51862404b12d58ac0c79b411462893ec5126de484c

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
2ea646a2a0cc3eab72f4aee1d94f283f

SHA1
3044ed797c49ee63eaaf08e8ddd79d4c8aee0baf

SHA256
e52ff3240bf4888e7f1dbf3fea6fe7033d1b72226e69c45711f0e17d9ab078b1

SHA512
3fd0cf1ff6c4da0f33afec84d1fc4f26a35791d3090acd00c867bae2083cae05ffd7e74b9fc35701dd670685217998231cc75bfcae19002181fa21377e4b76e5

Download Submit
memory/1636-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1636-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1636-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1636-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1636-63-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1844-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1844-121-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1844-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1844-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1844-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2396-82-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-84-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-28-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2396-9-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-23-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/2396-108-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-8-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-6-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-36-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-37-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-38-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-39-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-40-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-42-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-43-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-113-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2396-18-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-57-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-59-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-60-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-32-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/2396-93-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-91-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-34-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-72-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-26-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-31-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-89-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-87-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-13-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-77-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-80-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-10-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/2396-27-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/2396-86-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/4536-67-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4536-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4536-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4536-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4536-135-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/4536-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4536-140-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/4816-35-0x00000000011B0000-0x00000000011B2000-memory.dmp

Filesize
8KB

Download
memory/4816-19-0x00000000011B0000-0x00000000011B2000-memory.dmp

Filesize
8KB

Download
memory/4816-20-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/4816-22-0x00000000011B0000-0x00000000011B2000-memory.dmp

Filesize
8KB

Download
memory/4816-3-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download