Analysis
- max time kernel: 94s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 17:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll
- Resource: win7-20240508-en
General
- Target: b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll
- Size: 120KB
- MD5: 4f6a318372a7efc3a8011ba01e62ce50
- SHA1: b30a09f9a9a57ada1c293b54b54dd8ba14945749
- SHA256: b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d
- SHA512: 403403bd4c328cf932fd81efaaa5e3d8c3eeeaa267a2928475c031a8d2c8b182e4dd343ef5e1fa8deca25a81eb0a07d2bd768d002b2abf303bf9a3d1d53b6c8a
- SSDEEP: 3072:jos6XK3rgarAE3DJZ8vKZqSB/77XZkun2g:jolK7gNE3DMvK1XZ/2g
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e574e10.exe, e5769c6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5769c6.exe
UAC bypass (heading lost in extraction; name recovered from the process-tree signature list)
Processes: e574e10.exe, e5769c6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5769c6.exe
Windows security bypass (heading lost in extraction; name recovered from the process-tree signature list)
Processes: e574e10.exe, e5769c6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5769c6.exe
Executes dropped EXE 4 IoCs
Processes: e574e10.exe, e574f29.exe, e5769a7.exe, e5769c6.exe
pid | process
2396 | e574e10.exe
1636 | e574f29.exe
1844 | e5769a7.exe
4536 | e5769c6.exe
Memory YARA match: upx (heading lost in extraction; rule name taken from the entries below)
resource | yara_rule
behavioral2/memory/2396-N-0x00000000007B0000-0x000000000186A000-memory.dmp, one entry for each N in 6, 8, 9, 10, 13, 18, 26, 28, 31, 34, 36, 37, 38, 39, 40, 42, 43, 57, 59, 60, 72, 77, 80, 82, 84, 87, 89, 91, 93, 108 | upx
behavioral2/memory/4536-N-0x0000000000B30000-0x0000000001BEA000-memory.dmp, one entry for each N in 135, 140 | upx
Windows security modification (heading lost in extraction; name recovered from the process-tree signature list)
Processes: e5769c6.exe, e574e10.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574e10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574e10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5769c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5769c6.exe
Checks whether UAC is enabled (heading lost in extraction; name recovered from the process-tree signature list)
Processes: e574e10.exe, e5769c6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5769c6.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e574e10.exe
description | ioc | process
File opened (read-only) | \??\I: | e574e10.exe
File opened (read-only) | \??\J: | e574e10.exe
File opened (read-only) | \??\R: | e574e10.exe
File opened (read-only) | \??\E: | e574e10.exe
File opened (read-only) | \??\L: | e574e10.exe
File opened (read-only) | \??\Q: | e574e10.exe
File opened (read-only) | \??\P: | e574e10.exe
File opened (read-only) | \??\S: | e574e10.exe
File opened (read-only) | \??\G: | e574e10.exe
File opened (read-only) | \??\H: | e574e10.exe
File opened (read-only) | \??\K: | e574e10.exe
File opened (read-only) | \??\M: | e574e10.exe
File opened (read-only) | \??\N: | e574e10.exe
File opened (read-only) | \??\O: | e574e10.exe
Drops file in Program Files directory 4 IoCs
Processes: e574e10.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e574e10.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e574e10.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e574e10.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e574e10.exe
Drops file in Windows directory 3 IoCs
Processes: e5769c6.exe, e574e10.exe
description | ioc | process
File created | C:\Windows\e57b844 | e5769c6.exe
File created | C:\Windows\e574e4f | e574e10.exe
File opened for modification | C:\Windows\SYSTEM.INI | e574e10.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e574e10.exe
pid | process
2396 | e574e10.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e574e10.exe
description | pid | process
Token: SeDebugPrivilege | 2396 | e574e10.exe (64 identical entries)
Suspicious use of WriteProcessMemory 54 IoCs
Processes: rundll32.exe, rundll32.exe, e574e10.exe
description | pid | process | target process (consecutive identical entries collapsed, count in brackets)
PID 4608 wrote to memory of 4816 | 4608 | rundll32.exe | rundll32.exe [x3]
PID 4816 wrote to memory of 2396 | 4816 | rundll32.exe | e574e10.exe [x3]
PID 2396 wrote to memory of 792 | 2396 | e574e10.exe | fontdrvhost.exe
PID 2396 wrote to memory of 796 | 2396 | e574e10.exe | fontdrvhost.exe
PID 2396 wrote to memory of 316 | 2396 | e574e10.exe | dwm.exe
PID 2396 wrote to memory of 2564 | 2396 | e574e10.exe | sihost.exe
PID 2396 wrote to memory of 2584 | 2396 | e574e10.exe | svchost.exe
PID 2396 wrote to memory of 2744 | 2396 | e574e10.exe | taskhostw.exe
PID 2396 wrote to memory of 3508 | 2396 | e574e10.exe | Explorer.EXE
PID 2396 wrote to memory of 3644 | 2396 | e574e10.exe | svchost.exe
PID 2396 wrote to memory of 3836 | 2396 | e574e10.exe | DllHost.exe
PID 2396 wrote to memory of 3928 | 2396 | e574e10.exe | StartMenuExperienceHost.exe
PID 2396 wrote to memory of 3996 | 2396 | e574e10.exe | RuntimeBroker.exe
PID 2396 wrote to memory of 4076 | 2396 | e574e10.exe | SearchApp.exe
PID 2396 wrote to memory of 3368 | 2396 | e574e10.exe | RuntimeBroker.exe
PID 2396 wrote to memory of 64 | 2396 | e574e10.exe | RuntimeBroker.exe
PID 2396 wrote to memory of 4116 | 2396 | e574e10.exe | TextInputHost.exe
PID 2396 wrote to memory of 4608 | 2396 | e574e10.exe | rundll32.exe
PID 2396 wrote to memory of 4816 | 2396 | e574e10.exe | rundll32.exe [x2]
PID 4816 wrote to memory of 1636 | 4816 | rundll32.exe | e574f29.exe [x3]
PID 4816 wrote to memory of 1844 | 4816 | rundll32.exe | e5769a7.exe [x3]
PID 4816 wrote to memory of 4536 | 4816 | rundll32.exe | e5769c6.exe [x3]
PID 2396 wrote to memory of 792 | 2396 | e574e10.exe | fontdrvhost.exe
PID 2396 wrote to memory of 796 | 2396 | e574e10.exe | fontdrvhost.exe
PID 2396 wrote to memory of 316 | 2396 | e574e10.exe | dwm.exe
PID 2396 wrote to memory of 2564 | 2396 | e574e10.exe | sihost.exe
PID 2396 wrote to memory of 2584 | 2396 | e574e10.exe | svchost.exe
PID 2396 wrote to memory of 2744 | 2396 | e574e10.exe | taskhostw.exe
PID 2396 wrote to memory of 3508 | 2396 | e574e10.exe | Explorer.EXE
PID 2396 wrote to memory of 3644 | 2396 | e574e10.exe | svchost.exe
PID 2396 wrote to memory of 3836 | 2396 | e574e10.exe | DllHost.exe
PID 2396 wrote to memory of 3928 | 2396 | e574e10.exe | StartMenuExperienceHost.exe
PID 2396 wrote to memory of 3996 | 2396 | e574e10.exe | RuntimeBroker.exe
PID 2396 wrote to memory of 4076 | 2396 | e574e10.exe | SearchApp.exe
PID 2396 wrote to memory of 3368 | 2396 | e574e10.exe | RuntimeBroker.exe
PID 2396 wrote to memory of 64 | 2396 | e574e10.exe | RuntimeBroker.exe
PID 2396 wrote to memory of 4116 | 2396 | e574e10.exe | TextInputHost.exe
PID 2396 wrote to memory of 1636 | 2396 | e574e10.exe | e574f29.exe [x2]
PID 2396 wrote to memory of 1844 | 2396 | e574e10.exe | e5769a7.exe [x2]
PID 2396 wrote to memory of 4536 | 2396 | e574e10.exe | e5769c6.exe [x2]
System policy modification 1 TTPs 2 IoCs
Processes: e574e10.exe, e5769c6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574e10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5769c6.exe
Processes
(each entry gives the image path and tree depth, then the command line, then any signatures attached to that process; indentation follows depth)
- C:\Windows\system32\fontdrvhost.exe (depth 1)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (depth 1)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (depth 1)
  command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (depth 1)
  command line: sihost.exe
- C:\Windows\system32\svchost.exe (depth 1)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (depth 1)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll,#1
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d926d8e5b6e791cd82c36978fa23687f62b29cc6a0675600c7d2dfae8f965d_NeikiAnalytics.dll,#1
      signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e574e10.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\e574e10.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e574f29.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\e574f29.exe
        signatures:
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5769a7.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\e5769a7.exe
        signatures:
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5769c6.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\e5769c6.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification
- C:\Windows\system32\svchost.exe (depth 1)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (depth 1)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (depth 1)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (depth 1)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
MITRE ATT&CK Matrix ATT&CK v13
(technique name followed by the number of matching signatures in brackets)
Privilege Escalation
- Create or Modify System Process [1]
  - Windows Service [1]
- Abuse Elevation Control Mechanism [1]
  - Bypass User Account Control [1]
Defense Evasion
- Modify Registry [5]
- Impair Defenses [4]
  - Disable or Modify Tools [3]
  - Disable or Modify System Firewall [1]
- Abuse Elevation Control Mechanism [1]
  - Bypass User Account Control [1]
Downloads
- C:\Users\Admin\AppData\Local\Temp\e574e10.exe
  Filesize: 97KB
  MD5: f75dfaabcd6b714373ee7450d4cdf6ce
  SHA1: 09fd501fd05df80c6f58d178ffff84e76691f370
  SHA256: 4c6b9dd8d5e8a96ea20f9e924b357cb2c9f0bea9ae6246d7b90b4c6ade43ee69
  SHA512: 5844dfbbb405cf1a3c03146432d954b5585d24dcf940f16e85938ee957ae63de5bd6eb81ad92ac86ecfcae51862404b12d58ac0c79b411462893ec5126de484c
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 2ea646a2a0cc3eab72f4aee1d94f283f
  SHA1: 3044ed797c49ee63eaaf08e8ddd79d4c8aee0baf
  SHA256: e52ff3240bf4888e7f1dbf3fea6fe7033d1b72226e69c45711f0e17d9ab078b1
  SHA512: 3fd0cf1ff6c4da0f33afec84d1fc4f26a35791d3090acd00c867bae2083cae05ffd7e74b9fc35701dd670685217998231cc75bfcae19002181fa21377e4b76e5
- memory/1636-117-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/1636-68-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
- memory/1636-33-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/1636-70-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
- memory/1636-63-0x00000000004F0000-0x00000000004F1000-memory.dmp | Filesize: 4KB
- memory/1844-49-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/1844-121-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/1844-65-0x00000000001F0000-0x00000000001F1000-memory.dmp | Filesize: 4KB
- memory/1844-69-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
- memory/1844-73-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
- memory/2396-82-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-84-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-28-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-4-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/2396-9-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-23-0x0000000003FB0000-0x0000000003FB1000-memory.dmp | Filesize: 4KB
- memory/2396-108-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-8-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-6-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-36-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-37-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-38-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-39-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-40-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-42-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-43-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-113-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/2396-18-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-57-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-59-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-60-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-32-0x00000000037A0000-0x00000000037A2000-memory.dmp | Filesize: 8KB
- memory/2396-93-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-91-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-34-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-72-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-26-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-31-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-89-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-87-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-13-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-77-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-80-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-10-0x00000000007B0000-0x000000000186A000-memory.dmp | Filesize: 16.7MB
- memory/2396-27-0x00000000037A0000-0x00000000037A2000-memory.dmp | Filesize: 8KB
- memory/2396-86-0x00000000037A0000-0x00000000037A2000-memory.dmp | Filesize: 8KB
- memory/4536-67-0x00000000001F0000-0x00000000001F1000-memory.dmp | Filesize: 4KB
- memory/4536-74-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
- memory/4536-71-0x00000000001E0000-0x00000000001E2000-memory.dmp | Filesize: 8KB
- memory/4536-56-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/4536-135-0x0000000000B30000-0x0000000001BEA000-memory.dmp | Filesize: 16.7MB
- memory/4536-141-0x0000000000400000-0x0000000000412000-memory.dmp | Filesize: 72KB
- memory/4536-140-0x0000000000B30000-0x0000000001BEA000-memory.dmp | Filesize: 16.7MB
- memory/4816-35-0x00000000011B0000-0x00000000011B2000-memory.dmp | Filesize: 8KB
- memory/4816-19-0x00000000011B0000-0x00000000011B2000-memory.dmp | Filesize: 8KB
- memory/4816-20-0x0000000004710000-0x0000000004711000-memory.dmp | Filesize: 4KB
- memory/4816-22-0x00000000011B0000-0x00000000011B2000-memory.dmp | Filesize: 8KB
- memory/4816-3-0x0000000010000000-0x0000000010020000-memory.dmp | Filesize: 128KB