sality | 23734d7a5922bf74e912246b7515f09a23997b37c2ad88e2024514abd38c98c6

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23734d7a5922bf74e912246b7515f09a23997b37c2ad88e2024514abd38c98c6_NeikiAnalytics.dll
Size

120KB
MD5

aae61b49c5987663d776ade89f89f4a0
SHA1

06818c92b72fd06d719571d27a9fd4c49fe2c70f
SHA256

23734d7a5922bf74e912246b7515f09a23997b37c2ad88e2024514abd38c98c6
SHA512

d720eaa9a4c80b96f785e0e10b0b7192de639d97a5db4181b8266e2e4f45a83db396ff510dfe65a0f9ea9e9ffbbf0d67766655568e16312ccfc0b89146dec5dd
SSDEEP

1536:+kpH0vSJcPK0XpwszisLFloFQvp4dmTvkvWFYB/m/JTDuzlaVz0HIEWMsyz:FpUvSmpwQLFloCvOmTZFIlegoEK

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e576292.exee5746bd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e576292.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5746bd.exee576292.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e576292.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5746bd.exee576292.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e576292.exe

Executes dropped EXE 3 IoCs

Processes:

e5746bd.exee574892.exee576292.exe

pid process

3632 e5746bd.exe
380 e574892.exe
2028 e576292.exe

pid	process
3632	e5746bd.exe
380	e574892.exe
2028	e576292.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3632-6-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-13-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-9-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-11-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-10-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-19-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-14-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-35-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-32-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-8-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-36-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-37-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-38-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-39-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-41-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-40-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-43-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-44-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-53-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-55-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-56-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-67-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-68-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-71-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-73-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-75-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-77-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-85-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-84-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-86-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-88-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/3632-92-0x00000000007A0000-0x000000000185A000-memory.dmp	upx
behavioral2/memory/2028-123-0x0000000000B80000-0x0000000001C3A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5746bd.exee576292.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5746bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e576292.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e576292.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e576292.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e5746bd.exee576292.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e576292.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5746bd.exe

description	ioc	process
File opened (read-only)	\??\H:	e5746bd.exe
File opened (read-only)	\??\L:	e5746bd.exe
File opened (read-only)	\??\O:	e5746bd.exe
File opened (read-only)	\??\Q:	e5746bd.exe
File opened (read-only)	\??\R:	e5746bd.exe
File opened (read-only)	\??\G:	e5746bd.exe
File opened (read-only)	\??\K:	e5746bd.exe
File opened (read-only)	\??\M:	e5746bd.exe
File opened (read-only)	\??\P:	e5746bd.exe
File opened (read-only)	\??\S:	e5746bd.exe
File opened (read-only)	\??\E:	e5746bd.exe
File opened (read-only)	\??\I:	e5746bd.exe
File opened (read-only)	\??\J:	e5746bd.exe
File opened (read-only)	\??\N:	e5746bd.exe

Drops file in Program Files directory 4 IoCs

Processes:

e5746bd.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e5746bd.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e5746bd.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e5746bd.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e5746bd.exe

Drops file in Windows directory 3 IoCs

Processes:

e5746bd.exee576292.exe

description ioc process

File created C:\Windows\e57474a e5746bd.exe
File opened for modification C:\Windows\SYSTEM.INI e5746bd.exe
File created C:\Windows\e57b110 e576292.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e5746bd.exe

pid process

3632 e5746bd.exe
3632 e5746bd.exe
3632 e5746bd.exe
3632 e5746bd.exe

description	ioc	process
File created	C:\Windows\e57474a	e5746bd.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5746bd.exe
File created	C:\Windows\e57b110	e576292.exe

pid	process
3632	e5746bd.exe
3632	e5746bd.exe
3632	e5746bd.exe
3632	e5746bd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5746bd.exe

description	pid	process
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe
Token: SeDebugPrivilege	3632	e5746bd.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exerundll32.exee5746bd.exe

description	pid	process	target process
PID 4828 wrote to memory of 1464	4828	rundll32.exe	rundll32.exe
PID 4828 wrote to memory of 1464	4828	rundll32.exe	rundll32.exe
PID 4828 wrote to memory of 1464	4828	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 3632	1464	rundll32.exe	e5746bd.exe
PID 1464 wrote to memory of 3632	1464	rundll32.exe	e5746bd.exe
PID 1464 wrote to memory of 3632	1464	rundll32.exe	e5746bd.exe
PID 3632 wrote to memory of 780	3632	e5746bd.exe	fontdrvhost.exe
PID 3632 wrote to memory of 784	3632	e5746bd.exe	fontdrvhost.exe
PID 3632 wrote to memory of 316	3632	e5746bd.exe	dwm.exe
PID 3632 wrote to memory of 2808	3632	e5746bd.exe	sihost.exe
PID 3632 wrote to memory of 2892	3632	e5746bd.exe	svchost.exe
PID 3632 wrote to memory of 2996	3632	e5746bd.exe	taskhostw.exe
PID 3632 wrote to memory of 3464	3632	e5746bd.exe	Explorer.EXE
PID 3632 wrote to memory of 3584	3632	e5746bd.exe	svchost.exe
PID 3632 wrote to memory of 3776	3632	e5746bd.exe	DllHost.exe
PID 3632 wrote to memory of 3868	3632	e5746bd.exe	StartMenuExperienceHost.exe
PID 3632 wrote to memory of 3936	3632	e5746bd.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 4060	3632	e5746bd.exe	SearchApp.exe
PID 3632 wrote to memory of 4172	3632	e5746bd.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 4728	3632	e5746bd.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 2436	3632	e5746bd.exe	TextInputHost.exe
PID 3632 wrote to memory of 4828	3632	e5746bd.exe	rundll32.exe
PID 3632 wrote to memory of 1464	3632	e5746bd.exe	rundll32.exe
PID 3632 wrote to memory of 1464	3632	e5746bd.exe	rundll32.exe
PID 1464 wrote to memory of 380	1464	rundll32.exe	e574892.exe
PID 1464 wrote to memory of 380	1464	rundll32.exe	e574892.exe
PID 1464 wrote to memory of 380	1464	rundll32.exe	e574892.exe
PID 1464 wrote to memory of 2028	1464	rundll32.exe	e576292.exe
PID 1464 wrote to memory of 2028	1464	rundll32.exe	e576292.exe
PID 1464 wrote to memory of 2028	1464	rundll32.exe	e576292.exe
PID 3632 wrote to memory of 780	3632	e5746bd.exe	fontdrvhost.exe
PID 3632 wrote to memory of 784	3632	e5746bd.exe	fontdrvhost.exe
PID 3632 wrote to memory of 316	3632	e5746bd.exe	dwm.exe
PID 3632 wrote to memory of 2808	3632	e5746bd.exe	sihost.exe
PID 3632 wrote to memory of 2892	3632	e5746bd.exe	svchost.exe
PID 3632 wrote to memory of 2996	3632	e5746bd.exe	taskhostw.exe
PID 3632 wrote to memory of 3464	3632	e5746bd.exe	Explorer.EXE
PID 3632 wrote to memory of 3584	3632	e5746bd.exe	svchost.exe
PID 3632 wrote to memory of 3776	3632	e5746bd.exe	DllHost.exe
PID 3632 wrote to memory of 3868	3632	e5746bd.exe	StartMenuExperienceHost.exe
PID 3632 wrote to memory of 3936	3632	e5746bd.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 4060	3632	e5746bd.exe	SearchApp.exe
PID 3632 wrote to memory of 4172	3632	e5746bd.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 4728	3632	e5746bd.exe	RuntimeBroker.exe
PID 3632 wrote to memory of 2436	3632	e5746bd.exe	TextInputHost.exe
PID 3632 wrote to memory of 380	3632	e5746bd.exe	e574892.exe
PID 3632 wrote to memory of 380	3632	e5746bd.exe	e574892.exe
PID 3632 wrote to memory of 2028	3632	e5746bd.exe	e576292.exe
PID 3632 wrote to memory of 2028	3632	e5746bd.exe	e576292.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e5746bd.exee576292.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5746bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e576292.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2892

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2996

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23734d7a5922bf74e912246b7515f09a23997b37c2ad88e2024514abd38c98c6_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23734d7a5922bf74e912246b7515f09a23997b37c2ad88e2024514abd38c98c6_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\e5746bd.exe
C:\Users\Admin\AppData\Local\Temp\e5746bd.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3632

C:\Users\Admin\AppData\Local\Temp\e574892.exe
C:\Users\Admin\AppData\Local\Temp\e574892.exe
4⤵
- Executes dropped EXE
PID:380

C:\Users\Admin\AppData\Local\Temp\e576292.exe
C:\Users\Admin\AppData\Local\Temp\e576292.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4172

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4728

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2436

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5746bd.exe
Filesize
97KB

MD5
032bcefa3c10fcbde64a0f6dd8a86009

SHA1
c03fc6e34eaaaff97f3135036d6fcf0c55ae8d83

SHA256
e44b83ee1afe225ae08b9349ad5571f685c3f9ea3561f2396933b0931bd0442c

SHA512
28acb88a5b66883dda129c35946c7c8e4c2e87ff83fd99917380f83c2454461cdd0ee2d99213d37dfb7d5669d42f18aec10653695f3f4a62e4a77b9b247f4f80

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
d30b63067e8541048787fcbf2ef0e808

SHA1
afae58478fa9bbbda17931e2b24b25f57a6a5d56

SHA256
7bf170b3113d282fe3de9b79d79072d5f976589107ce7f16cbb46a0d238e95ec

SHA512
ff0797aac81c4da6cc2e25c0a420d168869beb84a54b00df5513d93c2933ef78dc975ef4c762ac15e370ab72b2bb5e145297c7a61e994202c568c7e013d50949

Download Submit
memory/380-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/380-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/380-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/380-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/380-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1464-26-0x0000000004910000-0x0000000004912000-memory.dmp

Filesize
8KB

Download
memory/1464-20-0x0000000004910000-0x0000000004912000-memory.dmp

Filesize
8KB

Download
memory/1464-21-0x0000000004910000-0x0000000004912000-memory.dmp

Filesize
8KB

Download
memory/1464-28-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1464-51-0x0000000004910000-0x0000000004912000-memory.dmp

Filesize
8KB

Download
memory/1464-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2028-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2028-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2028-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2028-123-0x0000000000B80000-0x0000000001C3A000-memory.dmp

Filesize
16.7MB

Download
memory/2028-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3632-43-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-10-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-36-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-37-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-38-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-39-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-41-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-40-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-29-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

Filesize
8KB

Download
memory/3632-44-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-24-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/3632-32-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-53-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-55-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-56-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-35-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-14-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-19-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-33-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

Filesize
8KB

Download
memory/3632-8-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-11-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-67-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-68-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-71-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-73-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-75-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-77-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-85-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-84-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-86-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-88-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-97-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

Filesize
8KB

Download
memory/3632-108-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3632-9-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-92-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-13-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-6-0x00000000007A0000-0x000000000185A000-memory.dmp

Filesize
16.7MB

Download
memory/3632-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads