Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 00:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a_NeikiAnalytics.dll
- Resource: win7-20240221-en
General
- Target: 149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a_NeikiAnalytics.dll
- Size: 120KB
- MD5: f6271d785de51ecf9e7c2ba2a7049570
- SHA1: 5923d99c5bbe8cc8fad90040c293f5c42a7d6f86
- SHA256: 149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a
- SHA512: ad618fd1022db1b36d55312b7f0ea30493d6eb90466206d895eee900d2db97cfb61e7871cb7e8b9e6401c47a950afea2a990234a4c9e29e51792d6c6eca45ebe
- SSDEEP: 1536:uEYMSa6w2EoS4cInytmNVfZt3seXIq2YHxPeqta6yB1D0vdgN40g34WWTCCQte6H:RYMSL3ZSj4ysbX3sUeMa6y7D003TTRi
Malware Config
Extracted
- Family: sality
- C2 URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e575498.exe, e57567c.exe
All values are set under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\:
- Set value (int): DisableNotifications = "1" (e575498.exe)
- Set value (int): EnableFirewall = "0" (e57567c.exe)
- Set value (int): DoNotAllowExceptions = "0" (e57567c.exe)
- Set value (int): DisableNotifications = "1" (e57567c.exe)
- Set value (int): EnableFirewall = "0" (e575498.exe)
- Set value (int): DoNotAllowExceptions = "0" (e575498.exe)
UAC bypass
Processes: e575498.exe, e57567c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e575498.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57567c.exe)
Windows security bypass
Processes: e575498.exe, e57567c.exe
All values are set under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
- Set value (int): AntiVirusOverride = "1" (e575498.exe)
- Set value (int): FirewallDisableNotify = "1" (e575498.exe)
- Set value (int): FirewallOverride = "1" (e575498.exe)
- Set value (int): UpdatesDisableNotify = "1" (e575498.exe)
- Set value (int): UacDisableNotify = "1" (e575498.exe)
- Set value (int): FirewallDisableNotify = "1" (e57567c.exe)
- Set value (int): UacDisableNotify = "1" (e57567c.exe)
- Set value (int): AntiVirusDisableNotify = "1" (e575498.exe)
- Set value (int): AntiVirusOverride = "1" (e57567c.exe)
- Set value (int): AntiVirusDisableNotify = "1" (e57567c.exe)
- Set value (int): FirewallOverride = "1" (e57567c.exe)
- Set value (int): UpdatesDisableNotify = "1" (e57567c.exe)
Executes dropped EXE (4 IoCs)
Processes: e575498.exe, e57567c.exe, e577fa0.exe, e577fcf.exe
- PID 1008: e575498.exe
- PID 4732: e57567c.exe
- PID 1376: e577fa0.exe
- PID 3028: e577fcf.exe
UPX packed file
Processes: e575498.exe, e57567c.exe
Yara rule upx matched 29 memory dumps from behavioral2: the region 0x0000000000840000-0x00000000018FA000 of e575498.exe (PID 1008, 25 dumps) and the region 0x0000000000B60000-0x0000000001C1A000 of e57567c.exe (PID 4732, 4 dumps).
Windows security modification
Processes: e57567c.exe, e575498.exe
All keys and values are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
- Set value (int): UacDisableNotify = "1" (e57567c.exe)
- Set value (int): AntiVirusDisableNotify = "1" (e575498.exe)
- Set value (int): FirewallDisableNotify = "1" (e575498.exe)
- Set value (int): AntiVirusOverride = "1" (e57567c.exe)
- Set value (int): AntiVirusOverride = "1" (e575498.exe)
- Set value (int): UpdatesDisableNotify = "1" (e57567c.exe)
- Set value (int): UpdatesDisableNotify = "1" (e575498.exe)
- Set value (int): FirewallDisableNotify = "1" (e57567c.exe)
- Key created: Svc (e57567c.exe)
- Set value (int): AntiVirusDisableNotify = "1" (e57567c.exe)
- Set value (int): FirewallOverride = "1" (e57567c.exe)
- Set value (int): FirewallOverride = "1" (e575498.exe)
- Set value (int): UacDisableNotify = "1" (e575498.exe)
- Key created: Svc (e575498.exe)
Checks whether UAC is enabled
Processes: e575498.exe, e57567c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e575498.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57567c.exe)
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e575498.exe
- File opened (read-only): \??\E: (e575498.exe)
- File opened (read-only): \??\G: (e575498.exe)
- File opened (read-only): \??\H: (e575498.exe)
- File opened (read-only): \??\J: (e575498.exe)
- File opened (read-only): \??\N: (e575498.exe)
- File opened (read-only): \??\I: (e575498.exe)
- File opened (read-only): \??\K: (e575498.exe)
- File opened (read-only): \??\L: (e575498.exe)
- File opened (read-only): \??\M: (e575498.exe)
Drops file in Program Files directory (3 IoCs)
Processes: e575498.exe
- File opened for modification: C:\Program Files\7-Zip\7z.exe (e575498.exe)
- File opened for modification: C:\Program Files\7-Zip\7zFM.exe (e575498.exe)
- File opened for modification: C:\Program Files\7-Zip\7zG.exe (e575498.exe)
Drops file in Windows directory (3 IoCs)
Processes: e57567c.exe, e575498.exe
- File created: C:\Windows\e57a5a6 (e57567c.exe)
- File created: C:\Windows\e5754d7 (e575498.exe)
- File opened for modification: C:\Windows\SYSTEM.INI (e575498.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e575498.exe, e57567c.exe
- PID 1008: e575498.exe (4 occurrences)
- PID 4732: e57567c.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e575498.exe
- Token: SeDebugPrivilege, PID 1008, e575498.exe (64 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e575498.exe, e57567c.exe
- PID 264 (rundll32.exe) wrote to memory of PID 232 (rundll32.exe), 3 times
- PID 232 (rundll32.exe) wrote to memory of PID 1008 (e575498.exe), 3 times
- PID 1008 (e575498.exe) wrote to memory of PID 792 (fontdrvhost.exe), 800 (fontdrvhost.exe), 336 (dwm.exe), 3048 (sihost.exe), 508 (svchost.exe), 772 (taskhostw.exe), 3392 (Explorer.EXE), 3516 (svchost.exe), 3724 (DllHost.exe), 3848 (StartMenuExperienceHost.exe), 3940 (RuntimeBroker.exe), 4020 (SearchApp.exe), 3916 (RuntimeBroker.exe), 2156 (RuntimeBroker.exe), 2136 (TextInputHost.exe), 372 (backgroundTaskHost.exe), 2616 (backgroundTaskHost.exe) and 264 (rundll32.exe), twice each
- PID 1008 (e575498.exe) wrote to memory of PID 232 (rundll32.exe), twice
- PID 232 (rundll32.exe) wrote to memory of PID 4732 (e57567c.exe), 3 times
- PID 1008 (e575498.exe) wrote to memory of PID 4732 (e57567c.exe), twice
- PID 1008 (e575498.exe) wrote to memory of PID 3024 (RuntimeBroker.exe) and 1796 (RuntimeBroker.exe)
- PID 232 (rundll32.exe) wrote to memory of PID 1376 (e577fa0.exe), 3 times
- PID 232 (rundll32.exe) wrote to memory of PID 3028 (e577fcf.exe), 3 times
- PID 4732 (e57567c.exe) wrote to memory of PID 792 (fontdrvhost.exe), 800 (fontdrvhost.exe), 336 (dwm.exe), 3048 (sihost.exe), 508 (svchost.exe), 772 (taskhostw.exe) and 3392 (Explorer.EXE)
System policy modification (1 TTPs, 2 IoCs)
Processes: e57567c.exe, e575498.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57567c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e575498.exe)
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Children:
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a_NeikiAnalytics.dll,#1
      Signatures:
        - Suspicious use of WriteProcessMemory
      Children:
        - C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a_NeikiAnalytics.dll,#1
          Signatures:
            - Suspicious use of WriteProcessMemory
          Children:
            - C:\Users\Admin\AppData\Local\Temp\e575498.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\e575498.exe
              Signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            - C:\Users\Admin\AppData\Local\Temp\e57567c.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\e57567c.exe
              Signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
            - C:\Users\Admin\AppData\Local\Temp\e577fa0.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\e577fa0.exe
              Signatures:
                - Executes dropped EXE
            - C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
              Signatures:
                - Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e575498.exe
  Filesize: 97KB
  MD5: 1c2d5bb6263bb48cc7aff395f9257982
  SHA1: 916ee7cd7e9519bf22187f574ba5c80764193565
  SHA256: efaa42ae4d5d46b18c889d5c2e0f4091eccdc0917c93d27c15f39bb07e03d916
  SHA512: fc2962790d69fa9c35201999cc682720df2ce653cc0dedf2e11e196813d6ecff8d5162ba2bd690c11d6c901cb335f17446fe86ee014fe1d582bd3576eee0475a
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 4ef1517a840fffcc9d590a08bd95eac2
  SHA1: c918f1263575fce72661cf1769ccffecad1f572d
  SHA256: f7a01e983178f715f7fa185c2f82ea1efa6f406770ec8b43a2cd5aef5af8777e
  SHA512: 83558e9aa4827f67205fcd473a720100d3e76f865d7df2bc2b3bcd1043d7ed3a05cdbb0b545139058cfbcb0ae2eb56e29e7426558ce063075b4d8b4967372c79