sality | 149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a_NeikiAnalytics.dll
Size

120KB
MD5

f6271d785de51ecf9e7c2ba2a7049570
SHA1

5923d99c5bbe8cc8fad90040c293f5c42a7d6f86
SHA256

149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a
SHA512

ad618fd1022db1b36d55312b7f0ea30493d6eb90466206d895eee900d2db97cfb61e7871cb7e8b9e6401c47a950afea2a990234a4c9e29e51792d6c6eca45ebe
SSDEEP

1536:uEYMSa6w2EoS4cInytmNVfZt3seXIq2YHxPeqta6yB1D0vdgN40g34WWTCCQte6H:RYMSL3ZSj4ysbX3sUeMa6y7D003TTRi

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e575498.exee57567c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e575498.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575498.exee57567c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57567c.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575498.exee57567c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57567c.exe

Executes dropped EXE 4 IoCs

Processes:

e575498.exee57567c.exee577fa0.exee577fcf.exe

pid process

1008 e575498.exe
4732 e57567c.exe
1376 e577fa0.exe
3028 e577fcf.exe

pid	process
1008	e575498.exe
4732	e57567c.exe
1376	e577fa0.exe
3028	e577fcf.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1008-6-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-9-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-13-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-19-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-31-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-20-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-21-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-12-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-11-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-8-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-35-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-36-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-37-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-38-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-39-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-45-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-58-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-59-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-60-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-62-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-64-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-66-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-70-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-71-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/1008-75-0x0000000000840000-0x00000000018FA000-memory.dmp	upx
behavioral2/memory/4732-97-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx
behavioral2/memory/4732-98-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx
behavioral2/memory/4732-103-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx
behavioral2/memory/4732-127-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57567c.exee575498.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57567c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e575498.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e575498.exee57567c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57567c.exe

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e575498.exe

description	ioc	process
File opened (read-only)	\??\E:	e575498.exe
File opened (read-only)	\??\G:	e575498.exe
File opened (read-only)	\??\H:	e575498.exe
File opened (read-only)	\??\J:	e575498.exe
File opened (read-only)	\??\N:	e575498.exe
File opened (read-only)	\??\I:	e575498.exe
File opened (read-only)	\??\K:	e575498.exe
File opened (read-only)	\??\L:	e575498.exe
File opened (read-only)	\??\M:	e575498.exe

Drops file in Program Files directory 3 IoCs

Processes:

e575498.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e575498.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e575498.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e575498.exe

Drops file in Windows directory 3 IoCs

Processes:

e57567c.exee575498.exe

description ioc process

File created C:\Windows\e57a5a6 e57567c.exe
File created C:\Windows\e5754d7 e575498.exe
File opened for modification C:\Windows\SYSTEM.INI e575498.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e575498.exee57567c.exe

pid process

1008 e575498.exe
1008 e575498.exe
1008 e575498.exe
1008 e575498.exe
4732 e57567c.exe
4732 e57567c.exe

description	ioc	process
File created	C:\Windows\e57a5a6	e57567c.exe
File created	C:\Windows\e5754d7	e575498.exe
File opened for modification	C:\Windows\SYSTEM.INI	e575498.exe

pid	process
1008	e575498.exe
1008	e575498.exe
1008	e575498.exe
1008	e575498.exe
4732	e57567c.exe
4732	e57567c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e575498.exe

description	pid	process
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe
Token: SeDebugPrivilege	1008	e575498.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee575498.exee57567c.exe

description	pid	process	target process
PID 264 wrote to memory of 232	264	rundll32.exe	rundll32.exe
PID 264 wrote to memory of 232	264	rundll32.exe	rundll32.exe
PID 264 wrote to memory of 232	264	rundll32.exe	rundll32.exe
PID 232 wrote to memory of 1008	232	rundll32.exe	e575498.exe
PID 232 wrote to memory of 1008	232	rundll32.exe	e575498.exe
PID 232 wrote to memory of 1008	232	rundll32.exe	e575498.exe
PID 1008 wrote to memory of 792	1008	e575498.exe	fontdrvhost.exe
PID 1008 wrote to memory of 800	1008	e575498.exe	fontdrvhost.exe
PID 1008 wrote to memory of 336	1008	e575498.exe	dwm.exe
PID 1008 wrote to memory of 3048	1008	e575498.exe	sihost.exe
PID 1008 wrote to memory of 508	1008	e575498.exe	svchost.exe
PID 1008 wrote to memory of 772	1008	e575498.exe	taskhostw.exe
PID 1008 wrote to memory of 3392	1008	e575498.exe	Explorer.EXE
PID 1008 wrote to memory of 3516	1008	e575498.exe	svchost.exe
PID 1008 wrote to memory of 3724	1008	e575498.exe	DllHost.exe
PID 1008 wrote to memory of 3848	1008	e575498.exe	StartMenuExperienceHost.exe
PID 1008 wrote to memory of 3940	1008	e575498.exe	RuntimeBroker.exe
PID 1008 wrote to memory of 4020	1008	e575498.exe	SearchApp.exe
PID 1008 wrote to memory of 3916	1008	e575498.exe	RuntimeBroker.exe
PID 1008 wrote to memory of 2156	1008	e575498.exe	RuntimeBroker.exe
PID 1008 wrote to memory of 2136	1008	e575498.exe	TextInputHost.exe
PID 1008 wrote to memory of 372	1008	e575498.exe	backgroundTaskHost.exe
PID 1008 wrote to memory of 2616	1008	e575498.exe	backgroundTaskHost.exe
PID 1008 wrote to memory of 264	1008	e575498.exe	rundll32.exe
PID 1008 wrote to memory of 232	1008	e575498.exe	rundll32.exe
PID 1008 wrote to memory of 232	1008	e575498.exe	rundll32.exe
PID 232 wrote to memory of 4732	232	rundll32.exe	e57567c.exe
PID 232 wrote to memory of 4732	232	rundll32.exe	e57567c.exe
PID 232 wrote to memory of 4732	232	rundll32.exe	e57567c.exe
PID 1008 wrote to memory of 792	1008	e575498.exe	fontdrvhost.exe
PID 1008 wrote to memory of 800	1008	e575498.exe	fontdrvhost.exe
PID 1008 wrote to memory of 336	1008	e575498.exe	dwm.exe
PID 1008 wrote to memory of 3048	1008	e575498.exe	sihost.exe
PID 1008 wrote to memory of 508	1008	e575498.exe	svchost.exe
PID 1008 wrote to memory of 772	1008	e575498.exe	taskhostw.exe
PID 1008 wrote to memory of 3392	1008	e575498.exe	Explorer.EXE
PID 1008 wrote to memory of 3516	1008	e575498.exe	svchost.exe
PID 1008 wrote to memory of 3724	1008	e575498.exe	DllHost.exe
PID 1008 wrote to memory of 3848	1008	e575498.exe	StartMenuExperienceHost.exe
PID 1008 wrote to memory of 3940	1008	e575498.exe	RuntimeBroker.exe
PID 1008 wrote to memory of 4020	1008	e575498.exe	SearchApp.exe
PID 1008 wrote to memory of 3916	1008	e575498.exe	RuntimeBroker.exe
PID 1008 wrote to memory of 2156	1008	e575498.exe	RuntimeBroker.exe
PID 1008 wrote to memory of 2136	1008	e575498.exe	TextInputHost.exe
PID 1008 wrote to memory of 372	1008	e575498.exe	backgroundTaskHost.exe
PID 1008 wrote to memory of 2616	1008	e575498.exe	backgroundTaskHost.exe
PID 1008 wrote to memory of 264	1008	e575498.exe	rundll32.exe
PID 1008 wrote to memory of 4732	1008	e575498.exe	e57567c.exe
PID 1008 wrote to memory of 4732	1008	e575498.exe	e57567c.exe
PID 1008 wrote to memory of 3024	1008	e575498.exe	RuntimeBroker.exe
PID 1008 wrote to memory of 1796	1008	e575498.exe	RuntimeBroker.exe
PID 232 wrote to memory of 1376	232	rundll32.exe	e577fa0.exe
PID 232 wrote to memory of 1376	232	rundll32.exe	e577fa0.exe
PID 232 wrote to memory of 1376	232	rundll32.exe	e577fa0.exe
PID 232 wrote to memory of 3028	232	rundll32.exe	e577fcf.exe
PID 232 wrote to memory of 3028	232	rundll32.exe	e577fcf.exe
PID 232 wrote to memory of 3028	232	rundll32.exe	e577fcf.exe
PID 4732 wrote to memory of 792	4732	e57567c.exe	fontdrvhost.exe
PID 4732 wrote to memory of 800	4732	e57567c.exe	fontdrvhost.exe
PID 4732 wrote to memory of 336	4732	e57567c.exe	dwm.exe
PID 4732 wrote to memory of 3048	4732	e57567c.exe	sihost.exe
PID 4732 wrote to memory of 508	4732	e57567c.exe	svchost.exe
PID 4732 wrote to memory of 772	4732	e57567c.exe	taskhostw.exe
PID 4732 wrote to memory of 3392	4732	e57567c.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e57567c.exee575498.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57567c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575498.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:508

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:264

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\149164d48875cd87458d8b77d6921296263f8e2d0b8c2c8e64baf7dc2a03a38a_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Users\Admin\AppData\Local\Temp\e575498.exe
C:\Users\Admin\AppData\Local\Temp\e575498.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1008

C:\Users\Admin\AppData\Local\Temp\e57567c.exe
C:\Users\Admin\AppData\Local\Temp\e57567c.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4732

C:\Users\Admin\AppData\Local\Temp\e577fa0.exe
C:\Users\Admin\AppData\Local\Temp\e577fa0.exe
4⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
C:\Users\Admin\AppData\Local\Temp\e577fcf.exe
4⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3916

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2156

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2136

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:372

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e575498.exe
Filesize
97KB

MD5
1c2d5bb6263bb48cc7aff395f9257982

SHA1
916ee7cd7e9519bf22187f574ba5c80764193565

SHA256
efaa42ae4d5d46b18c889d5c2e0f4091eccdc0917c93d27c15f39bb07e03d916

SHA512
fc2962790d69fa9c35201999cc682720df2ce653cc0dedf2e11e196813d6ecff8d5162ba2bd690c11d6c901cb335f17446fe86ee014fe1d582bd3576eee0475a

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
4ef1517a840fffcc9d590a08bd95eac2

SHA1
c918f1263575fce72661cf1769ccffecad1f572d

SHA256
f7a01e983178f715f7fa185c2f82ea1efa6f406770ec8b43a2cd5aef5af8777e

SHA512
83558e9aa4827f67205fcd473a720100d3e76f865d7df2bc2b3bcd1043d7ed3a05cdbb0b545139058cfbcb0ae2eb56e29e7426558ce063075b4d8b4967372c79

Download Submit
memory/232-30-0x00000000047C0000-0x00000000047C2000-memory.dmp

Filesize
8KB

Download
memory/232-55-0x00000000047C0000-0x00000000047C2000-memory.dmp

Filesize
8KB

Download
memory/232-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/232-22-0x00000000047C0000-0x00000000047C2000-memory.dmp

Filesize
8KB

Download
memory/232-23-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/232-28-0x00000000047C0000-0x00000000047C2000-memory.dmp

Filesize
8KB

Download
memory/1008-39-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-6-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-31-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-29-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/1008-32-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/1008-25-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/1008-19-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-13-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-21-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-12-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-11-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-8-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-35-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-36-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-37-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-38-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-9-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1008-75-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-91-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1008-45-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-20-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-79-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/1008-58-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-59-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-60-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-62-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-64-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-66-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-70-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1008-71-0x0000000000840000-0x00000000018FA000-memory.dmp

Filesize
16.7MB

Download
memory/1376-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1376-132-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3028-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4732-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4732-43-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4732-42-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4732-97-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download
memory/4732-98-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download
memory/4732-103-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download
memory/4732-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4732-127-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download