Analysis
max time kernel: 28s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 04:04
Static task: static1
Behavioral task: behavioral1
Sample: 3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36_NeikiAnalytics.dll
Resource: win7-20240221-en
General
Target: 3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36_NeikiAnalytics.dll
Size: 120KB
MD5: 17d65cf494ee651df6559d61dc465f90
SHA1: 60f0aa8c26fb59bd4f3eef8d6ddce9c6ca978a97
SHA256: 3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36
SHA512: 994ff7d5b491bc566ee047a56fd5b343dc4b757c97b9d96ae10158893a193094a0de86541aa53ab1c51879cd5072b3b7c192c4c9d52b8036557d885281ab3f9c
SSDEEP: 1536:ucDHCT5NjJ8n2+IZmaFOsm2f1cBQruE/nOKfJgqOfMuom0PD9qLK8t7SIh1k:uDT5dm2+BiSQfnOKfLuopxip
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e573cda.exe, e575d04.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575d04.exe
UAC bypass (signature name taken from the process tree below)
Processes: e573cda.exe, e575d04.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575d04.exe
Windows security bypass (signature name taken from the process tree below)
Processes: e573cda.exe, e575d04.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575d04.exe
Executes dropped EXE (3 IoCs)
Processes: e573cda.exe, e573e51.exe, e575d04.exe
pid | process
3428 | e573cda.exe
1208 | e573e51.exe
3304 | e575d04.exe
UPX packed file
resource | yara_rule
behavioral2/memory/3428-8-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-12-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-23-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-32-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-34-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-33-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-35-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-10-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-9-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-11-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-6-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-36-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-37-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-38-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-39-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-40-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-42-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-51-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-53-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-62-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-64-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-65-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-67-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-70-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-72-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-74-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3428-78-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3304-115-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
behavioral2/memory/3304-143-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
Windows security modification (signature name taken from the process tree below)
Processes: e575d04.exe, e573cda.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573cda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575d04.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575d04.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573cda.exe
Checks whether UAC is enabled (signature name taken from the process tree below)
Processes: e573cda.exe, e575d04.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575d04.exe
Enumerates connected drives (3 TTPs, 11 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573cda.exe, e575d04.exe
description | ioc | process
File opened (read-only) | \??\E: | e573cda.exe
File opened (read-only) | \??\H: | e573cda.exe
File opened (read-only) | \??\I: | e573cda.exe
File opened (read-only) | \??\J: | e573cda.exe
File opened (read-only) | \??\K: | e573cda.exe
File opened (read-only) | \??\L: | e573cda.exe
File opened (read-only) | \??\M: | e573cda.exe
File opened (read-only) | \??\O: | e573cda.exe
File opened (read-only) | \??\E: | e575d04.exe
File opened (read-only) | \??\G: | e573cda.exe
File opened (read-only) | \??\N: | e573cda.exe
Drops file in Program Files directory (3 IoCs)
Processes: e573cda.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e573cda.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e573cda.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e573cda.exe
Drops file in Windows directory (3 IoCs)
Processes: e573cda.exe, e575d04.exe
description | ioc | process
File created | C:\Windows\e573d76 | e573cda.exe
File opened for modification | C:\Windows\SYSTEM.INI | e573cda.exe
File created | C:\Windows\e57927c | e575d04.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e573cda.exe, e575d04.exe
pid | process
3428 | e573cda.exe
3428 | e573cda.exe
3428 | e573cda.exe
3428 | e573cda.exe
3304 | e575d04.exe
3304 | e575d04.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e573cda.exe
description | pid | process
Token: SeDebugPrivilege | 3428 | e573cda.exe
(this row is repeated 64 times in the report; all 64 entries are identical)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e573cda.exe, e575d04.exe
description | pid | process | target process
PID 692 wrote to memory of 2888 | 692 | rundll32.exe | rundll32.exe
PID 692 wrote to memory of 2888 | 692 | rundll32.exe | rundll32.exe
PID 692 wrote to memory of 2888 | 692 | rundll32.exe | rundll32.exe
PID 2888 wrote to memory of 3428 | 2888 | rundll32.exe | e573cda.exe
PID 2888 wrote to memory of 3428 | 2888 | rundll32.exe | e573cda.exe
PID 2888 wrote to memory of 3428 | 2888 | rundll32.exe | e573cda.exe
PID 3428 wrote to memory of 788 | 3428 | e573cda.exe | fontdrvhost.exe
PID 3428 wrote to memory of 796 | 3428 | e573cda.exe | fontdrvhost.exe
PID 3428 wrote to memory of 384 | 3428 | e573cda.exe | dwm.exe
PID 3428 wrote to memory of 2624 | 3428 | e573cda.exe | sihost.exe
PID 3428 wrote to memory of 2736 | 3428 | e573cda.exe | svchost.exe
PID 3428 wrote to memory of 2980 | 3428 | e573cda.exe | taskhostw.exe
PID 3428 wrote to memory of 3404 | 3428 | e573cda.exe | Explorer.EXE
PID 3428 wrote to memory of 3564 | 3428 | e573cda.exe | svchost.exe
PID 3428 wrote to memory of 3748 | 3428 | e573cda.exe | DllHost.exe
PID 3428 wrote to memory of 3836 | 3428 | e573cda.exe | StartMenuExperienceHost.exe
PID 3428 wrote to memory of 3900 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 4020 | 3428 | e573cda.exe | SearchApp.exe
PID 3428 wrote to memory of 4100 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 4460 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 1088 | 3428 | e573cda.exe | TextInputHost.exe
PID 3428 wrote to memory of 224 | 3428 | e573cda.exe | backgroundTaskHost.exe
PID 3428 wrote to memory of 3172 | 3428 | e573cda.exe | backgroundTaskHost.exe
PID 3428 wrote to memory of 692 | 3428 | e573cda.exe | rundll32.exe
PID 3428 wrote to memory of 2888 | 3428 | e573cda.exe | rundll32.exe
PID 3428 wrote to memory of 2888 | 3428 | e573cda.exe | rundll32.exe
PID 2888 wrote to memory of 1208 | 2888 | rundll32.exe | e573e51.exe
PID 2888 wrote to memory of 1208 | 2888 | rundll32.exe | e573e51.exe
PID 2888 wrote to memory of 1208 | 2888 | rundll32.exe | e573e51.exe
PID 2888 wrote to memory of 3304 | 2888 | rundll32.exe | e575d04.exe
PID 2888 wrote to memory of 3304 | 2888 | rundll32.exe | e575d04.exe
PID 2888 wrote to memory of 3304 | 2888 | rundll32.exe | e575d04.exe
PID 3428 wrote to memory of 788 | 3428 | e573cda.exe | fontdrvhost.exe
PID 3428 wrote to memory of 796 | 3428 | e573cda.exe | fontdrvhost.exe
PID 3428 wrote to memory of 384 | 3428 | e573cda.exe | dwm.exe
PID 3428 wrote to memory of 2624 | 3428 | e573cda.exe | sihost.exe
PID 3428 wrote to memory of 2736 | 3428 | e573cda.exe | svchost.exe
PID 3428 wrote to memory of 2980 | 3428 | e573cda.exe | taskhostw.exe
PID 3428 wrote to memory of 3404 | 3428 | e573cda.exe | Explorer.EXE
PID 3428 wrote to memory of 3564 | 3428 | e573cda.exe | svchost.exe
PID 3428 wrote to memory of 3748 | 3428 | e573cda.exe | DllHost.exe
PID 3428 wrote to memory of 3836 | 3428 | e573cda.exe | StartMenuExperienceHost.exe
PID 3428 wrote to memory of 3900 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 4020 | 3428 | e573cda.exe | SearchApp.exe
PID 3428 wrote to memory of 4100 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 4460 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 1088 | 3428 | e573cda.exe | TextInputHost.exe
PID 3428 wrote to memory of 224 | 3428 | e573cda.exe | backgroundTaskHost.exe
PID 3428 wrote to memory of 3172 | 3428 | e573cda.exe | backgroundTaskHost.exe
PID 3428 wrote to memory of 1208 | 3428 | e573cda.exe | e573e51.exe
PID 3428 wrote to memory of 1208 | 3428 | e573cda.exe | e573e51.exe
PID 3428 wrote to memory of 5084 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 2804 | 3428 | e573cda.exe | RuntimeBroker.exe
PID 3428 wrote to memory of 3304 | 3428 | e573cda.exe | e575d04.exe
PID 3428 wrote to memory of 3304 | 3428 | e573cda.exe | e575d04.exe
PID 3428 wrote to memory of 2512 | 3428 | e573cda.exe | BackgroundTransferHost.exe
PID 3304 wrote to memory of 788 | 3304 | e575d04.exe | fontdrvhost.exe
PID 3304 wrote to memory of 796 | 3304 | e575d04.exe | fontdrvhost.exe
PID 3304 wrote to memory of 384 | 3304 | e575d04.exe | dwm.exe
PID 3304 wrote to memory of 2624 | 3304 | e575d04.exe | sihost.exe
PID 3304 wrote to memory of 2736 | 3304 | e575d04.exe | svchost.exe
PID 3304 wrote to memory of 2980 | 3304 | e575d04.exe | taskhostw.exe
PID 3304 wrote to memory of 3404 | 3304 | e575d04.exe | Explorer.EXE
PID 3304 wrote to memory of 3564 | 3304 | e575d04.exe | svchost.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e573cda.exe, e575d04.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573cda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575d04.exe
Processes (indentation shows the depth in the process tree; "cmd:" is the recorded command line)

- C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  cmd: "dwm.exe"
- C:\Windows\system32\sihost.exe
  cmd: sihost.exe
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e573cda.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e573cda.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e573e51.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e573e51.exe
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e575d04.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e575d04.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\BackgroundTransferHost.exe
  cmd: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)

Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads

- C:\Users\Admin\AppData\Local\Temp\e573cda.exe
  Filesize: 97KB
  MD5: 1f127bbea6ec705936ff24626ceacc64
  SHA1: d5f5a8e97022603922312c6af92b5b457d35f0a7
  SHA256: ff2f6540319fd85632bbee770a9e25ba0ad7ed266ab44bdb6041c536fd06f198
  SHA512: 0c48a8c4589d6c230685bf09bc378f5caf56c8d1893267714f8527011ca0ef01ddc8f0127d6b4e8243025da537670027e889abc926c76a88369340c7ebaf7b05
- C:\Windows\SYSTEM.INI
  Filesize: 256B
  MD5: 54ae09ca39be4dcc30ac17689b737618
  SHA1: ef2380e499d5e23b482c15aa2b5c45a79b549f32
  SHA256: be5dac8b813031446070e38691486608c05bd5f59348c8dd063db112e0656ea5
  SHA512: 3896c1c1ed2208c89d9254b2e220b111bbee503fea500f90211926e32fc367bf927aa549c89deae0160b2d61ed18d20f76867276741243cb32fe7ea0c306870c
- memory/1208-30-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1208-58-0x00000000001E0000-0x00000000001E2000-memory.dmp (Filesize: 8KB)
- memory/1208-55-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)
- memory/1208-60-0x00000000001E0000-0x00000000001E2000-memory.dmp (Filesize: 8KB)
- memory/1208-98-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2888-14-0x0000000000DA0000-0x0000000000DA1000-memory.dmp (Filesize: 4KB)
- memory/2888-18-0x0000000000D90000-0x0000000000D92000-memory.dmp (Filesize: 8KB)
- memory/2888-15-0x0000000000D90000-0x0000000000D92000-memory.dmp (Filesize: 8KB)
- memory/2888-1-0x0000000010000000-0x0000000010020000-memory.dmp (Filesize: 128KB)
- memory/2888-13-0x0000000000D90000-0x0000000000D92000-memory.dmp (Filesize: 8KB)
- memory/3304-115-0x0000000000B60000-0x0000000001C1A000-memory.dmp (Filesize: 16.7MB)
- memory/3304-142-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/3304-143-0x0000000000B60000-0x0000000001C1A000-memory.dmp (Filesize: 16.7MB)
- memory/3304-61-0x00000000001E0000-0x00000000001E2000-memory.dmp (Filesize: 8KB)
- memory/3304-57-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)
- memory/3304-59-0x00000000001E0000-0x00000000001E2000-memory.dmp (Filesize: 8KB)
- memory/3304-50-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/3428-40-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-53-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-6-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-36-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-37-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-38-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-39-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-20-0x0000000001A00000-0x0000000001A01000-memory.dmp (Filesize: 4KB)
- memory/3428-42-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-9-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-51-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-10-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-35-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-33-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-34-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-32-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-26-0x00000000019F0000-0x00000000019F2000-memory.dmp (Filesize: 8KB)
- memory/3428-11-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-62-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-64-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-65-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-67-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-70-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-72-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-74-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-94-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/3428-78-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-86-0x00000000019F0000-0x00000000019F2000-memory.dmp (Filesize: 8KB)
- memory/3428-23-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-31-0x00000000019F0000-0x00000000019F2000-memory.dmp (Filesize: 8KB)
- memory/3428-12-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-8-0x00000000007B0000-0x000000000186A000-memory.dmp (Filesize: 16.7MB)
- memory/3428-5-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)