sality | 3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36

Analysis

max time kernel
28s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36_NeikiAnalytics.dll
Size

120KB
MD5

17d65cf494ee651df6559d61dc465f90
SHA1

60f0aa8c26fb59bd4f3eef8d6ddce9c6ca978a97
SHA256

3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36
SHA512

994ff7d5b491bc566ee047a56fd5b343dc4b757c97b9d96ae10158893a193094a0de86541aa53ab1c51879cd5072b3b7c192c4c9d52b8036557d885281ab3f9c
SSDEEP

1536:ucDHCT5NjJ8n2+IZmaFOsm2f1cBQruE/nOKfJgqOfMuom0PD9qLK8t7SIh1k:uDT5dm2+BiSQfnOKfLuopxip

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e573cda.exee575d04.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e575d04.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573cda.exee575d04.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575d04.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573cda.exee575d04.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575d04.exe

Executes dropped EXE 3 IoCs

Processes:

e573cda.exee573e51.exee575d04.exe

pid process

3428 e573cda.exe
1208 e573e51.exe
3304 e575d04.exe

pid	process
3428	e573cda.exe
1208	e573e51.exe
3304	e575d04.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3428-8-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-12-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-23-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-32-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-34-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-33-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-35-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-10-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-9-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-11-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-6-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-36-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-37-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-38-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-39-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-40-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-42-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-51-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-53-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-62-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-64-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-65-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-67-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-70-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-72-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-74-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3428-78-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3304-115-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx
behavioral2/memory/3304-143-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575d04.exee573cda.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573cda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575d04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575d04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573cda.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e573cda.exee575d04.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575d04.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e573cda.exee575d04.exe

description	ioc	process
File opened (read-only)	\??\E:	e573cda.exe
File opened (read-only)	\??\H:	e573cda.exe
File opened (read-only)	\??\I:	e573cda.exe
File opened (read-only)	\??\J:	e573cda.exe
File opened (read-only)	\??\K:	e573cda.exe
File opened (read-only)	\??\L:	e573cda.exe
File opened (read-only)	\??\M:	e573cda.exe
File opened (read-only)	\??\O:	e573cda.exe
File opened (read-only)	\??\E:	e575d04.exe
File opened (read-only)	\??\G:	e573cda.exe
File opened (read-only)	\??\N:	e573cda.exe

Drops file in Program Files directory 3 IoCs

Processes:

e573cda.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e573cda.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e573cda.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e573cda.exe

Drops file in Windows directory 3 IoCs

Processes:

e573cda.exee575d04.exe

description ioc process

File created C:\Windows\e573d76 e573cda.exe
File opened for modification C:\Windows\SYSTEM.INI e573cda.exe
File created C:\Windows\e57927c e575d04.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e573cda.exee575d04.exe

pid process

3428 e573cda.exe
3428 e573cda.exe
3428 e573cda.exe
3428 e573cda.exe
3304 e575d04.exe
3304 e575d04.exe

description	ioc	process
File created	C:\Windows\e573d76	e573cda.exe
File opened for modification	C:\Windows\SYSTEM.INI	e573cda.exe
File created	C:\Windows\e57927c	e575d04.exe

pid	process
3428	e573cda.exe
3428	e573cda.exe
3428	e573cda.exe
3428	e573cda.exe
3304	e575d04.exe
3304	e575d04.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e573cda.exe

description	pid	process
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe
Token: SeDebugPrivilege	3428	e573cda.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee573cda.exee575d04.exe

description	pid	process	target process
PID 692 wrote to memory of 2888	692	rundll32.exe	rundll32.exe
PID 692 wrote to memory of 2888	692	rundll32.exe	rundll32.exe
PID 692 wrote to memory of 2888	692	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 3428	2888	rundll32.exe	e573cda.exe
PID 2888 wrote to memory of 3428	2888	rundll32.exe	e573cda.exe
PID 2888 wrote to memory of 3428	2888	rundll32.exe	e573cda.exe
PID 3428 wrote to memory of 788	3428	e573cda.exe	fontdrvhost.exe
PID 3428 wrote to memory of 796	3428	e573cda.exe	fontdrvhost.exe
PID 3428 wrote to memory of 384	3428	e573cda.exe	dwm.exe
PID 3428 wrote to memory of 2624	3428	e573cda.exe	sihost.exe
PID 3428 wrote to memory of 2736	3428	e573cda.exe	svchost.exe
PID 3428 wrote to memory of 2980	3428	e573cda.exe	taskhostw.exe
PID 3428 wrote to memory of 3404	3428	e573cda.exe	Explorer.EXE
PID 3428 wrote to memory of 3564	3428	e573cda.exe	svchost.exe
PID 3428 wrote to memory of 3748	3428	e573cda.exe	DllHost.exe
PID 3428 wrote to memory of 3836	3428	e573cda.exe	StartMenuExperienceHost.exe
PID 3428 wrote to memory of 3900	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 4020	3428	e573cda.exe	SearchApp.exe
PID 3428 wrote to memory of 4100	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 4460	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 1088	3428	e573cda.exe	TextInputHost.exe
PID 3428 wrote to memory of 224	3428	e573cda.exe	backgroundTaskHost.exe
PID 3428 wrote to memory of 3172	3428	e573cda.exe	backgroundTaskHost.exe
PID 3428 wrote to memory of 692	3428	e573cda.exe	rundll32.exe
PID 3428 wrote to memory of 2888	3428	e573cda.exe	rundll32.exe
PID 3428 wrote to memory of 2888	3428	e573cda.exe	rundll32.exe
PID 2888 wrote to memory of 1208	2888	rundll32.exe	e573e51.exe
PID 2888 wrote to memory of 1208	2888	rundll32.exe	e573e51.exe
PID 2888 wrote to memory of 1208	2888	rundll32.exe	e573e51.exe
PID 2888 wrote to memory of 3304	2888	rundll32.exe	e575d04.exe
PID 2888 wrote to memory of 3304	2888	rundll32.exe	e575d04.exe
PID 2888 wrote to memory of 3304	2888	rundll32.exe	e575d04.exe
PID 3428 wrote to memory of 788	3428	e573cda.exe	fontdrvhost.exe
PID 3428 wrote to memory of 796	3428	e573cda.exe	fontdrvhost.exe
PID 3428 wrote to memory of 384	3428	e573cda.exe	dwm.exe
PID 3428 wrote to memory of 2624	3428	e573cda.exe	sihost.exe
PID 3428 wrote to memory of 2736	3428	e573cda.exe	svchost.exe
PID 3428 wrote to memory of 2980	3428	e573cda.exe	taskhostw.exe
PID 3428 wrote to memory of 3404	3428	e573cda.exe	Explorer.EXE
PID 3428 wrote to memory of 3564	3428	e573cda.exe	svchost.exe
PID 3428 wrote to memory of 3748	3428	e573cda.exe	DllHost.exe
PID 3428 wrote to memory of 3836	3428	e573cda.exe	StartMenuExperienceHost.exe
PID 3428 wrote to memory of 3900	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 4020	3428	e573cda.exe	SearchApp.exe
PID 3428 wrote to memory of 4100	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 4460	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 1088	3428	e573cda.exe	TextInputHost.exe
PID 3428 wrote to memory of 224	3428	e573cda.exe	backgroundTaskHost.exe
PID 3428 wrote to memory of 3172	3428	e573cda.exe	backgroundTaskHost.exe
PID 3428 wrote to memory of 1208	3428	e573cda.exe	e573e51.exe
PID 3428 wrote to memory of 1208	3428	e573cda.exe	e573e51.exe
PID 3428 wrote to memory of 5084	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 2804	3428	e573cda.exe	RuntimeBroker.exe
PID 3428 wrote to memory of 3304	3428	e573cda.exe	e575d04.exe
PID 3428 wrote to memory of 3304	3428	e573cda.exe	e575d04.exe
PID 3428 wrote to memory of 2512	3428	e573cda.exe	BackgroundTransferHost.exe
PID 3304 wrote to memory of 788	3304	e575d04.exe	fontdrvhost.exe
PID 3304 wrote to memory of 796	3304	e575d04.exe	fontdrvhost.exe
PID 3304 wrote to memory of 384	3304	e575d04.exe	dwm.exe
PID 3304 wrote to memory of 2624	3304	e575d04.exe	sihost.exe
PID 3304 wrote to memory of 2736	3304	e575d04.exe	svchost.exe
PID 3304 wrote to memory of 2980	3304	e575d04.exe	taskhostw.exe
PID 3304 wrote to memory of 3404	3304	e575d04.exe	Explorer.EXE
PID 3304 wrote to memory of 3564	3304	e575d04.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e573cda.exee575d04.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573cda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575d04.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2736

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2980

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3415e3207b3bf988cf8d7c517b8e0ea89523b3538b2ea02c49bf4a992e3a5d36_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\e573cda.exe
C:\Users\Admin\AppData\Local\Temp\e573cda.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3428

C:\Users\Admin\AppData\Local\Temp\e573e51.exe
C:\Users\Admin\AppData\Local\Temp\e573e51.exe
4⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Local\Temp\e575d04.exe
C:\Users\Admin\AppData\Local\Temp\e575d04.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1088

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:224

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3172

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2804

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e573cda.exe
Filesize
97KB

MD5
1f127bbea6ec705936ff24626ceacc64

SHA1
d5f5a8e97022603922312c6af92b5b457d35f0a7

SHA256
ff2f6540319fd85632bbee770a9e25ba0ad7ed266ab44bdb6041c536fd06f198

SHA512
0c48a8c4589d6c230685bf09bc378f5caf56c8d1893267714f8527011ca0ef01ddc8f0127d6b4e8243025da537670027e889abc926c76a88369340c7ebaf7b05

Download Submit
C:\Windows\SYSTEM.INI
Filesize
256B

MD5
54ae09ca39be4dcc30ac17689b737618

SHA1
ef2380e499d5e23b482c15aa2b5c45a79b549f32

SHA256
be5dac8b813031446070e38691486608c05bd5f59348c8dd063db112e0656ea5

SHA512
3896c1c1ed2208c89d9254b2e220b111bbee503fea500f90211926e32fc367bf927aa549c89deae0160b2d61ed18d20f76867276741243cb32fe7ea0c306870c

Download Submit
memory/1208-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1208-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1208-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1208-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1208-98-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2888-14-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2888-18-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/2888-15-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/2888-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2888-13-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/3304-115-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download
memory/3304-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3304-143-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download
memory/3304-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3304-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3304-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3304-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3428-40-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-53-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-6-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-36-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-37-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-38-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-39-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-20-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/3428-42-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-9-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-51-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-10-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-35-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-33-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-34-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-32-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-26-0x00000000019F0000-0x00000000019F2000-memory.dmp

Filesize
8KB

Download
memory/3428-11-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-62-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-64-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-65-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-67-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-70-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-72-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-74-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-94-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3428-78-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-86-0x00000000019F0000-0x00000000019F2000-memory.dmp

Filesize
8KB

Download
memory/3428-23-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-31-0x00000000019F0000-0x00000000019F2000-memory.dmp

Filesize
8KB

Download
memory/3428-12-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-8-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3428-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download