sality | 387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8_NeikiAnalytics.dll
Size

120KB
MD5

8be17b47ed444d820c8646e85b4f3b20
SHA1

f28fa390ed85b675ce9747212b2bbef90aa35dbc
SHA256

387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8
SHA512

52d4a099dd3109142f59cf0ce8e8de0127cdd4f6477f03c1a804182f2ffe4ae4ba30ab86241e44e966c90715d22529f2c168ba2d5531e26362320f238d0cd1c0
SSDEEP

3072:e5stVdchoisZ2/GCg9aMVb7vy5g5tdYooK:DtVKSbEG/aMtymZro

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e574fd5.exee576b5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e576b5c.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574fd5.exee576b5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e576b5c.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e576b5c.exee574fd5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574fd5.exe

Executes dropped EXE 3 IoCs

Processes:

e574fd5.exee57516c.exee576b5c.exe

pid process

1588 e574fd5.exe
740 e57516c.exe
4392 e576b5c.exe

pid	process
1588	e574fd5.exe
740	e57516c.exe
4392	e576b5c.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1588-6-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-8-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-10-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-30-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-26-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-33-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-12-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-11-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-9-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-34-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-35-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-36-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-37-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-38-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-39-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-41-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-42-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-51-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-53-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-54-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-64-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-65-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-69-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-70-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-73-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-74-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-77-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-79-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-86-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/1588-89-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4392-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx
behavioral2/memory/4392-154-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574fd5.exee576b5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e576b5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574fd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e576b5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e576b5c.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e574fd5.exee576b5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e576b5c.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e574fd5.exee576b5c.exe

description	ioc	process
File opened (read-only)	\??\E:	e574fd5.exe
File opened (read-only)	\??\N:	e574fd5.exe
File opened (read-only)	\??\O:	e574fd5.exe
File opened (read-only)	\??\R:	e574fd5.exe
File opened (read-only)	\??\M:	e574fd5.exe
File opened (read-only)	\??\H:	e574fd5.exe
File opened (read-only)	\??\J:	e574fd5.exe
File opened (read-only)	\??\Q:	e574fd5.exe
File opened (read-only)	\??\E:	e576b5c.exe
File opened (read-only)	\??\G:	e574fd5.exe
File opened (read-only)	\??\K:	e574fd5.exe
File opened (read-only)	\??\L:	e574fd5.exe
File opened (read-only)	\??\P:	e574fd5.exe
File opened (read-only)	\??\S:	e574fd5.exe
File opened (read-only)	\??\G:	e576b5c.exe
File opened (read-only)	\??\I:	e574fd5.exe

Drops file in Program Files directory 4 IoCs

Processes:

e574fd5.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e574fd5.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e574fd5.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e574fd5.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e574fd5.exe

Drops file in Windows directory 3 IoCs

Processes:

e574fd5.exee576b5c.exe

description ioc process

File created C:\Windows\e575062 e574fd5.exe
File opened for modification C:\Windows\SYSTEM.INI e574fd5.exe
File created C:\Windows\e57a057 e576b5c.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e574fd5.exee576b5c.exe

pid process

1588 e574fd5.exe
1588 e574fd5.exe
1588 e574fd5.exe
1588 e574fd5.exe
4392 e576b5c.exe
4392 e576b5c.exe

description	ioc	process
File created	C:\Windows\e575062	e574fd5.exe
File opened for modification	C:\Windows\SYSTEM.INI	e574fd5.exe
File created	C:\Windows\e57a057	e576b5c.exe

pid	process
1588	e574fd5.exe
1588	e574fd5.exe
1588	e574fd5.exe
1588	e574fd5.exe
4392	e576b5c.exe
4392	e576b5c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e574fd5.exe

description	pid	process
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe
Token: SeDebugPrivilege	1588	e574fd5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee574fd5.exee576b5c.exe

description	pid	process	target process
PID 924 wrote to memory of 3996	924	rundll32.exe	rundll32.exe
PID 924 wrote to memory of 3996	924	rundll32.exe	rundll32.exe
PID 924 wrote to memory of 3996	924	rundll32.exe	rundll32.exe
PID 3996 wrote to memory of 1588	3996	rundll32.exe	e574fd5.exe
PID 3996 wrote to memory of 1588	3996	rundll32.exe	e574fd5.exe
PID 3996 wrote to memory of 1588	3996	rundll32.exe	e574fd5.exe
PID 1588 wrote to memory of 776	1588	e574fd5.exe	fontdrvhost.exe
PID 1588 wrote to memory of 784	1588	e574fd5.exe	fontdrvhost.exe
PID 1588 wrote to memory of 384	1588	e574fd5.exe	dwm.exe
PID 1588 wrote to memory of 3060	1588	e574fd5.exe	sihost.exe
PID 1588 wrote to memory of 2204	1588	e574fd5.exe	svchost.exe
PID 1588 wrote to memory of 3084	1588	e574fd5.exe	taskhostw.exe
PID 1588 wrote to memory of 3444	1588	e574fd5.exe	Explorer.EXE
PID 1588 wrote to memory of 3584	1588	e574fd5.exe	svchost.exe
PID 1588 wrote to memory of 3768	1588	e574fd5.exe	DllHost.exe
PID 1588 wrote to memory of 3856	1588	e574fd5.exe	StartMenuExperienceHost.exe
PID 1588 wrote to memory of 3920	1588	e574fd5.exe	RuntimeBroker.exe
PID 1588 wrote to memory of 4052	1588	e574fd5.exe	SearchApp.exe
PID 1588 wrote to memory of 4020	1588	e574fd5.exe	RuntimeBroker.exe
PID 1588 wrote to memory of 4384	1588	e574fd5.exe	RuntimeBroker.exe
PID 1588 wrote to memory of 2164	1588	e574fd5.exe	TextInputHost.exe
PID 1588 wrote to memory of 924	1588	e574fd5.exe	rundll32.exe
PID 1588 wrote to memory of 3996	1588	e574fd5.exe	rundll32.exe
PID 1588 wrote to memory of 3996	1588	e574fd5.exe	rundll32.exe
PID 3996 wrote to memory of 740	3996	rundll32.exe	e57516c.exe
PID 3996 wrote to memory of 740	3996	rundll32.exe	e57516c.exe
PID 3996 wrote to memory of 740	3996	rundll32.exe	e57516c.exe
PID 3996 wrote to memory of 4392	3996	rundll32.exe	e576b5c.exe
PID 3996 wrote to memory of 4392	3996	rundll32.exe	e576b5c.exe
PID 3996 wrote to memory of 4392	3996	rundll32.exe	e576b5c.exe
PID 1588 wrote to memory of 776	1588	e574fd5.exe	fontdrvhost.exe
PID 1588 wrote to memory of 784	1588	e574fd5.exe	fontdrvhost.exe
PID 1588 wrote to memory of 384	1588	e574fd5.exe	dwm.exe
PID 1588 wrote to memory of 3060	1588	e574fd5.exe	sihost.exe
PID 1588 wrote to memory of 2204	1588	e574fd5.exe	svchost.exe
PID 1588 wrote to memory of 3084	1588	e574fd5.exe	taskhostw.exe
PID 1588 wrote to memory of 3444	1588	e574fd5.exe	Explorer.EXE
PID 1588 wrote to memory of 3584	1588	e574fd5.exe	svchost.exe
PID 1588 wrote to memory of 3768	1588	e574fd5.exe	DllHost.exe
PID 1588 wrote to memory of 3856	1588	e574fd5.exe	StartMenuExperienceHost.exe
PID 1588 wrote to memory of 3920	1588	e574fd5.exe	RuntimeBroker.exe
PID 1588 wrote to memory of 4052	1588	e574fd5.exe	SearchApp.exe
PID 1588 wrote to memory of 4020	1588	e574fd5.exe	RuntimeBroker.exe
PID 1588 wrote to memory of 4384	1588	e574fd5.exe	RuntimeBroker.exe
PID 1588 wrote to memory of 2164	1588	e574fd5.exe	TextInputHost.exe
PID 1588 wrote to memory of 740	1588	e574fd5.exe	e57516c.exe
PID 1588 wrote to memory of 740	1588	e574fd5.exe	e57516c.exe
PID 1588 wrote to memory of 4392	1588	e574fd5.exe	e576b5c.exe
PID 1588 wrote to memory of 4392	1588	e574fd5.exe	e576b5c.exe
PID 4392 wrote to memory of 776	4392	e576b5c.exe	fontdrvhost.exe
PID 4392 wrote to memory of 784	4392	e576b5c.exe	fontdrvhost.exe
PID 4392 wrote to memory of 384	4392	e576b5c.exe	dwm.exe
PID 4392 wrote to memory of 3060	4392	e576b5c.exe	sihost.exe
PID 4392 wrote to memory of 2204	4392	e576b5c.exe	svchost.exe
PID 4392 wrote to memory of 3084	4392	e576b5c.exe	taskhostw.exe
PID 4392 wrote to memory of 3444	4392	e576b5c.exe	Explorer.EXE
PID 4392 wrote to memory of 3584	4392	e576b5c.exe	svchost.exe
PID 4392 wrote to memory of 3768	4392	e576b5c.exe	DllHost.exe
PID 4392 wrote to memory of 3856	4392	e576b5c.exe	StartMenuExperienceHost.exe
PID 4392 wrote to memory of 3920	4392	e576b5c.exe	RuntimeBroker.exe
PID 4392 wrote to memory of 4052	4392	e576b5c.exe	SearchApp.exe
PID 4392 wrote to memory of 4020	4392	e576b5c.exe	RuntimeBroker.exe
PID 4392 wrote to memory of 4384	4392	e576b5c.exe	RuntimeBroker.exe
PID 4392 wrote to memory of 2164	4392	e576b5c.exe	TextInputHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e574fd5.exee576b5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e576b5c.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2204

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3084

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\e574fd5.exe
C:\Users\Admin\AppData\Local\Temp\e574fd5.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1588

C:\Users\Admin\AppData\Local\Temp\e57516c.exe
C:\Users\Admin\AppData\Local\Temp\e57516c.exe
4⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\AppData\Local\Temp\e576b5c.exe
C:\Users\Admin\AppData\Local\Temp\e576b5c.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4384

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e574fd5.exe
Filesize
97KB

MD5
8ea5d9ab70530e547f78287174c9bc94

SHA1
7498ee410f5f14546ac18a86ed7e051e7dc6614e

SHA256
72669fac8baeb340e4d02037cb3657b5b04dad1c8df24de3db3b91097e8e6563

SHA512
d5e7631f951375c29de70727c95a0d0b08d524f1faf3ed548c9cb61127165711ba8fbd0c8156ae11d3b840b6d51207e16b0da217bc06f5119705cbefbc98cc0d

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
50521943b7e61b4f4085db00a3143adf

SHA1
4d44798afff30981ee1bb714039dc73d41b3733d

SHA256
53c420b051f466aa4c5733e983b5fe2a4018755043bc43d154baa3a87fc35edb

SHA512
c5e5aa0acb0865c70e3ddb0144055c22818852c5b8bf322577c447489881642ec85e7b26adf08d037bae3bd7fce2f8cf7eebd9414067e749b676d33fbad18af9

Download Submit
memory/740-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/740-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/740-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/740-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/740-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1588-41-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-70-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-26-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-33-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-27-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/1588-12-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1588-22-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/1588-11-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-16-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/1588-6-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-9-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-98-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/1588-34-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-35-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-36-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-37-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-38-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-39-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1588-42-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-89-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-51-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-53-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-54-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-86-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-79-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-77-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-74-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-10-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-8-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-64-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-65-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-69-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-30-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/1588-73-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/3996-28-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/3996-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3996-13-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/3996-14-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/3996-23-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/4392-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4392-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4392-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4392-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4392-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download
memory/4392-155-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4392-154-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download