Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 05:22

Static task: static1
Behavioral task: behavioral1
Sample: 387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8_NeikiAnalytics.dll
Resource: win7-20240611-en
General

Target: 387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8_NeikiAnalytics.dll
Size: 120KB
MD5: 8be17b47ed444d820c8646e85b4f3b20
SHA1: f28fa390ed85b675ce9747212b2bbef90aa35dbc
SHA256: 387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8
SHA512: 52d4a099dd3109142f59cf0ce8e8de0127cdd4f6477f03c1a804182f2ffe4ae4ba30ab86241e44e966c90715d22529f2c168ba2d5531e26362320f238d0cd1c0
SSDEEP: 3072:e5stVdchoisZ2/GCg9aMVb7vy5g5tdYooK:DtVKSbEG/aMtymZro
Malware Config

Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e574fd5.exe, e576b5c.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e576b5c.exe
UAC bypass
Processes: e574fd5.exe, e576b5c.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576b5c.exe
Windows security bypass
Processes: e576b5c.exe, e574fd5.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574fd5.exe
Executes dropped EXE 3 IoCs
Processes: e574fd5.exe, e57516c.exe, e576b5c.exe
  pid | process
  1588 | e574fd5.exe
  740 | e57516c.exe
  4392 | e576b5c.exe
YARA rule matches
  resource | yara_rule
  behavioral2/memory/1588-6-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-8-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-10-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-30-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-26-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-33-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-12-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-11-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-9-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-34-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-35-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-36-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-37-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-38-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-39-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-41-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-42-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-51-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-53-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-54-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-64-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-65-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-69-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-70-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-73-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-74-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-77-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-79-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-86-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/1588-89-0x0000000000750000-0x000000000180A000-memory.dmp | upx
  behavioral2/memory/4392-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
  behavioral2/memory/4392-154-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification
Processes: e574fd5.exe, e576b5c.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576b5c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574fd5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576b5c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576b5c.exe
Checks whether UAC is enabled
Processes: e574fd5.exe, e576b5c.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576b5c.exe
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e574fd5.exe, e576b5c.exe
  description | ioc | process
  File opened (read-only) | \??\E: | e574fd5.exe
  File opened (read-only) | \??\N: | e574fd5.exe
  File opened (read-only) | \??\O: | e574fd5.exe
  File opened (read-only) | \??\R: | e574fd5.exe
  File opened (read-only) | \??\M: | e574fd5.exe
  File opened (read-only) | \??\H: | e574fd5.exe
  File opened (read-only) | \??\J: | e574fd5.exe
  File opened (read-only) | \??\Q: | e574fd5.exe
  File opened (read-only) | \??\E: | e576b5c.exe
  File opened (read-only) | \??\G: | e574fd5.exe
  File opened (read-only) | \??\K: | e574fd5.exe
  File opened (read-only) | \??\L: | e574fd5.exe
  File opened (read-only) | \??\P: | e574fd5.exe
  File opened (read-only) | \??\S: | e574fd5.exe
  File opened (read-only) | \??\G: | e576b5c.exe
  File opened (read-only) | \??\I: | e574fd5.exe
Drops file in Program Files directory 4 IoCs
Processes: e574fd5.exe
  description | ioc | process
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | e574fd5.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e574fd5.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | e574fd5.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e574fd5.exe
Drops file in Windows directory 3 IoCs
Processes: e574fd5.exe, e576b5c.exe
  description | ioc | process
  File created | C:\Windows\e575062 | e574fd5.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e574fd5.exe
  File created | C:\Windows\e57a057 | e576b5c.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: e574fd5.exe, e576b5c.exe
  pid | process
  1588 | e574fd5.exe
  1588 | e574fd5.exe
  1588 | e574fd5.exe
  1588 | e574fd5.exe
  4392 | e576b5c.exe
  4392 | e576b5c.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e574fd5.exe
  description | pid | process
  Token: SeDebugPrivilege | 1588 | e574fd5.exe   (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e574fd5.exe, e576b5c.exe
  description: "PID <source> wrote to memory of <target>"; listed as source pid process -> target pid process
  924 rundll32.exe -> 3996 rundll32.exe
  924 rundll32.exe -> 3996 rundll32.exe
  924 rundll32.exe -> 3996 rundll32.exe
  3996 rundll32.exe -> 1588 e574fd5.exe
  3996 rundll32.exe -> 1588 e574fd5.exe
  3996 rundll32.exe -> 1588 e574fd5.exe
  1588 e574fd5.exe -> 776 fontdrvhost.exe
  1588 e574fd5.exe -> 784 fontdrvhost.exe
  1588 e574fd5.exe -> 384 dwm.exe
  1588 e574fd5.exe -> 3060 sihost.exe
  1588 e574fd5.exe -> 2204 svchost.exe
  1588 e574fd5.exe -> 3084 taskhostw.exe
  1588 e574fd5.exe -> 3444 Explorer.EXE
  1588 e574fd5.exe -> 3584 svchost.exe
  1588 e574fd5.exe -> 3768 DllHost.exe
  1588 e574fd5.exe -> 3856 StartMenuExperienceHost.exe
  1588 e574fd5.exe -> 3920 RuntimeBroker.exe
  1588 e574fd5.exe -> 4052 SearchApp.exe
  1588 e574fd5.exe -> 4020 RuntimeBroker.exe
  1588 e574fd5.exe -> 4384 RuntimeBroker.exe
  1588 e574fd5.exe -> 2164 TextInputHost.exe
  1588 e574fd5.exe -> 924 rundll32.exe
  1588 e574fd5.exe -> 3996 rundll32.exe
  1588 e574fd5.exe -> 3996 rundll32.exe
  3996 rundll32.exe -> 740 e57516c.exe
  3996 rundll32.exe -> 740 e57516c.exe
  3996 rundll32.exe -> 740 e57516c.exe
  3996 rundll32.exe -> 4392 e576b5c.exe
  3996 rundll32.exe -> 4392 e576b5c.exe
  3996 rundll32.exe -> 4392 e576b5c.exe
  1588 e574fd5.exe -> 776 fontdrvhost.exe
  1588 e574fd5.exe -> 784 fontdrvhost.exe
  1588 e574fd5.exe -> 384 dwm.exe
  1588 e574fd5.exe -> 3060 sihost.exe
  1588 e574fd5.exe -> 2204 svchost.exe
  1588 e574fd5.exe -> 3084 taskhostw.exe
  1588 e574fd5.exe -> 3444 Explorer.EXE
  1588 e574fd5.exe -> 3584 svchost.exe
  1588 e574fd5.exe -> 3768 DllHost.exe
  1588 e574fd5.exe -> 3856 StartMenuExperienceHost.exe
  1588 e574fd5.exe -> 3920 RuntimeBroker.exe
  1588 e574fd5.exe -> 4052 SearchApp.exe
  1588 e574fd5.exe -> 4020 RuntimeBroker.exe
  1588 e574fd5.exe -> 4384 RuntimeBroker.exe
  1588 e574fd5.exe -> 2164 TextInputHost.exe
  1588 e574fd5.exe -> 740 e57516c.exe
  1588 e574fd5.exe -> 740 e57516c.exe
  1588 e574fd5.exe -> 4392 e576b5c.exe
  1588 e574fd5.exe -> 4392 e576b5c.exe
  4392 e576b5c.exe -> 776 fontdrvhost.exe
  4392 e576b5c.exe -> 784 fontdrvhost.exe
  4392 e576b5c.exe -> 384 dwm.exe
  4392 e576b5c.exe -> 3060 sihost.exe
  4392 e576b5c.exe -> 2204 svchost.exe
  4392 e576b5c.exe -> 3084 taskhostw.exe
  4392 e576b5c.exe -> 3444 Explorer.EXE
  4392 e576b5c.exe -> 3584 svchost.exe
  4392 e576b5c.exe -> 3768 DllHost.exe
  4392 e576b5c.exe -> 3856 StartMenuExperienceHost.exe
  4392 e576b5c.exe -> 3920 RuntimeBroker.exe
  4392 e576b5c.exe -> 4052 SearchApp.exe
  4392 e576b5c.exe -> 4020 RuntimeBroker.exe
  4392 e576b5c.exe -> 4384 RuntimeBroker.exe
  4392 e576b5c.exe -> 2164 TextInputHost.exe
System policy modification 1 TTPs 2 IoCs
Processes: e574fd5.exe, e576b5c.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574fd5.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576b5c.exe
Processes
(process tree; indentation shows parent/child depth, with each entry's image path followed by its command line and matched signatures)

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"

C:\Windows\system32\dwm.exe
  command line: "dwm.exe"

C:\Windows\system32\sihost.exe
  command line: sihost.exe

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\387ea5cba0304ea7cface2ecd2439ce3fea5eb15672d2367c7ca52f3e72da3c8_NeikiAnalytics.dll,#1
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e574fd5.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e574fd5.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e57516c.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57516c.exe
              - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\e576b5c.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e576b5c.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
MITRE ATT&CK Matrix ATT&CK v13
(tactic, then technique / sub-technique with the number of matched signatures)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)

Defense Evasion
  Modify Registry (5)
  Impair Defenses (4)
    Disable or Modify Tools (3)
    Disable or Modify System Firewall (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\e574fd5.exe
  Filesize: 97KB
  MD5: 8ea5d9ab70530e547f78287174c9bc94
  SHA1: 7498ee410f5f14546ac18a86ed7e051e7dc6614e
  SHA256: 72669fac8baeb340e4d02037cb3657b5b04dad1c8df24de3db3b91097e8e6563
  SHA512: d5e7631f951375c29de70727c95a0d0b08d524f1faf3ed548c9cb61127165711ba8fbd0c8156ae11d3b840b6d51207e16b0da217bc06f5119705cbefbc98cc0d

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 50521943b7e61b4f4085db00a3143adf
  SHA1: 4d44798afff30981ee1bb714039dc73d41b3733d
  SHA256: 53c420b051f466aa4c5733e983b5fe2a4018755043bc43d154baa3a87fc35edb
  SHA512: c5e5aa0acb0865c70e3ddb0144055c22818852c5b8bf322577c447489881642ec85e7b26adf08d037bae3bd7fce2f8cf7eebd9414067e749b676d33fbad18af9

Memory dumps (resource | Filesize)
  memory/740-32-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
  memory/740-127-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
  memory/740-57-0x00000000001F0000-0x00000000001F1000-memory.dmp | 4KB
  memory/740-62-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
  memory/740-60-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
  memory/1588-41-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-70-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-26-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-33-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-27-0x0000000003660000-0x0000000003662000-memory.dmp | 8KB
  memory/1588-12-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-5-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
  memory/1588-22-0x0000000003660000-0x0000000003662000-memory.dmp | 8KB
  memory/1588-11-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-16-0x0000000003E70000-0x0000000003E71000-memory.dmp | 4KB
  memory/1588-6-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-9-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-98-0x0000000003660000-0x0000000003662000-memory.dmp | 8KB
  memory/1588-34-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-35-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-36-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-37-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-38-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-39-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-106-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
  memory/1588-42-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-89-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-51-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-53-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-54-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-86-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-79-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-77-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-74-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-10-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-8-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-64-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-65-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-69-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-30-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/1588-73-0x0000000000750000-0x000000000180A000-memory.dmp | 16.7MB
  memory/3996-28-0x00000000007C0000-0x00000000007C2000-memory.dmp | 8KB
  memory/3996-0-0x0000000010000000-0x0000000010020000-memory.dmp | 128KB
  memory/3996-13-0x00000000007C0000-0x00000000007C2000-memory.dmp | 8KB
  memory/3996-14-0x00000000007D0000-0x00000000007D1000-memory.dmp | 4KB
  memory/3996-23-0x00000000007C0000-0x00000000007C2000-memory.dmp | 8KB
  memory/4392-63-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
  memory/4392-59-0x00000000001F0000-0x00000000001F1000-memory.dmp | 4KB
  memory/4392-61-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
  memory/4392-50-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
  memory/4392-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
  memory/4392-155-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
  memory/4392-154-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB