Analysis
- max time kernel: 155s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2023, 20:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: NEAS.e227b03c6958e4c07e728cc964901ce0.exe
- Resource: win7-20231020-en
General
- Target: NEAS.e227b03c6958e4c07e728cc964901ce0.exe
- Size: 650KB
- MD5: e227b03c6958e4c07e728cc964901ce0
- SHA1: 9db3ee0af4708e51ce2f0d379b7c17b15e999028
- SHA256: 6d3caa2753025c2920f3f8a97614fce47ea56768d55d0c2914aa20af658597a1
- SHA512: e89a0da2e89d0a23da0dd21bf2ee61f6800a9f3f2445df00201f73c81d146df90df5251eea9fea9ee9d09ced6c0e5676c7079411e43c9a09f09f054d03ce633c
- SSDEEP: 12288:0SkAc2YZ6jcd1DaB0BYOrHgKwObBhyD9dxzOWsGpd4Lzo/Z2BuYg6ZBGU+7rCPHr:0S1cdM+1WB0BNAnObrs9dxzOPGpKWZ4b
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
UAC bypass (1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
Windows security bypass (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
Executes dropped EXE (1 IoC)
- PID 1528: update.exe

Loads dropped DLL (3 IoCs)
- PID 2996: NEAS.e227b03c6958e4c07e728cc964901ce0.exe
- PID 1528: update.exe
- PID 1528: update.exe
Yara rule match: upx (22 memory dumps of PID 2996, all covering 0x00000000024D0000-0x000000000355E000)
- behavioral2/memory/2996-N-0x00000000024D0000-0x000000000355E000-memory.dmp for N = 1, 6, 10, 76, 81, 82, 83, 84, 85, 86, 87, 89, 95, 96, 98, 99, 100, 104, 106, 107, 109, 126
Windows security modification (7 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
Checks whether UAC is enabled (1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\K: (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- File opened (read-only): \??\E: (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- File opened (read-only): \??\G: (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- File opened (read-only): \??\H: (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- File opened (read-only): \??\I: (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- File opened (read-only): \??\J: (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)

Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\SYSTEM.INI (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
- File opened for modification: C:\Windows\setupapi.log (Process: update.exe)
- File opened for modification: \??\c:\windows\KB969238.log (Process: update.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 2996: NEAS.e227b03c6958e4c07e728cc964901ce0.exe (6 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 2996, NEAS.e227b03c6958e4c07e728cc964901ce0.exe (64 occurrences)

Suspicious use of WriteProcessMemory (64 IoCs)
PID 2996 (NEAS.e227b03c6958e4c07e728cc964901ce0.exe) wrote to the memory of the target PIDs below (procid_target in parentheses), in the order recorded; the sequence is recorded three times:
- 756 (8), 764 (83), 336 (79), 2432 (49), 2456 (48), 2652 (42), 3292 (36), 3416 (35), 3660 (34), 3780 (33), 3892 (9), 3980 (32), 3496 (31), 2176 (29), 4348 (19), 1552 (12), 460 (11), 4000 (10), 1380 (86), 1528 (87), 1528 (87), 1528 (87)
- 756 (8), 764 (83), 336 (79), 2432 (49), 2456 (48), 2652 (42), 3292 (36), 3416 (35), 3660 (34), 3780 (33), 3892 (9), 3980 (32), 3496 (31), 2176 (29), 4348 (19), 1552 (12), 460 (11), 4000 (10), 1380 (86), 1528 (87), 1528 (87), 1600 (89)
- 756 (8), 764 (83), 336 (79), 2432 (49), 2456 (48), 2652 (42), 3292 (36), 3416 (35), 3660 (34), 3780 (33), 3892 (9), 3980 (32), 3496 (31), 2176 (29), 4348 (19), 1552 (12), 460 (11), 4000 (10), 1600 (89), 1800 (92)

System policy modification (1 TTP, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: NEAS.e227b03c6958e4c07e728cc964901ce0.exe)
Processes
(format: image path | command line | PID; indentation shows parent/child depth)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 756
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3892
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID: 4000
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID: 460
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID: 1552
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID: 4348
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 2176
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3496
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 3980
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3780
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3660
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 3416
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 3292
  - C:\Users\Admin\AppData\Local\Temp\NEAS.e227b03c6958e4c07e728cc964901ce0.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.e227b03c6958e4c07e728cc964901ce0.exe" | PID: 2996
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - \??\c:\5e7d599030a6fcc2096af1ee3e2cbc\update\update.exe | c:\5e7d599030a6fcc2096af1ee3e2cbc\update\update.exe | PID: 1528
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 2652
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 2456
- C:\Windows\system32\sihost.exe | sihost.exe | PID: 2432
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID: 336
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 764
- C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID: 1380
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 1600
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 1800
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads