Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-05-2024 22:25
Static task: static1
Behavioral task: behavioral1
Sample: 43d75978219f48d16a80564c7e2ee510_NeikiAnalytics.dll
Resource: win7-20240508-en
General
- Target: 43d75978219f48d16a80564c7e2ee510_NeikiAnalytics.dll
- Size: 120KB
- MD5: 43d75978219f48d16a80564c7e2ee510
- SHA1: b8a4b3a0933ac27d26faf74daf4af944d8840954
- SHA256: 865c17f44ff15e57cebe4c6846a85cb23d11163b9ad369add358cd8154cc2ac4
- SHA512: 15235a51f739349fd81e959142301d4f8e4ec3da8ba2a7e098deb17c91dee5de12685d7fef55010aa68f4011a5ff6aca9521fdc4f2810dc85de393b7fcf62d45
- SSDEEP: 3072:VXJ+QyueK9bScLGQjokLwbQWBSTF+X2g82Wn5pS0H:VXTyueiGQibQWmO2gx25g0
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
- Modifies firewall policy service 2 TTPs 6 IoCs
  Processes:
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e5735b6.exe)
- UAC bypass
  Processes:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57518b.exe)
- Windows security bypass
  Processes:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5735b6.exe)
- Executes dropped EXE 4 IoCs
  Processes:
  - PID 2440: e5735b6.exe
  - PID 1652: e5736b0.exe
  - PID 220: e57518b.exe
  - PID 1120: e57519a.exe
- Windows security modification
  Processes:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5735b6.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57518b.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5735b6.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e5735b6.exe)
- Checks whether UAC is enabled
  Processes:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57518b.exe)
- Enumerates connected drives 3 TTPs 14 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - File opened (read-only) by e5735b6.exe: \??\M:, \??\O:, \??\Q:, \??\J:, \??\L:, \??\R:, \??\G:, \??\H:, \??\K:, \??\S:, \??\E:, \??\I:, \??\N:, \??\P:
- Drops file in Program Files directory 4 IoCs
  Processes:
  - File opened for modification C:\Program Files\7-Zip\7z.exe (e5735b6.exe)
  - File opened for modification C:\Program Files\7-Zip\7zFM.exe (e5735b6.exe)
  - File opened for modification C:\Program Files\7-Zip\7zG.exe (e5735b6.exe)
  - File opened for modification C:\Program Files\7-Zip\Uninstall.exe (e5735b6.exe)
- Drops file in Windows directory 3 IoCs
  Processes:
  - File created C:\Windows\e5735f4 (e5735b6.exe)
  - File opened for modification C:\Windows\SYSTEM.INI (e5735b6.exe)
  - File created C:\Windows\e579ff9 (e57518b.exe)
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes:
  - PID 2440 e5735b6.exe (x4)
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes:
  - Token: SeDebugPrivilege, PID 2440 e5735b6.exe (x64)
- Suspicious use of WriteProcessMemory 59 IoCs
  Processes (source PID and process -> target PID and process; identical rows shown once with their count):
  - 744 rundll32.exe -> 2572 rundll32.exe (x3)
  - 2572 rundll32.exe -> 2440 e5735b6.exe (x3)
  - 2440 e5735b6.exe -> 760 fontdrvhost.exe (x2)
  - 2440 e5735b6.exe -> 764 fontdrvhost.exe (x2)
  - 2440 e5735b6.exe -> 64 dwm.exe (x2)
  - 2440 e5735b6.exe -> 2628 sihost.exe (x2)
  - 2440 e5735b6.exe -> 2648 svchost.exe (x2)
  - 2440 e5735b6.exe -> 2792 taskhostw.exe (x2)
  - 2440 e5735b6.exe -> 3404 Explorer.EXE (x2)
  - 2440 e5735b6.exe -> 3576 svchost.exe (x2)
  - 2440 e5735b6.exe -> 3780 DllHost.exe (x2)
  - 2440 e5735b6.exe -> 3868 StartMenuExperienceHost.exe (x2)
  - 2440 e5735b6.exe -> 3932 RuntimeBroker.exe (x2)
  - 2440 e5735b6.exe -> 4016 SearchApp.exe (x2)
  - 2440 e5735b6.exe -> 4132 RuntimeBroker.exe (x2)
  - 2440 e5735b6.exe -> 4516 TextInputHost.exe (x2)
  - 2440 e5735b6.exe -> 3788 RuntimeBroker.exe (x2)
  - 2440 e5735b6.exe -> 2672 backgroundTaskHost.exe (x2)
  - 2440 e5735b6.exe -> 2168 backgroundTaskHost.exe (x1)
  - 2440 e5735b6.exe -> 744 rundll32.exe (x1)
  - 2440 e5735b6.exe -> 2572 rundll32.exe (x2)
  - 2572 rundll32.exe -> 1652 e5736b0.exe (x3)
  - 2572 rundll32.exe -> 220 e57518b.exe (x3)
  - 2572 rundll32.exe -> 1120 e57519a.exe (x3)
  - 2440 e5735b6.exe -> 1652 e5736b0.exe (x2)
  - 2440 e5735b6.exe -> 4536 RuntimeBroker.exe (x1)
  - 2440 e5735b6.exe -> 756 RuntimeBroker.exe (x1)
  - 2440 e5735b6.exe -> 220 e57518b.exe (x2)
  - 2440 e5735b6.exe -> 1120 e57519a.exe (x2)
- System policy modification 1 TTPs 2 IoCs
  Processes:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5735b6.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57518b.exe)
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43d75978219f48d16a80564c7e2ee510_NeikiAnalytics.dll,#1
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43d75978219f48d16a80564c7e2ee510_NeikiAnalytics.dll,#1
      Signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5735b6.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e5735b6.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5736b0.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e5736b0.exe
        Signatures:
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e57518b.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e57518b.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57519a.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e57519a.exe
        Signatures:
        - Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e5735b6.exe
  Filesize: 97KB
  MD5: b27616094228c4c16e87416ebe99ccd0
  SHA1: 18823af457f368981fdbde5312331e4483e7f38f
  SHA256: 00dccf99c3d264722f0df6c6a1d54cf0d61beca52a3343fb348e178b0506a6d3
  SHA512: 636c725d27d73e7937b858ab21ff87d06d2ae461ebe10055b97def9737a81623c585f11073ff54602bf6907c4dc29929d8bb12a521ab5550057e87341be68794
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: d9f387de2ef4394c605cf6be25c44aca
  SHA1: 0d24ce61bf93b4e5fd56834c01ec3fbb1c1b6fc7
  SHA256: 537250b43d9c4ab1f028714c05c01e86c8495d4ce1708a1304857d5d224d8dee
  SHA512: 72a47b944f23856cead8b2ea93c22f85eb6dda4ad1ca818b1161303054a34055ad0302792605429e4e95b5472c52871914797857a84dbec449f007970df7a9a3