Analysis
- max time kernel: 11s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 17-05-2024 06:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- Resource: win7-20240220-en
General
- Target: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- Size: 732KB
- MD5: bebb67767b53cd13f67283cdc9bd9570
- SHA1: b02fe6f21cdf9a6377c2cf0b3de608f7117f6d90
- SHA256: 0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2
- SHA512: c2be48ff93f5645ccf5fc7305382c5ab4a803bd39d4165f6bd3a73e7daa8db6047708485b2f54c5eefb3637946b4e3eeece77c4ae9a507bcd88de1422770b7fa
- SSDEEP: 12288:WTyjXW+48qWywrU4kGFezOAVuJ5PIzww7F5DO3HYffIERagUj7K:MIXW/8yw1ez54lIvF5SXYHIMa/j7K
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- rundll32.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- rundll32.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- rundll32.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- rundll32.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
UAC bypass
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- rundll32.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Processes: rundll32.exe, bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
All values are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- rundll32.exe: Set value (int) UpdatesDisableNotify = "1"
- rundll32.exe: Set value (int) UacDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) AntiVirusOverride = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) AntiVirusDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) FirewallDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) UpdatesDisableNotify = "1"
- rundll32.exe: Set value (int) FirewallOverride = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) FirewallOverride = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) UacDisableNotify = "1"
- rundll32.exe: Set value (int) AntiVirusOverride = "1"
- rundll32.exe: Set value (int) AntiVirusDisableNotify = "1"
- rundll32.exe: Set value (int) FirewallDisableNotify = "1"
Deletes itself (1 IoC)
Processes: rundll32.exe
- PID 2964 rundll32.exe

Executes dropped EXE (1 IoC)
Processes: rundll32.exe
- PID 2964 rundll32.exe

Loads dropped DLL (1 IoC)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Yara rule matches (rule: upx)
Resources matched, in the order reported:
- behavioral1/memory/2064-6-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-8-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-9-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-15-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-16-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-12-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-7-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-3-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-13-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-11-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-10-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-33-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-40-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2064-39-0x00000000023F0000-0x000000000347E000-memory.dmp: upx
- behavioral1/memory/2964-70-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-84-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-69-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-64-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-83-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-62-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-71-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-66-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-65-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-63-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-60-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
- behavioral1/memory/2964-126-0x00000000025B0000-0x000000000363E000-memory.dmp: upx
Windows security modification
Processes: rundll32.exe, bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
All keys and values are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- rundll32.exe: Set value (int) AntiVirusOverride = "1"
- rundll32.exe: Set value (int) FirewallOverride = "1"
- rundll32.exe: Set value (int) UpdatesDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Key created Svc
- rundll32.exe: Set value (int) AntiVirusDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) AntiVirusOverride = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) FirewallDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) UpdatesDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) UacDisableNotify = "1"
- rundll32.exe: Set value (int) UacDisableNotify = "1"
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) AntiVirusDisableNotify = "1"
- rundll32.exe: Set value (int) FirewallDisableNotify = "1"
- rundll32.exe: Key created Svc
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) FirewallOverride = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe"
Checks whether UAC is enabled
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- rundll32.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
- rundll32.exe: File opened (read-only), in the order reported: \??\O:, \??\Q:, \??\S:, \??\Z:, \??\U:, \??\B:, \??\E:, \??\H:, \??\I:, \??\L:, \??\M:, \??\P:, \??\W:, \??\G:, \??\K:, \??\X:, \??\A:, \??\J:, \??\N:, \??\R:, \??\T:, \??\V:, \??\Y:
Drops file in Windows directory (1 IoC)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: File opened for modification C:\Windows\SYSTEM.INI

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- PID 2964 rundll32.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- Token: SeDebugPrivilege, adjusted repeatedly by PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe and by PID 2964 rundll32.exe (40 IoCs in total, all SeDebugPrivilege)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
- PID 2964 rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe wrote to memory of PID 1124 taskhost.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe wrote to memory of PID 1172 Dwm.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe wrote to memory of PID 1228 Explorer.EXE
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe wrote to memory of PID 2404 DllHost.exe
- PID 2064 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe wrote to memory of PID 2964 rundll32.exe (7 occurrences)
- PID 2964 rundll32.exe wrote to memory of PID 1124 taskhost.exe
- PID 2964 rundll32.exe wrote to memory of PID 1172 Dwm.exe
- PID 2964 rundll32.exe wrote to memory of PID 1228 Explorer.EXE
- PID 2964 rundll32.exe wrote to memory of PID 2404 DllHost.exe

System policy modification (1 TTP, 2 IoCs)
Processes: bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe, rundll32.exe
- bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- rundll32.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes (tree; indentation shows parent/child nesting as reported)
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe")
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe")
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe")
    Signatures:
    - Modifies firewall policy service
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe (command line: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe)
      Signatures:
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (8)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0F762E12_Rar\rundll32.exe
  - Filesize: 664KB
  - MD5: 9f4ad2e1a21330ed5442d666e37a3b47
  - SHA1: af241db65197924eab63e20fd481bbdd8aafb053
  - SHA256: d895f7d839dedecac0558587ec722eb06ecf352399380aa6137052e1bc168783
  - SHA512: c9763e0c148ac7ced9263256afaae6d08de6a6b42a688df91d2faf7973ae725da9ed74cd88f1393ce6aa96e8bd227da9c0c7421af2be21427c3d102bd7018dfb
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
  - Filesize: 732KB
  - MD5: bebb67767b53cd13f67283cdc9bd9570
  - SHA1: b02fe6f21cdf9a6377c2cf0b3de608f7117f6d90
  - SHA256: 0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2
  - SHA512: c2be48ff93f5645ccf5fc7305382c5ab4a803bd39d4165f6bd3a73e7daa8db6047708485b2f54c5eefb3637946b4e3eeece77c4ae9a507bcd88de1422770b7fa
- C:\Windows\SYSTEM.INI
  - Filesize: 257B
  - MD5: f63450dd7ecb8436b2d496373cb0ec4b
  - SHA1: c52fba1471636d989168694161b1024a06f8e113
  - SHA256: 234987e788dd24bf447ea6335da55ff24ba60df404552a7827cfca657a27f58a
  - SHA512: 024edb5214077a455eb2da4b8e3c084a2e2b393c850d50964681362ccc0287eb05dd2d92fb92f2caf22d4c31743a7b661bda547cf1f1be654a453f917ab8ca2d