Analysis

max time kernel: 130s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 00:21

Static task: static1
Behavioral task: behavioral1
Sample: 5dcb9fab84a4dfc5134c75ffdf394350_NeikiAnalytics.dll
Resource: win7-20240508-en
General

Target: 5dcb9fab84a4dfc5134c75ffdf394350_NeikiAnalytics.dll
Size: 120KB
MD5: 5dcb9fab84a4dfc5134c75ffdf394350
SHA1: cf24d91f98b86cbd10bf633880d0b39fa849a50e
SHA256: 6c33c7539adafb2bbcfa859c11f07a6195f15b30e0d74d8254f4095d7b83bc5f
SHA512: f67f655701ef903e7083c45ab1111832bad2956278b9427a1e6e8a903c3c3bf1e8c5b640c01df34957eea9a77b448d55b9633749976f6fd4ea399078e1987165
SSDEEP: 3072:2GE6vkU4wz97yi9VlAuK14ftxuaqwIoYbCIHl:2QZL1/3K6ftlqbCI
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 9 IoCs
Processes: e573c4d.exe, e573f5b.exe, e575822.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575822.exe
UAC bypass 3 IoCs
Processes: e573c4d.exe, e573f5b.exe, e575822.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575822.exe
Windows security bypass 18 IoCs
Processes: e575822.exe, e573c4d.exe, e573f5b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573f5b.exe
Executes dropped EXE 3 IoCs
Processes: e573c4d.exe, e573f5b.exe, e575822.exe
pid | process
4512 | e573c4d.exe
1768 | e573f5b.exe
1476 | e575822.exe
UPX-packed memory regions (yara rule upx) 34 IoCs
resource | yara_rule
behavioral2/memory/4512-12-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-10-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-9-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-8-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-14-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-13-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-16-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-15-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-11-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-6-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-17-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-36-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-37-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-38-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-40-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-39-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-42-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-43-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-52-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-54-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-55-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-65-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-66-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-71-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-72-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-75-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-74-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-77-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-79-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-86-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-88-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4512-92-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/1768-114-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
behavioral2/memory/1476-120-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
Windows security modification 21 IoCs
Processes: e573c4d.exe, e573f5b.exe, e575822.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573f5b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575822.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573c4d.exe
Checks whether UAC is enabled 3 IoCs
Processes: e573c4d.exe, e573f5b.exe, e575822.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573f5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575822.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573c4d.exe
description | ioc | process
File opened (read-only) | \??\P: | e573c4d.exe
File opened (read-only) | \??\R: | e573c4d.exe
File opened (read-only) | \??\L: | e573c4d.exe
File opened (read-only) | \??\M: | e573c4d.exe
File opened (read-only) | \??\N: | e573c4d.exe
File opened (read-only) | \??\H: | e573c4d.exe
File opened (read-only) | \??\O: | e573c4d.exe
File opened (read-only) | \??\K: | e573c4d.exe
File opened (read-only) | \??\S: | e573c4d.exe
File opened (read-only) | \??\E: | e573c4d.exe
File opened (read-only) | \??\G: | e573c4d.exe
File opened (read-only) | \??\J: | e573c4d.exe
File opened (read-only) | \??\I: | e573c4d.exe
File opened (read-only) | \??\Q: | e573c4d.exe
Drops file in Program Files directory 4 IoCs
Processes: e573c4d.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e573c4d.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e573c4d.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e573c4d.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e573c4d.exe
Drops file in Windows directory 4 IoCs
Processes: e573c4d.exe, e573f5b.exe, e575822.exe
description | ioc | process
File created | C:\Windows\e573c8c | e573c4d.exe
File opened for modification | C:\Windows\SYSTEM.INI | e573c4d.exe
File created | C:\Windows\e578d9a | e573f5b.exe
File created | C:\Windows\e57a6a0 | e575822.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e573c4d.exe
pid | process
4512 | e573c4d.exe   (this row is logged 4 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e573c4d.exe
description | pid | process
Token: SeDebugPrivilege | 4512 | e573c4d.exe   (this row is logged 64 times)
Suspicious use of WriteProcessMemory 54 IoCs
Processes: rundll32.exe, rundll32.exe, e573c4d.exe
description | pid | process | target process
PID 1972 wrote to memory of 2012 | 1972 | rundll32.exe | rundll32.exe
PID 1972 wrote to memory of 2012 | 1972 | rundll32.exe | rundll32.exe
PID 1972 wrote to memory of 2012 | 1972 | rundll32.exe | rundll32.exe
PID 2012 wrote to memory of 4512 | 2012 | rundll32.exe | e573c4d.exe
PID 2012 wrote to memory of 4512 | 2012 | rundll32.exe | e573c4d.exe
PID 2012 wrote to memory of 4512 | 2012 | rundll32.exe | e573c4d.exe
PID 4512 wrote to memory of 760 | 4512 | e573c4d.exe | fontdrvhost.exe
PID 4512 wrote to memory of 768 | 4512 | e573c4d.exe | fontdrvhost.exe
PID 4512 wrote to memory of 316 | 4512 | e573c4d.exe | dwm.exe
PID 4512 wrote to memory of 2484 | 4512 | e573c4d.exe | sihost.exe
PID 4512 wrote to memory of 2492 | 4512 | e573c4d.exe | svchost.exe
PID 4512 wrote to memory of 2632 | 4512 | e573c4d.exe | taskhostw.exe
PID 4512 wrote to memory of 3492 | 4512 | e573c4d.exe | Explorer.EXE
PID 4512 wrote to memory of 3608 | 4512 | e573c4d.exe | svchost.exe
PID 4512 wrote to memory of 3820 | 4512 | e573c4d.exe | DllHost.exe
PID 4512 wrote to memory of 3916 | 4512 | e573c4d.exe | StartMenuExperienceHost.exe
PID 4512 wrote to memory of 3980 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 4056 | 4512 | e573c4d.exe | SearchApp.exe
PID 4512 wrote to memory of 784 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 1324 | 4512 | e573c4d.exe | TextInputHost.exe
PID 4512 wrote to memory of 4200 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 4396 | 4512 | e573c4d.exe | backgroundTaskHost.exe
PID 4512 wrote to memory of 4476 | 4512 | e573c4d.exe | backgroundTaskHost.exe
PID 4512 wrote to memory of 1972 | 4512 | e573c4d.exe | rundll32.exe
PID 4512 wrote to memory of 2012 | 4512 | e573c4d.exe | rundll32.exe
PID 4512 wrote to memory of 2012 | 4512 | e573c4d.exe | rundll32.exe
PID 2012 wrote to memory of 1768 | 2012 | rundll32.exe | e573f5b.exe
PID 2012 wrote to memory of 1768 | 2012 | rundll32.exe | e573f5b.exe
PID 2012 wrote to memory of 1768 | 2012 | rundll32.exe | e573f5b.exe
PID 2012 wrote to memory of 1476 | 2012 | rundll32.exe | e575822.exe
PID 2012 wrote to memory of 1476 | 2012 | rundll32.exe | e575822.exe
PID 2012 wrote to memory of 1476 | 2012 | rundll32.exe | e575822.exe
PID 4512 wrote to memory of 760 | 4512 | e573c4d.exe | fontdrvhost.exe
PID 4512 wrote to memory of 768 | 4512 | e573c4d.exe | fontdrvhost.exe
PID 4512 wrote to memory of 316 | 4512 | e573c4d.exe | dwm.exe
PID 4512 wrote to memory of 2484 | 4512 | e573c4d.exe | sihost.exe
PID 4512 wrote to memory of 2492 | 4512 | e573c4d.exe | svchost.exe
PID 4512 wrote to memory of 2632 | 4512 | e573c4d.exe | taskhostw.exe
PID 4512 wrote to memory of 3492 | 4512 | e573c4d.exe | Explorer.EXE
PID 4512 wrote to memory of 3608 | 4512 | e573c4d.exe | svchost.exe
PID 4512 wrote to memory of 3820 | 4512 | e573c4d.exe | DllHost.exe
PID 4512 wrote to memory of 3916 | 4512 | e573c4d.exe | StartMenuExperienceHost.exe
PID 4512 wrote to memory of 3980 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 4056 | 4512 | e573c4d.exe | SearchApp.exe
PID 4512 wrote to memory of 784 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 1324 | 4512 | e573c4d.exe | TextInputHost.exe
PID 4512 wrote to memory of 4200 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 4396 | 4512 | e573c4d.exe | backgroundTaskHost.exe
PID 4512 wrote to memory of 1768 | 4512 | e573c4d.exe | e573f5b.exe
PID 4512 wrote to memory of 1768 | 4512 | e573c4d.exe | e573f5b.exe
PID 4512 wrote to memory of 1896 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 5036 | 4512 | e573c4d.exe | RuntimeBroker.exe
PID 4512 wrote to memory of 1476 | 4512 | e573c4d.exe | e575822.exe
PID 4512 wrote to memory of 1476 | 4512 | e573c4d.exe | e575822.exe
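The WriteProcessMemory rows above separate two very different things: the three writes each rundll32.exe instance makes into the child it has just launched (the normal loader pattern), and e573c4d.exe (PID 4512) writing into more than twenty processes that already existed when it started (fontdrvhost.exe, dwm.exe, Explorer.EXE, svchost.exe, the RuntimeBroker.exe instances and so on). The Python below is an added example, not code from the sandbox report or the sample: it parses rows in the page's own "PID A wrote to memory of B A src.exe target.exe" form (finditer also handles the rows run together on one line, as extracted here), counts distinct targets per source and flags any source over a threshold. SAMPLE_ROWS is an excerpt copied from the table; the threshold of 5 and the SYSTEM_IMAGES list are assumptions chosen for illustration, not values the report states.

```python
"""Measure process-injection fan-out from 'Suspicious use of WriteProcessMemory'
rows in the sandbox report's row format and flag sources that write into many
distinct processes.

Added example; not code from the sandbox report. SAMPLE_ROWS is an excerpt
copied from the report's table; the threshold and SYSTEM_IMAGES list are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Row format on the page: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# finditer copes with rows run together on one line, as the extracted page has them.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")

# Long-lived session/system processes (taken from the report's target column) that a
# freshly dropped binary has no legitimate reason to write into. Assumed list.
SYSTEM_IMAGES = {
    "fontdrvhost.exe", "dwm.exe", "sihost.exe", "svchost.exe", "taskhostw.exe",
    "explorer.exe", "dllhost.exe", "runtimebroker.exe", "searchapp.exe",
    "startmenuexperiencehost.exe", "textinputhost.exe", "backgroundtaskhost.exe",
}


def parse_rows(text):
    """Return (src_pid, src_image, dst_pid, dst_image) tuples. The pid column repeats
    the source pid from the description; rows where the two disagree are dropped
    as garbled rather than silently trusted."""
    rows = []
    for m in ROW_RE.finditer(text):
        src, dst, src_again, src_img, dst_img = m.groups()
        if src != src_again:
            continue
        rows.append((int(src), src_img, int(dst), dst_img))
    return rows


def injection_fanout(rows):
    """Distinct (pid, image) targets per (pid, image) source. The sandbox logs one row
    per write, so repeated writes into the same target collapse to one entry."""
    targets = defaultdict(set)
    for src, src_img, dst, dst_img in rows:
        targets[(src, src_img)].add((dst, dst_img.lower()))
    return targets


def flag_injectors(rows, min_targets=5):
    """Sources that wrote into at least min_targets distinct other processes.
    A loader writing into the one child it just created (rundll32.exe -> e573c4d.exe)
    stays under the threshold; a binary spraying every session process does not."""
    flagged = []
    for (pid, image), tg in injection_fanout(rows).items():
        others = {t for t in tg if t[0] != pid}
        if len(others) >= min_targets:
            flagged.append({
                "pid": pid, "image": image, "targets": len(others),
                "system_targets": sorted({img for _, img in others if img in SYSTEM_IMAGES}),
            })
    return sorted(flagged, key=lambda f: -f["targets"])


# Excerpt copied from the report's WriteProcessMemory table (one duplicate row kept
# on purpose to show that repeated writes do not inflate the fan-out count).
SAMPLE_ROWS = """
PID 1972 wrote to memory of 2012 1972 rundll32.exe rundll32.exe
PID 1972 wrote to memory of 2012 1972 rundll32.exe rundll32.exe
PID 2012 wrote to memory of 4512 2012 rundll32.exe e573c4d.exe
PID 4512 wrote to memory of 760 4512 e573c4d.exe fontdrvhost.exe
PID 4512 wrote to memory of 768 4512 e573c4d.exe fontdrvhost.exe
PID 4512 wrote to memory of 316 4512 e573c4d.exe dwm.exe
PID 4512 wrote to memory of 2484 4512 e573c4d.exe sihost.exe
PID 4512 wrote to memory of 2492 4512 e573c4d.exe svchost.exe
PID 4512 wrote to memory of 2632 4512 e573c4d.exe taskhostw.exe
PID 4512 wrote to memory of 3492 4512 e573c4d.exe Explorer.EXE
PID 4512 wrote to memory of 760 4512 e573c4d.exe fontdrvhost.exe
PID 4512 wrote to memory of 1768 4512 e573c4d.exe e573f5b.exe
"""

if __name__ == "__main__":
    for f in flag_injectors(parse_rows(SAMPLE_ROWS)):
        print(f'{f["image"]} (pid {f["pid"]}) wrote into {f["targets"]} other processes: '
              + ", ".join(f["system_targets"]))
```

On the excerpt, only e573c4d.exe (PID 4512) is flagged, with eight distinct targets; both rundll32.exe instances stay under the threshold because each writes into a single child. The sandbox rows carry no parent/child relationship, so the threshold rather than lineage is what separates the two cases here; with process-creation telemetry available, excluding a source's own children before counting is the better discriminator.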
System policy modification 1 TTPs 3 IoCs
Processes: e575822.exe, e573c4d.exe, e573f5b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575822.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573c4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573f5b.exe
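The registry IoCs in the signatures above fall into three groups, and each of the three dropped executables writes all three: EnableLUA = 0 under Policies\System (UAC off), the StandardProfile firewall values (EnableFirewall = 0, DoNotAllowExceptions = 0, DisableNotifications = 1), and the six Security Center *Override / *DisableNotify values set to 1. The Python below is an added example, not code from the sandbox report or the sample. It folds the kernel-style \REGISTRY\MACHINE paths, ControlSetNNN and the WOW6432Node redirection seen in the rows onto one HKLM form, then matches value-set events against those indicators. The event records are constructed to resemble Sysmon Event ID 13 fields (Image, TargetObject, Details) and that layout is an assumption; the Domain and Public firewall profiles in the rule generalise beyond the StandardProfile rows the report shows.

```python
"""Flag registry writes that disable UAC, a Windows Firewall profile or
Security Center notifications, matching the IoC rows in this report.

Added example; not code from the sandbox report or the Sality sample.
Event records are constructed in the shape of Sysmon Event ID 13
(RegistryEvent, value set) fields: Image, TargetObject, Details.
That field layout is an assumption.
"""
import re

FIREWALL_PROFILE = (r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
                    r"\\FirewallPolicy\\(Standard|Domain|Public)Profile$")
UAC_POLICY = r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$"
SECURITY_CENTER = r"^HKLM\\SOFTWARE\\Microsoft\\Security Center$"

# (regex on the normalised key, value name, data that constitutes a downgrade).
# Key paths and value names come from the report's IoC rows; the Domain/Public
# firewall profiles are an addition beyond the StandardProfile rows shown there.
SECURITY_DOWNGRADES = [
    (UAC_POLICY, "EnableLUA", 0),                    # UAC switched off
    (FIREWALL_PROFILE, "EnableFirewall", 0),         # profile firewall off
    (FIREWALL_PROFILE, "DoNotAllowExceptions", 0),   # exceptions allowed again
    (FIREWALL_PROFILE, "DisableNotifications", 1),   # user not told
] + [(SECURITY_CENTER, name, 1) for name in (
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify")]


def normalise_key(path):
    """Fold the kernel \\REGISTRY\\MACHINE form, HKEY_LOCAL_MACHINE, ControlSetNNN
    and the WOW6432Node redirection into one canonical HKLM path so a single
    rule matches every spelling the sandbox or Sysmon may emit."""
    path = re.sub(r"^(\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)", "HKLM", path, flags=re.I)
    path = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, flags=re.I)
    path = re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)
    return path


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; the report shows it as "1".
    Returns None for non-numeric data (strings, binary), which no rule matches."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'\s*"?(\d+)"?\s*', details)
    return int(m.group(1)) if m else None


def find_security_downgrades(events):
    """One finding per event whose (key, value name, data) matches a downgrade rule."""
    findings = []
    for ev in events:
        key, _, value_name = normalise_key(ev["TargetObject"]).rpartition("\\")
        data = parse_dword(ev.get("Details", ""))
        if data is None:
            continue
        for key_re, name, bad in SECURITY_DOWNGRADES:
            if (value_name.lower() == name.lower() and data == bad
                    and re.match(key_re, key, re.I)):
                findings.append({"process": ev["Image"].rsplit("\\", 1)[-1],
                                 "key": key, "value": value_name, "data": data})
                break
    return findings


def downgrades_by_process(findings):
    """Map each process to the sorted list of security values it downgraded; in the
    report every dropper touches UAC, firewall and Security Center values together."""
    out = {}
    for f in findings:
        out.setdefault(f["process"], set()).add(f["value"])
    return {p: sorted(v) for p, v in out.items()}


SAMPLE_EVENTS = [  # constructed to mirror the report's IoC rows; not real telemetry
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\e573c4d.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\e573f5b.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\e575822.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # Benign: an administrator re-enabling UAC writes the same value with data 1.
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    # Benign: unrelated per-user key, and non-numeric data that no rule can match.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "Binary Data"},
]

if __name__ == "__main__":
    hits = find_security_downgrades(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["process"]}: {h["key"]}\\{h["value"]} = {h["data"]}')
    print(downgrades_by_process(hits))
```

Matching on the data as well as the value name matters: the same EnableLUA value written as 1 is an administrator turning UAC back on, and a rule that keys only on the path would fire on both. The normalisation step is what lets one rule cover the \REGISTRY\MACHINE\...\ControlSet001 and SOFTWARE\WOW6432Node spellings in the report together with the HKLM\...\CurrentControlSet form Sysmon logs.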
Processes
(one entry per process: path | command line | PID; indentation shows depth in the process tree, signatures triggered by a process are listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 760
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 768
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
C:\Windows\system32\sihost.exe | sihost.exe | PID 2484
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2492
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2632
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3492
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dcb9fab84a4dfc5134c75ffdf394350_NeikiAnalytics.dll,#1 | PID 1972
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\5dcb9fab84a4dfc5134c75ffdf394350_NeikiAnalytics.dll,#1 | PID 2012
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e573c4d.exe | C:\Users\Admin\AppData\Local\Temp\e573c4d.exe | PID 4512
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e573f5b.exe | C:\Users\Admin\AppData\Local\Temp\e573f5b.exe | PID 1768
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e575822.exe | C:\Users\Admin\AppData\Local\Temp\e575822.exe | PID 1476
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3608
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3820
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3916
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3980
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4056
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 784
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 1324
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4200
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 4396
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 4476
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1896
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 5036
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

C:\Users\Admin\AppData\Local\Temp\e573c4d.exe
  Filesize: 97KB
  MD5: 62b3f4042c8d60735479b7a9ca2c230a
  SHA1: b24c8c64ef5f5a6ef1d227bb46aa6c024010d0b4
  SHA256: e88ecb5bc5d4eb60e189e864cc873417e890d39e67e07c356119e4c11efafd98
  SHA512: 883cf54b1abdb61e1c64981da4fd7371775d26c2c34ab6cfec6fb88d585f44e5521f43ed67d53c5d2da65d642dd64a745d1f61a44813f1a98e238580945fda16

Memory dumps (name | Filesize):
memory/1476-61-0x00000000001F0000-0x00000000001F1000-memory.dmp | 4KB
memory/1476-121-0x0000000000B50000-0x0000000001C0A000-memory.dmp | 16.7MB
memory/1476-119-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1476-120-0x0000000000B50000-0x0000000001C0A000-memory.dmp | 16.7MB
memory/1476-51-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1476-64-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1476-62-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1768-59-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1768-58-0x00000000001F0000-0x00000000001F1000-memory.dmp | 4KB
memory/1768-63-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/1768-114-0x0000000000B60000-0x0000000001C1A000-memory.dmp | 16.7MB
memory/1768-113-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1768-35-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2012-27-0x00000000006A0000-0x00000000006A2000-memory.dmp | 8KB
memory/2012-19-0x0000000000B90000-0x0000000000B91000-memory.dmp | 4KB
memory/2012-18-0x00000000006A0000-0x00000000006A2000-memory.dmp | 8KB
memory/2012-1-0x0000000010000000-0x0000000010020000-memory.dmp | 128KB
memory/2012-22-0x00000000006A0000-0x00000000006A2000-memory.dmp | 8KB
memory/4512-42-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-14-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-17-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-36-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-37-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-38-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-40-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-39-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-25-0x0000000000580000-0x0000000000582000-memory.dmp | 8KB
memory/4512-43-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-6-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-52-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-54-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-55-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-11-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-15-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-21-0x0000000004370000-0x0000000004371000-memory.dmp | 4KB
memory/4512-16-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-13-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-28-0x0000000000580000-0x0000000000582000-memory.dmp | 8KB
memory/4512-65-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-66-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-71-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-72-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-75-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-74-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-77-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-79-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-80-0x0000000000580000-0x0000000000582000-memory.dmp | 8KB
memory/4512-86-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-88-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-92-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-108-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4512-8-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-9-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-10-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-12-0x0000000000790000-0x000000000184A000-memory.dmp | 16.7MB
memory/4512-5-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB