Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 13:49
Static task: static1
Behavioral task: behavioral1
Sample: d1662ab299378f2723c3e6380f28a9b0_NeikiAnalytics.dll
Resource: win7-20240221-en
General
Target: d1662ab299378f2723c3e6380f28a9b0_NeikiAnalytics.dll
Size: 120KB
MD5: d1662ab299378f2723c3e6380f28a9b0
SHA1: be4d9e1999c619634db7a2e5641f6ce596ad01df
SHA256: 4881000348f05a389943f348004f49f459deba85cc036ba602fe01422f11b063
SHA512: 714a07c22f5962460452f2f007d934cd85e3e6b2a0e0cea143d3da80047a70d2aefc2d7d1c22d18c584cc7afec675099efb4ef62a7aa470c1c27ed2a839b4350
SSDEEP: 1536:Oha3vD29f/tRttKWCpG74JfjxRrktcE4JjSsQ5wDp3kZjbQxB9ex5:Ma3efFGpZJf9mc3RS5wDpUZAex
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (2 TTPs, 9 IoCs)
Registry key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Entries: description, value, process
- Set value (int) EnableFirewall = "0" (e5779b4.exe)
- Set value (int) DoNotAllowExceptions = "0" (e5779b4.exe)
- Set value (int) DoNotAllowExceptions = "0" (e5744d9.exe)
- Set value (int) DisableNotifications = "1" (e5744d9.exe)
- Set value (int) DoNotAllowExceptions = "0" (e57469e.exe)
- Set value (int) DisableNotifications = "1" (e57469e.exe)
- Set value (int) DisableNotifications = "1" (e5779b4.exe)
- Set value (int) EnableFirewall = "0" (e5744d9.exe)
- Set value (int) EnableFirewall = "0" (e57469e.exe)
UAC bypass
Registry key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Entries: description, value, process
- Set value (int) EnableLUA = "0" (e5744d9.exe)
- Set value (int) EnableLUA = "0" (e57469e.exe)
- Set value (int) EnableLUA = "0" (e5779b4.exe)
Windows security bypass
Registry key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Entries: description, value, process
- Set value (int) AntiVirusDisableNotify = "1" (e5779b4.exe)
- Set value (int) AntiVirusOverride = "1" (e5744d9.exe)
- Set value (int) UpdatesDisableNotify = "1" (e5744d9.exe)
- Set value (int) FirewallOverride = "1" (e57469e.exe)
- Set value (int) UacDisableNotify = "1" (e57469e.exe)
- Set value (int) AntiVirusDisableNotify = "1" (e5744d9.exe)
- Set value (int) UpdatesDisableNotify = "1" (e57469e.exe)
- Set value (int) AntiVirusOverride = "1" (e5779b4.exe)
- Set value (int) FirewallOverride = "1" (e5779b4.exe)
- Set value (int) FirewallDisableNotify = "1" (e5779b4.exe)
- Set value (int) UacDisableNotify = "1" (e5779b4.exe)
- Set value (int) FirewallOverride = "1" (e5744d9.exe)
- Set value (int) AntiVirusOverride = "1" (e57469e.exe)
- Set value (int) AntiVirusDisableNotify = "1" (e57469e.exe)
- Set value (int) FirewallDisableNotify = "1" (e57469e.exe)
- Set value (int) FirewallDisableNotify = "1" (e5744d9.exe)
- Set value (int) UacDisableNotify = "1" (e5744d9.exe)
- Set value (int) UpdatesDisableNotify = "1" (e5779b4.exe)
Executes dropped EXE (3 IoCs)
Entries: PID, process
- 900 e5744d9.exe
- 216 e57469e.exe
- 4004 e5779b4.exe
UPX packed file (yara rule: upx, matched on memory dumps)
Windows security modification
Registry key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Entries: description, value, process
- Set value (int) FirewallOverride = "1" (e5744d9.exe)
- Set value (int) UacDisableNotify = "1" (e5744d9.exe)
- Set value (int) UpdatesDisableNotify = "1" (e57469e.exe)
- Set value (int) UacDisableNotify = "1" (e5779b4.exe)
- Set value (int) UpdatesDisableNotify = "1" (e5779b4.exe)
- Set value (int) AntiVirusOverride = "1" (e5744d9.exe)
- Set value (int) UpdatesDisableNotify = "1" (e5744d9.exe)
- Set value (int) AntiVirusOverride = "1" (e57469e.exe)
- Set value (int) UacDisableNotify = "1" (e57469e.exe)
- Key created Svc (e57469e.exe)
- Key created Svc (e5779b4.exe)
- Set value (int) FirewallDisableNotify = "1" (e5744d9.exe)
- Key created Svc (e5744d9.exe)
- Set value (int) AntiVirusDisableNotify = "1" (e57469e.exe)
- Set value (int) AntiVirusDisableNotify = "1" (e5779b4.exe)
- Set value (int) FirewallOverride = "1" (e5779b4.exe)
- Set value (int) AntiVirusDisableNotify = "1" (e5744d9.exe)
- Set value (int) FirewallDisableNotify = "1" (e57469e.exe)
- Set value (int) FirewallOverride = "1" (e57469e.exe)
- Set value (int) AntiVirusOverride = "1" (e5779b4.exe)
- Set value (int) FirewallDisableNotify = "1" (e5779b4.exe)
Checks whether UAC is enabled
Registry key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Entries: description, value, process
- Set value (int) EnableLUA = "0" (e5744d9.exe)
- Set value (int) EnableLUA = "0" (e57469e.exe)
- Set value (int) EnableLUA = "0" (e5779b4.exe)
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Entries: description, ioc, process
- File opened (read-only) \??\G: (e5744d9.exe)
- File opened (read-only) \??\H: (e5744d9.exe)
- File opened (read-only) \??\I: (e5744d9.exe)
- File opened (read-only) \??\M: (e5744d9.exe)
- File opened (read-only) \??\E: (e5744d9.exe)
- File opened (read-only) \??\K: (e5744d9.exe)
- File opened (read-only) \??\L: (e5744d9.exe)
- File opened (read-only) \??\E: (e5779b4.exe)
- File opened (read-only) \??\G: (e5779b4.exe)
- File opened (read-only) \??\H: (e5779b4.exe)
- File opened (read-only) \??\I: (e5779b4.exe)
- File opened (read-only) \??\J: (e5744d9.exe)
Drops file in Windows directory (4 IoCs)
Entries: description, ioc, process
- File created C:\Windows\e57a6a0 (e5779b4.exe)
- File created C:\Windows\e574565 (e5744d9.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e5744d9.exe)
- File created C:\Windows\e579971 (e57469e.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Entries: PID, process
- 900 e5744d9.exe
- 900 e5744d9.exe
- 900 e5744d9.exe
- 900 e5744d9.exe
- 216 e57469e.exe
- 216 e57469e.exe
- 4004 e5779b4.exe
- 4004 e5779b4.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Entries: source PID (source process) -> target PID (target process)
- 920 (rundll32.exe) -> 3612 (rundll32.exe)
- 920 (rundll32.exe) -> 3612 (rundll32.exe)
- 920 (rundll32.exe) -> 3612 (rundll32.exe)
- 3612 (rundll32.exe) -> 900 (e5744d9.exe)
- 3612 (rundll32.exe) -> 900 (e5744d9.exe)
- 3612 (rundll32.exe) -> 900 (e5744d9.exe)
- 900 (e5744d9.exe) -> 776 (fontdrvhost.exe)
- 900 (e5744d9.exe) -> 784 (fontdrvhost.exe)
- 900 (e5744d9.exe) -> 60 (dwm.exe)
- 900 (e5744d9.exe) -> 2664 (sihost.exe)
- 900 (e5744d9.exe) -> 2676 (svchost.exe)
- 900 (e5744d9.exe) -> 2888 (taskhostw.exe)
- 900 (e5744d9.exe) -> 3448 (Explorer.EXE)
- 900 (e5744d9.exe) -> 3548 (svchost.exe)
- 900 (e5744d9.exe) -> 3748 (DllHost.exe)
- 900 (e5744d9.exe) -> 3840 (StartMenuExperienceHost.exe)
- 900 (e5744d9.exe) -> 3908 (RuntimeBroker.exe)
- 900 (e5744d9.exe) -> 3988 (SearchApp.exe)
- 900 (e5744d9.exe) -> 3352 (RuntimeBroker.exe)
- 900 (e5744d9.exe) -> 4700 (RuntimeBroker.exe)
- 900 (e5744d9.exe) -> 2264 (TextInputHost.exe)
- 900 (e5744d9.exe) -> 756 (backgroundTaskHost.exe)
- 900 (e5744d9.exe) -> 2884 (backgroundTaskHost.exe)
- 900 (e5744d9.exe) -> 920 (rundll32.exe)
- 900 (e5744d9.exe) -> 3612 (rundll32.exe)
- 900 (e5744d9.exe) -> 3612 (rundll32.exe)
- 3612 (rundll32.exe) -> 216 (e57469e.exe)
- 3612 (rundll32.exe) -> 216 (e57469e.exe)
- 3612 (rundll32.exe) -> 216 (e57469e.exe)
- 900 (e5744d9.exe) -> 776 (fontdrvhost.exe)
- 900 (e5744d9.exe) -> 784 (fontdrvhost.exe)
- 900 (e5744d9.exe) -> 60 (dwm.exe)
- 900 (e5744d9.exe) -> 2664 (sihost.exe)
- 900 (e5744d9.exe) -> 2676 (svchost.exe)
- 900 (e5744d9.exe) -> 2888 (taskhostw.exe)
- 900 (e5744d9.exe) -> 3448 (Explorer.EXE)
- 900 (e5744d9.exe) -> 3548 (svchost.exe)
- 900 (e5744d9.exe) -> 3748 (DllHost.exe)
- 900 (e5744d9.exe) -> 3840 (StartMenuExperienceHost.exe)
- 900 (e5744d9.exe) -> 3908 (RuntimeBroker.exe)
- 900 (e5744d9.exe) -> 3988 (SearchApp.exe)
- 900 (e5744d9.exe) -> 3352 (RuntimeBroker.exe)
- 900 (e5744d9.exe) -> 4700 (RuntimeBroker.exe)
- 900 (e5744d9.exe) -> 2264 (TextInputHost.exe)
- 900 (e5744d9.exe) -> 756 (backgroundTaskHost.exe)
- 900 (e5744d9.exe) -> 2884 (backgroundTaskHost.exe)
- 900 (e5744d9.exe) -> 920 (rundll32.exe)
- 900 (e5744d9.exe) -> 216 (e57469e.exe)
- 900 (e5744d9.exe) -> 216 (e57469e.exe)
- 900 (e5744d9.exe) -> 772 (RuntimeBroker.exe)
- 900 (e5744d9.exe) -> 4316 (RuntimeBroker.exe)
- 3612 (rundll32.exe) -> 4004 (e5779b4.exe)
- 3612 (rundll32.exe) -> 4004 (e5779b4.exe)
- 3612 (rundll32.exe) -> 4004 (e5779b4.exe)
- 216 (e57469e.exe) -> 776 (fontdrvhost.exe)
- 216 (e57469e.exe) -> 784 (fontdrvhost.exe)
- 216 (e57469e.exe) -> 60 (dwm.exe)
- 216 (e57469e.exe) -> 2664 (sihost.exe)
- 216 (e57469e.exe) -> 2676 (svchost.exe)
- 216 (e57469e.exe) -> 2888 (taskhostw.exe)
- 216 (e57469e.exe) -> 3448 (Explorer.EXE)
- 216 (e57469e.exe) -> 3548 (svchost.exe)
- 216 (e57469e.exe) -> 3748 (DllHost.exe)
- 216 (e57469e.exe) -> 3840 (StartMenuExperienceHost.exe)
System policy modification (1 TTPs, 3 IoCs)
Registry key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Entries: description, value, process
- Set value (int) EnableLUA = "0" (e5744d9.exe)
- Set value (int) EnableLUA = "0" (e57469e.exe)
- Set value (int) EnableLUA = "0" (e5779b4.exe)
Processes
Each entry: level | PID | image path | command line (signatures reported for that process follow on an indented line)
- 1 | 776 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- 1 | 784 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- 1 | 60 | C:\Windows\system32\dwm.exe | "dwm.exe"
- 1 | 2664 | C:\Windows\system32\sihost.exe | sihost.exe
- 1 | 2676 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- 1 | 2888 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- 1 | 3448 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - 2 | 920 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1662ab299378f2723c3e6380f28a9b0_NeikiAnalytics.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - 3 | 3612 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1662ab299378f2723c3e6380f28a9b0_NeikiAnalytics.dll,#1
      Signatures: Suspicious use of WriteProcessMemory
      - 4 | 900 | C:\Users\Admin\AppData\Local\Temp\e5744d9.exe | C:\Users\Admin\AppData\Local\Temp\e5744d9.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - 4 | 216 | C:\Users\Admin\AppData\Local\Temp\e57469e.exe | C:\Users\Admin\AppData\Local\Temp\e57469e.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - 4 | 4004 | C:\Users\Admin\AppData\Local\Temp\e5779b4.exe | C:\Users\Admin\AppData\Local\Temp\e5779b4.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; System policy modification
- 1 | 3548 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- 1 | 3748 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- 1 | 3840 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- 1 | 3908 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- 1 | 3988 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- 1 | 3352 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- 1 | 4700 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- 1 | 2264 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- 1 | 756 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- 1 | 2884 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- 1 | 772 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- 1 | 4316 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e5744d9.exe
  Filesize: 97KB
  MD5: 492eb9dab6ef3f0dc076df488b4fa4e6
  SHA1: c3c46f17afbc76c806a56cf8406b8b864c112892
  SHA256: 2d4712920db10496c94e66e2180d73591b83465cf5417d7919b32bc47e9cb8bc
  SHA512: 39aab8672240a5750b83c6657deddd1083482de0af6778408990ed334af48897683c6dfa99d0fdbf317840bce13fd50fceb6e8fcac9ca67d6a921eb3bca20e1a
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 24486f371f888d7ce2c43206b1026489
  SHA1: 8d8608c4998d8bf2676655301d803e05c1bf7b86
  SHA256: 1980a82cc093199d0ffa3a0f8c2b5a7b864ecc25cff7e4bf628e0c29a0d26fa0
  SHA512: b075f002a031ee4813d77ba75a443ab7e845dcd4a9c6a2af4ccbcd1f703f10d9f8c668de9c7f07abb3596b55188b0ffbe11e1278633ae052c5a3198965f2ecd1