sality | 994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248

General

Target

cd906030d501ed3283a4547f2f988bc0_NeikiAnalytics.dll
Size

120KB
MD5

cd906030d501ed3283a4547f2f988bc0
SHA1

b5ec05269948e47bdc086a1def3a27424a0e2b20
SHA256

994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248
SHA512

3949888e9206bd937fab465b5baf4e864f8c32e998ed83f0343eb66190137252d2dd71ec1817c8e3239026671f9ce6c79566f962cf8a2630fff304bf38d0656a
SSDEEP

1536:WPVoDmWBO9xx/EM9409gBgOrhQhmAPOVBO58RY5HJd0r8CGgo9obqRjjLJybRaxi:W9BWMbx/1ZmDwkvRMHMnqRjvSRaS1

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e57598a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57598a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e57598a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57598a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57598a.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57598a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57598a.exe

Executes dropped EXE 3 IoCs

Processes:

e57598a.exee575a93.exee5782fb.exe

pid process

5032 e57598a.exe
4352 e575a93.exe
4640 e5782fb.exe

pid	process
5032	e57598a.exe
4352	e575a93.exe
4640	e5782fb.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5032-8-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-20-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-12-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-21-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-11-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-9-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-10-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-6-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-33-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-35-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-34-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-36-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-37-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-39-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-38-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-41-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-54-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-55-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-57-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-59-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-60-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-61-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-64-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-66-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-69-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/5032-70-0x00000000007E0000-0x000000000189A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57598a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57598a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57598a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57598a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e57598a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57598a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57598a.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57598a.exe

description	ioc	process
File opened (read-only)	\??\E:	e57598a.exe
File opened (read-only)	\??\G:	e57598a.exe
File opened (read-only)	\??\H:	e57598a.exe
File opened (read-only)	\??\I:	e57598a.exe
File opened (read-only)	\??\J:	e57598a.exe
File opened (read-only)	\??\O:	e57598a.exe
File opened (read-only)	\??\K:	e57598a.exe
File opened (read-only)	\??\L:	e57598a.exe
File opened (read-only)	\??\M:	e57598a.exe
File opened (read-only)	\??\N:	e57598a.exe

Drops file in Program Files directory 3 IoCs

Processes:

e57598a.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e57598a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e57598a.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e57598a.exe

Drops file in Windows directory 2 IoCs

Processes:

e57598a.exe

description ioc process

File created C:\Windows\e5759e7 e57598a.exe
File opened for modification C:\Windows\SYSTEM.INI e57598a.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e57598a.exe

pid process

5032 e57598a.exe
5032 e57598a.exe
5032 e57598a.exe
5032 e57598a.exe

description	ioc	process
File created	C:\Windows\e5759e7	e57598a.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57598a.exe

pid	process
5032	e57598a.exe
5032	e57598a.exe
5032	e57598a.exe
5032	e57598a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57598a.exe

description	pid	process
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe
Token: SeDebugPrivilege	5032	e57598a.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

rundll32.exerundll32.exee57598a.exe

description	pid	process	target process
PID 4548 wrote to memory of 2100	4548	rundll32.exe	rundll32.exe
PID 4548 wrote to memory of 2100	4548	rundll32.exe	rundll32.exe
PID 4548 wrote to memory of 2100	4548	rundll32.exe	rundll32.exe
PID 2100 wrote to memory of 5032	2100	rundll32.exe	e57598a.exe
PID 2100 wrote to memory of 5032	2100	rundll32.exe	e57598a.exe
PID 2100 wrote to memory of 5032	2100	rundll32.exe	e57598a.exe
PID 5032 wrote to memory of 788	5032	e57598a.exe	fontdrvhost.exe
PID 5032 wrote to memory of 796	5032	e57598a.exe	fontdrvhost.exe
PID 5032 wrote to memory of 1016	5032	e57598a.exe	dwm.exe
PID 5032 wrote to memory of 2556	5032	e57598a.exe	sihost.exe
PID 5032 wrote to memory of 2588	5032	e57598a.exe	svchost.exe
PID 5032 wrote to memory of 2688	5032	e57598a.exe	taskhostw.exe
PID 5032 wrote to memory of 3480	5032	e57598a.exe	Explorer.EXE
PID 5032 wrote to memory of 3644	5032	e57598a.exe	svchost.exe
PID 5032 wrote to memory of 3848	5032	e57598a.exe	DllHost.exe
PID 5032 wrote to memory of 3976	5032	e57598a.exe	StartMenuExperienceHost.exe
PID 5032 wrote to memory of 4064	5032	e57598a.exe	RuntimeBroker.exe
PID 5032 wrote to memory of 1512	5032	e57598a.exe	SearchApp.exe
PID 5032 wrote to memory of 4204	5032	e57598a.exe	RuntimeBroker.exe
PID 5032 wrote to memory of 4536	5032	e57598a.exe	RuntimeBroker.exe
PID 5032 wrote to memory of 4616	5032	e57598a.exe	TextInputHost.exe
PID 5032 wrote to memory of 1444	5032	e57598a.exe	backgroundTaskHost.exe
PID 5032 wrote to memory of 3112	5032	e57598a.exe	backgroundTaskHost.exe
PID 5032 wrote to memory of 4548	5032	e57598a.exe	rundll32.exe
PID 5032 wrote to memory of 2100	5032	e57598a.exe	rundll32.exe
PID 5032 wrote to memory of 2100	5032	e57598a.exe	rundll32.exe
PID 2100 wrote to memory of 4352	2100	rundll32.exe	e575a93.exe
PID 2100 wrote to memory of 4352	2100	rundll32.exe	e575a93.exe
PID 2100 wrote to memory of 4352	2100	rundll32.exe	e575a93.exe
PID 5032 wrote to memory of 788	5032	e57598a.exe	fontdrvhost.exe
PID 5032 wrote to memory of 796	5032	e57598a.exe	fontdrvhost.exe
PID 5032 wrote to memory of 1016	5032	e57598a.exe	dwm.exe
PID 5032 wrote to memory of 2556	5032	e57598a.exe	sihost.exe
PID 5032 wrote to memory of 2588	5032	e57598a.exe	svchost.exe
PID 5032 wrote to memory of 2688	5032	e57598a.exe	taskhostw.exe
PID 5032 wrote to memory of 3480	5032	e57598a.exe	Explorer.EXE
PID 5032 wrote to memory of 3644	5032	e57598a.exe	svchost.exe
PID 5032 wrote to memory of 3848	5032	e57598a.exe	DllHost.exe
PID 5032 wrote to memory of 3976	5032	e57598a.exe	StartMenuExperienceHost.exe
PID 5032 wrote to memory of 4064	5032	e57598a.exe	RuntimeBroker.exe
PID 5032 wrote to memory of 1512	5032	e57598a.exe	SearchApp.exe
PID 5032 wrote to memory of 4204	5032	e57598a.exe	RuntimeBroker.exe
PID 5032 wrote to memory of 4536	5032	e57598a.exe	RuntimeBroker.exe
PID 5032 wrote to memory of 4616	5032	e57598a.exe	TextInputHost.exe
PID 5032 wrote to memory of 1444	5032	e57598a.exe	backgroundTaskHost.exe
PID 5032 wrote to memory of 3112	5032	e57598a.exe	backgroundTaskHost.exe
PID 5032 wrote to memory of 4548	5032	e57598a.exe	rundll32.exe
PID 5032 wrote to memory of 4352	5032	e57598a.exe	e575a93.exe
PID 5032 wrote to memory of 4352	5032	e57598a.exe	e575a93.exe
PID 5032 wrote to memory of 3704	5032	e57598a.exe	RuntimeBroker.exe
PID 5032 wrote to memory of 5048	5032	e57598a.exe	RuntimeBroker.exe
PID 2100 wrote to memory of 4640	2100	rundll32.exe	e5782fb.exe
PID 2100 wrote to memory of 4640	2100	rundll32.exe	e5782fb.exe
PID 2100 wrote to memory of 4640	2100	rundll32.exe	e5782fb.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e57598a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57598a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57598a.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2588

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd906030d501ed3283a4547f2f988bc0_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd906030d501ed3283a4547f2f988bc0_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\e57598a.exe
C:\Users\Admin\AppData\Local\Temp\e57598a.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5032

C:\Users\Admin\AppData\Local\Temp\e575a93.exe
C:\Users\Admin\AppData\Local\Temp\e575a93.exe
4⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Local\Temp\e5782fb.exe
C:\Users\Admin\AppData\Local\Temp\e5782fb.exe
4⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4536

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4616

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1444

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3704

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57598a.exe
Filesize
97KB

MD5
93b2239926111d0bb1e6c59405c8ea3e

SHA1
9decfb123ec11d9cb1913c808bddf4fe7f28ee79

SHA256
8ddc9f13a89c83a055b3e77a709929f0752ef0251bd821168e36bb18e6796643

SHA512
d4bb4e4743e2bb29d45db49a389f685c1dd4aa1ea7b88541a21d02094fd27c94d0d79f1a5cf72213605ef2e2023d793575ac2dd172e4b46420a4f0f5dceff0df

Download Submit
memory/2100-17-0x0000000004130000-0x0000000004132000-memory.dmp

Filesize
8KB

Download
memory/2100-13-0x0000000004130000-0x0000000004132000-memory.dmp

Filesize
8KB

Download
memory/2100-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2100-14-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2100-49-0x0000000004130000-0x0000000004132000-memory.dmp

Filesize
8KB

Download
memory/2100-24-0x0000000004130000-0x0000000004132000-memory.dmp

Filesize
8KB

Download
memory/4352-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4352-43-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4352-45-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4352-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4352-92-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4640-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4640-94-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5032-36-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-32-0x0000000001A70000-0x0000000001A72000-memory.dmp

Filesize
8KB

Download
memory/5032-16-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/5032-9-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-6-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-33-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-35-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-34-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-11-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-37-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-39-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-38-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-41-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-26-0x0000000001A70000-0x0000000001A72000-memory.dmp

Filesize
8KB

Download
memory/5032-21-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-10-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-12-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-20-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-54-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-55-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-57-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-59-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-60-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-61-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-64-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-66-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-69-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-70-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-71-0x0000000001A70000-0x0000000001A72000-memory.dmp

Filesize
8KB

Download
memory/5032-8-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/5032-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5032-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads