Malware Analysis Report

2024-11-16 13:18

Sample ID 240518-rspalafh57
Target d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.exe
SHA256 ec0398121807170f8d46b94adc67331ebd4d7ae0654e60d9b2cc797f017f0606
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec0398121807170f8d46b94adc67331ebd4d7ae0654e60d9b2cc797f017f0606

Threat Level: Known bad

The file d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Modifies firewall policy service

Windows security bypass

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 14:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 14:27

Reported

2024-05-18 14:30

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761d8f C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
File created C:\Windows\f766f75 C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 1872 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d41.exe
PID 1872 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\system32\taskhost.exe
PID 1872 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\system32\Dwm.exe
PID 1872 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\Explorer.EXE
PID 1872 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\system32\DllHost.exe
PID 1872 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\system32\rundll32.exe
PID 1872 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\SysWOW64\rundll32.exe
PID 1976 wrote to memory of 2616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76203d.exe
PID 1976 wrote to memory of 2880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7638cc.exe
PID 1872 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\system32\taskhost.exe
PID 1872 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\system32\Dwm.exe
PID 1872 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Windows\Explorer.EXE
PID 1872 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Users\Admin\AppData\Local\Temp\f76203d.exe
PID 1872 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\f761d41.exe C:\Users\Admin\AppData\Local\Temp\f7638cc.exe
PID 2880 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7638cc.exe C:\Windows\system32\taskhost.exe
PID 2880 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f7638cc.exe C:\Windows\system32\Dwm.exe
PID 2880 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7638cc.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d41.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7638cc.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761d41.exe

C:\Users\Admin\AppData\Local\Temp\f761d41.exe

C:\Users\Admin\AppData\Local\Temp\f76203d.exe

C:\Users\Admin\AppData\Local\Temp\f76203d.exe

C:\Users\Admin\AppData\Local\Temp\f7638cc.exe

C:\Users\Admin\AppData\Local\Temp\f7638cc.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\f761d41.exe

MD5 10155e9649226fd5f4fdafd0694cf7b2
SHA1 3738e32f62c4be523233c303ab56edbe631cd7a9
SHA256 ff98d4e25d02fcd822b9acd48f4a74559d328e0ecc9273d3e9ee0ab368d3b265
SHA512 421e34f56752970ebc8f44ecc152e8da2f792695201167e069fcbd633e4502afbb801f333b65e15aed3d03cf6627d440d9458b1dd1d6d0f9223f64b08106bb16


C:\Windows\SYSTEM.INI

MD5 1288acf43513f3b3f75e4cebe7feee66
SHA1 8589e47b5bbe64adb143c7263a17ef4d4c445211
SHA256 4f1b53e48f89aa241068e4fddda136da761fbb54639a1c6c6c86d74dd131ce0b
SHA512 2cab0489558da79cfa260e39d57a9280e95d6bf064e656af5ddc4f13d96cae2682cfe5075d84817aedfdaad9a047648abec8c1e6f2b0a2d60590587261cc6a3f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 14:27

Reported

2024-05-18 14:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5746cd C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File created C:\Windows\e579eef C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 568 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 2896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57466f.exe
PID 2896 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\fontdrvhost.exe
PID 2896 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\fontdrvhost.exe
PID 2896 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\dwm.exe
PID 2896 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\sihost.exe
PID 2896 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\svchost.exe
PID 2896 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\taskhostw.exe
PID 2896 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\Explorer.EXE
PID 2896 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\svchost.exe
PID 2896 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\DllHost.exe
PID 2896 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2896 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2896 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2896 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2896 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2896 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\rundll32.exe
PID 2896 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 4032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5747e6.exe
PID 2896 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Users\Admin\AppData\Local\Temp\e5747e6.exe
PID 2896 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 2896 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 1412 wrote to memory of 3472 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577733.exe
PID 3472 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\fontdrvhost.exe
PID 3472 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\fontdrvhost.exe
PID 3472 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\dwm.exe
PID 3472 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\sihost.exe
PID 3472 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\svchost.exe
PID 3472 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\taskhostw.exe
PID 3472 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\Explorer.EXE
PID 3472 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\svchost.exe
PID 3472 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\system32\DllHost.exe
PID 3472 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e577733.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577733.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57466f.exe

C:\Users\Admin\AppData\Local\Temp\e57466f.exe

C:\Users\Admin\AppData\Local\Temp\e5747e6.exe

C:\Users\Admin\AppData\Local\Temp\e5747e6.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e577733.exe

C:\Users\Admin\AppData\Local\Temp\e577733.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.89.16.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e57466f.exe

MD5 10155e9649226fd5f4fdafd0694cf7b2
SHA1 3738e32f62c4be523233c303ab56edbe631cd7a9
SHA256 ff98d4e25d02fcd822b9acd48f4a74559d328e0ecc9273d3e9ee0ab368d3b265
SHA512 421e34f56752970ebc8f44ecc152e8da2f792695201167e069fcbd633e4502afbb801f333b65e15aed3d03cf6627d440d9458b1dd1d6d0f9223f64b08106bb16

C:\Windows\SYSTEM.INI

MD5 f1976d5296cf8a51a70a1a6ebc1b221b
SHA1 898079b0726352269d52d3ece52bb1791d6026a8
SHA256 12ae3152f6b73e6362e4901f5ae8871068f1b88c93bb1adc9bce16ba296bbc05
SHA512 14e943f97b0a7e811a52e42d98ddeb78a27dca2c9c34dc9e441a96ae3c84dcbe026d8c9cd51a91137eb55e709006c1a561a1da04548b36f3505a88a99a83b3b6
