sality | 39c84a6897b7f87d3ab0aa58539a126ddc1e325ba2260bb801f0152feca109ed

Windows Service

T1543.003

Processes:

e5744e8.exee57701f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5744e8.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

e5744e8.exee57701f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57701f.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

e5744e8.exee57701f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5744e8.exe

Executes dropped EXE 3 IoCs

Processes:

e5744e8.exee5745d3.exee57701f.exe

pid process

1636 e5744e8.exe
2492 e5745d3.exe
1596 e57701f.exe

pid	process
1636	e5744e8.exe
2492	e5745d3.exe
1596	e57701f.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1636-6-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-11-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-26-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-30-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-33-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-25-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-12-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-10-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-9-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-8-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-36-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-38-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-37-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-39-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-40-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-41-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-43-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-45-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-58-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-59-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-60-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-63-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-64-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-66-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-68-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-74-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-75-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1636-79-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1596-112-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1596-156-0x0000000000800000-0x00000000018BA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

e5744e8.exee57701f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57701f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5744e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57701f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57701f.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

e5744e8.exee57701f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57701f.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5744e8.exee57701f.exe

description	ioc	process
File opened (read-only)	\??\H:	e5744e8.exe
File opened (read-only)	\??\I:	e5744e8.exe
File opened (read-only)	\??\K:	e5744e8.exe
File opened (read-only)	\??\H:	e57701f.exe
File opened (read-only)	\??\I:	e57701f.exe
File opened (read-only)	\??\J:	e57701f.exe
File opened (read-only)	\??\J:	e5744e8.exe
File opened (read-only)	\??\M:	e5744e8.exe
File opened (read-only)	\??\N:	e5744e8.exe
File opened (read-only)	\??\L:	e5744e8.exe
File opened (read-only)	\??\O:	e5744e8.exe
File opened (read-only)	\??\E:	e57701f.exe
File opened (read-only)	\??\G:	e57701f.exe
File opened (read-only)	\??\E:	e5744e8.exe
File opened (read-only)	\??\G:	e5744e8.exe

Drops file in Program Files directory 3 IoCs

Processes:

e5744e8.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e5744e8.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e5744e8.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e5744e8.exe

Drops file in Windows directory 3 IoCs

Processes:

e57701f.exee5744e8.exe

description	ioc	process
File created	C:\Windows\e5797bc	e57701f.exe
File created	C:\Windows\e574537	e5744e8.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5744e8.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e5744e8.exee57701f.exe

pid process

1636 e5744e8.exe
1636 e5744e8.exe
1636 e5744e8.exe
1636 e5744e8.exe
1596 e57701f.exe
1596 e57701f.exe

pid	process
1636	e5744e8.exe
1636	e5744e8.exe
1636	e5744e8.exe
1636	e5744e8.exe
1596	e57701f.exe
1596	e57701f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5744e8.exe

description	pid	process
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe
Token: SeDebugPrivilege	1636	e5744e8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee5744e8.exee57701f.exe

description	pid	process	target process
PID 4476 wrote to memory of 1148	4476	rundll32.exe	rundll32.exe
PID 4476 wrote to memory of 1148	4476	rundll32.exe	rundll32.exe
PID 4476 wrote to memory of 1148	4476	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1636	1148	rundll32.exe	e5744e8.exe
PID 1148 wrote to memory of 1636	1148	rundll32.exe	e5744e8.exe
PID 1148 wrote to memory of 1636	1148	rundll32.exe	e5744e8.exe
PID 1636 wrote to memory of 776	1636	e5744e8.exe	fontdrvhost.exe
PID 1636 wrote to memory of 784	1636	e5744e8.exe	fontdrvhost.exe
PID 1636 wrote to memory of 64	1636	e5744e8.exe	dwm.exe
PID 1636 wrote to memory of 2408	1636	e5744e8.exe	sihost.exe
PID 1636 wrote to memory of 2416	1636	e5744e8.exe	svchost.exe
PID 1636 wrote to memory of 2572	1636	e5744e8.exe	taskhostw.exe
PID 1636 wrote to memory of 3532	1636	e5744e8.exe	Explorer.EXE
PID 1636 wrote to memory of 3696	1636	e5744e8.exe	svchost.exe
PID 1636 wrote to memory of 3896	1636	e5744e8.exe	DllHost.exe
PID 1636 wrote to memory of 3984	1636	e5744e8.exe	StartMenuExperienceHost.exe
PID 1636 wrote to memory of 4048	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 2744	1636	e5744e8.exe	SearchApp.exe
PID 1636 wrote to memory of 4128	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 4056	1636	e5744e8.exe	TextInputHost.exe
PID 1636 wrote to memory of 1060	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 1576	1636	e5744e8.exe	backgroundTaskHost.exe
PID 1636 wrote to memory of 760	1636	e5744e8.exe	backgroundTaskHost.exe
PID 1636 wrote to memory of 4476	1636	e5744e8.exe	rundll32.exe
PID 1636 wrote to memory of 1148	1636	e5744e8.exe	rundll32.exe
PID 1636 wrote to memory of 1148	1636	e5744e8.exe	rundll32.exe
PID 1148 wrote to memory of 2492	1148	rundll32.exe	e5745d3.exe
PID 1148 wrote to memory of 2492	1148	rundll32.exe	e5745d3.exe
PID 1148 wrote to memory of 2492	1148	rundll32.exe	e5745d3.exe
PID 1636 wrote to memory of 776	1636	e5744e8.exe	fontdrvhost.exe
PID 1636 wrote to memory of 784	1636	e5744e8.exe	fontdrvhost.exe
PID 1636 wrote to memory of 64	1636	e5744e8.exe	dwm.exe
PID 1636 wrote to memory of 2408	1636	e5744e8.exe	sihost.exe
PID 1636 wrote to memory of 2416	1636	e5744e8.exe	svchost.exe
PID 1636 wrote to memory of 2572	1636	e5744e8.exe	taskhostw.exe
PID 1636 wrote to memory of 3532	1636	e5744e8.exe	Explorer.EXE
PID 1636 wrote to memory of 3696	1636	e5744e8.exe	svchost.exe
PID 1636 wrote to memory of 3896	1636	e5744e8.exe	DllHost.exe
PID 1636 wrote to memory of 3984	1636	e5744e8.exe	StartMenuExperienceHost.exe
PID 1636 wrote to memory of 4048	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 2744	1636	e5744e8.exe	SearchApp.exe
PID 1636 wrote to memory of 4128	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 4056	1636	e5744e8.exe	TextInputHost.exe
PID 1636 wrote to memory of 1060	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 1576	1636	e5744e8.exe	backgroundTaskHost.exe
PID 1636 wrote to memory of 760	1636	e5744e8.exe	backgroundTaskHost.exe
PID 1636 wrote to memory of 4476	1636	e5744e8.exe	rundll32.exe
PID 1636 wrote to memory of 2492	1636	e5744e8.exe	e5745d3.exe
PID 1636 wrote to memory of 2492	1636	e5744e8.exe	e5745d3.exe
PID 1636 wrote to memory of 2392	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 4492	1636	e5744e8.exe	RuntimeBroker.exe
PID 1636 wrote to memory of 4620	1636	e5744e8.exe	BackgroundTransferHost.exe
PID 1148 wrote to memory of 1596	1148	rundll32.exe	e57701f.exe
PID 1148 wrote to memory of 1596	1148	rundll32.exe	e57701f.exe
PID 1148 wrote to memory of 1596	1148	rundll32.exe	e57701f.exe
PID 1596 wrote to memory of 776	1596	e57701f.exe	fontdrvhost.exe
PID 1596 wrote to memory of 784	1596	e57701f.exe	fontdrvhost.exe
PID 1596 wrote to memory of 64	1596	e57701f.exe	dwm.exe
PID 1596 wrote to memory of 2408	1596	e57701f.exe	sihost.exe
PID 1596 wrote to memory of 2416	1596	e57701f.exe	svchost.exe
PID 1596 wrote to memory of 2572	1596	e57701f.exe	taskhostw.exe
PID 1596 wrote to memory of 3532	1596	e57701f.exe	Explorer.EXE
PID 1596 wrote to memory of 3696	1596	e57701f.exe	svchost.exe
PID 1596 wrote to memory of 3896	1596	e57701f.exe	DllHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

e5744e8.exee57701f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5744e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57701f.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2416

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2572

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\e5744e8.exe
C:\Users\Admin\AppData\Local\Temp\e5744e8.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636

C:\Users\Admin\AppData\Local\Temp\e5745d3.exe
C:\Users\Admin\AppData\Local\Temp\e5745d3.exe
4⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Local\Temp\e57701f.exe
C:\Users\Admin\AppData\Local\Temp\e57701f.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4048

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1060

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1576

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4492

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

5

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

T1012

Peripheral Device Discovery