Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 14:57
Static task
static1
Behavioral task
behavioral1
Sample
dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll
Resource
win7-20240419-en
General
-
Target
dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll
-
Size
120KB
-
MD5
dca4d38a685d77497813fcc67716f020
-
SHA1
ce938d10b8abd1126ac8d1e5e5dbc6f4b55573a6
-
SHA256
39c84a6897b7f87d3ab0aa58539a126ddc1e325ba2260bb801f0152feca109ed
-
SHA512
7ddc03634074ed983f594ab9d9ae7694352c7a66c59a843ec9e77c76566067ab493aa690cb268df77c04cd4aa4fc666efaf0b381fee7034b033bfb5379bd26c7
-
SSDEEP
1536:csrq81iCj0GexXxuQ55iRLPvJmVR0LghGQ0Yq1SKzJG5RX+8xjV+hM4ZZg6AkmKE:cIMmexXxLnYhmN4FYJKVXYV+hNJA5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
e5744e8.exe e57701f.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e5744e8.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5744e8.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57701f.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57701f.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57701f.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e5744e8.exe -
Processes:
e5744e8.exe e57701f.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5744e8.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57701f.exe -
Processes:
e5744e8.exee57701f.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e5744e8.exe -
Executes dropped EXE 3 IoCs
Processes:
e5744e8.exe e5745d3.exe e57701f.exe
pid process
1636 e5744e8.exe
2492 e5745d3.exe
1596 e57701f.exe -
Processes:
resource yara_rule behavioral2/memory/1636-6-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-11-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-26-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-30-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-33-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-25-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-12-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-10-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-9-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-8-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-36-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-38-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-37-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-39-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-40-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-41-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-43-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-45-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-58-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-59-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-60-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-63-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-64-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-66-0x0000000000800000-0x00000000018BA000-memory.dmp upx 
behavioral2/memory/1636-68-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-74-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-75-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1636-79-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1596-112-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/1596-156-0x0000000000800000-0x00000000018BA000-memory.dmp upx -
Processes:
e5744e8.exee57701f.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57701f.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e5744e8.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57701f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5744e8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57701f.exe -
Processes:
e5744e8.exe e57701f.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5744e8.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57701f.exe -
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e5744e8.exe e57701f.exe
description ioc process
File opened (read-only) \??\H: e5744e8.exe
File opened (read-only) \??\I: e5744e8.exe
File opened (read-only) \??\K: e5744e8.exe
File opened (read-only) \??\H: e57701f.exe
File opened (read-only) \??\I: e57701f.exe
File opened (read-only) \??\J: e57701f.exe
File opened (read-only) \??\J: e5744e8.exe
File opened (read-only) \??\M: e5744e8.exe
File opened (read-only) \??\N: e5744e8.exe
File opened (read-only) \??\L: e5744e8.exe
File opened (read-only) \??\O: e5744e8.exe
File opened (read-only) \??\E: e57701f.exe
File opened (read-only) \??\G: e57701f.exe
File opened (read-only) \??\E: e5744e8.exe
File opened (read-only) \??\G: e5744e8.exe -
Drops file in Program Files directory 3 IoCs
Processes:
e5744e8.exe
description ioc process
File opened for modification C:\Program Files\7-Zip\7z.exe e5744e8.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe e5744e8.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe e5744e8.exe -
Drops file in Windows directory 3 IoCs
Processes:
e57701f.exe e5744e8.exe
description ioc process
File created C:\Windows\e5797bc e57701f.exe
File created C:\Windows\e574537 e5744e8.exe
File opened for modification C:\Windows\SYSTEM.INI e5744e8.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
e5744e8.exe e57701f.exe
pid process
1636 e5744e8.exe
1636 e5744e8.exe
1636 e5744e8.exe
1636 e5744e8.exe
1596 e57701f.exe
1596 e57701f.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e5744e8.exedescription pid process Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 
e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe Token: SeDebugPrivilege 1636 e5744e8.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exerundll32.exee5744e8.exee57701f.exedescription pid process target process PID 4476 wrote to memory of 1148 4476 rundll32.exe rundll32.exe PID 4476 wrote to memory of 1148 4476 rundll32.exe rundll32.exe PID 4476 wrote to memory of 1148 4476 rundll32.exe rundll32.exe PID 1148 wrote to memory of 1636 1148 rundll32.exe e5744e8.exe PID 1148 wrote to memory of 1636 1148 rundll32.exe e5744e8.exe PID 1148 wrote to memory of 1636 1148 rundll32.exe e5744e8.exe PID 1636 wrote to memory of 776 1636 e5744e8.exe fontdrvhost.exe PID 1636 wrote to memory of 784 1636 e5744e8.exe fontdrvhost.exe PID 1636 wrote to memory of 64 1636 e5744e8.exe dwm.exe PID 1636 wrote to memory of 2408 1636 e5744e8.exe sihost.exe PID 1636 wrote to memory of 2416 1636 e5744e8.exe svchost.exe PID 1636 wrote to memory of 2572 1636 e5744e8.exe taskhostw.exe PID 1636 wrote to memory of 3532 1636 e5744e8.exe Explorer.EXE PID 1636 wrote to memory of 3696 1636 e5744e8.exe svchost.exe PID 1636 wrote to memory of 3896 1636 e5744e8.exe DllHost.exe PID 1636 wrote to memory of 3984 1636 e5744e8.exe StartMenuExperienceHost.exe PID 1636 wrote to memory of 4048 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 2744 1636 e5744e8.exe SearchApp.exe PID 1636 wrote to memory of 4128 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 4056 1636 e5744e8.exe TextInputHost.exe PID 1636 wrote to memory of 1060 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 1576 1636 e5744e8.exe backgroundTaskHost.exe PID 1636 wrote to memory of 760 1636 e5744e8.exe backgroundTaskHost.exe PID 1636 wrote to memory of 4476 1636 e5744e8.exe rundll32.exe PID 1636 wrote to memory of 1148 1636 e5744e8.exe rundll32.exe PID 1636 wrote to memory of 1148 1636 e5744e8.exe rundll32.exe PID 1148 wrote to memory of 2492 1148 rundll32.exe e5745d3.exe PID 1148 wrote to memory of 2492 1148 rundll32.exe e5745d3.exe PID 1148 wrote to memory of 2492 1148 rundll32.exe e5745d3.exe PID 1636 wrote to memory of 776 1636 
e5744e8.exe fontdrvhost.exe PID 1636 wrote to memory of 784 1636 e5744e8.exe fontdrvhost.exe PID 1636 wrote to memory of 64 1636 e5744e8.exe dwm.exe PID 1636 wrote to memory of 2408 1636 e5744e8.exe sihost.exe PID 1636 wrote to memory of 2416 1636 e5744e8.exe svchost.exe PID 1636 wrote to memory of 2572 1636 e5744e8.exe taskhostw.exe PID 1636 wrote to memory of 3532 1636 e5744e8.exe Explorer.EXE PID 1636 wrote to memory of 3696 1636 e5744e8.exe svchost.exe PID 1636 wrote to memory of 3896 1636 e5744e8.exe DllHost.exe PID 1636 wrote to memory of 3984 1636 e5744e8.exe StartMenuExperienceHost.exe PID 1636 wrote to memory of 4048 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 2744 1636 e5744e8.exe SearchApp.exe PID 1636 wrote to memory of 4128 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 4056 1636 e5744e8.exe TextInputHost.exe PID 1636 wrote to memory of 1060 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 1576 1636 e5744e8.exe backgroundTaskHost.exe PID 1636 wrote to memory of 760 1636 e5744e8.exe backgroundTaskHost.exe PID 1636 wrote to memory of 4476 1636 e5744e8.exe rundll32.exe PID 1636 wrote to memory of 2492 1636 e5744e8.exe e5745d3.exe PID 1636 wrote to memory of 2492 1636 e5744e8.exe e5745d3.exe PID 1636 wrote to memory of 2392 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 4492 1636 e5744e8.exe RuntimeBroker.exe PID 1636 wrote to memory of 4620 1636 e5744e8.exe BackgroundTransferHost.exe PID 1148 wrote to memory of 1596 1148 rundll32.exe e57701f.exe PID 1148 wrote to memory of 1596 1148 rundll32.exe e57701f.exe PID 1148 wrote to memory of 1596 1148 rundll32.exe e57701f.exe PID 1596 wrote to memory of 776 1596 e57701f.exe fontdrvhost.exe PID 1596 wrote to memory of 784 1596 e57701f.exe fontdrvhost.exe PID 1596 wrote to memory of 64 1596 e57701f.exe dwm.exe PID 1596 wrote to memory of 2408 1596 e57701f.exe sihost.exe PID 1596 wrote to memory of 2416 1596 e57701f.exe svchost.exe PID 1596 wrote to 
memory of 2572 1596 e57701f.exe taskhostw.exe PID 1596 wrote to memory of 3532 1596 e57701f.exe Explorer.EXE PID 1596 wrote to memory of 3696 1596 e57701f.exe svchost.exe PID 1596 wrote to memory of 3896 1596 e57701f.exe DllHost.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
e5744e8.exe e57701f.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5744e8.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57701f.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dca4d38a685d77497813fcc67716f020_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5744e8.exeC:\Users\Admin\AppData\Local\Temp\e5744e8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5745d3.exeC:\Users\Admin\AppData\Local\Temp\e5745d3.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57701f.exeC:\Users\Admin\AppData\Local\Temp\e57701f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process 1
Windows Service 1
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Defense Evasion
Modify Registry 5
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 3
Disable or Modify Tools 3
Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5744e8.exe
Filesize
97KB
MD5 56e0494e6a9d806f6a4494f942effa8c
SHA1 a873d190d5a248ae4172d704df356e3ca90e315c
SHA256 509cd106696784644bdf10df3fa4c48cc559fd6c66f769e2d04d595d8e3fb2ac
SHA512 c8616eb1c753d1ab2473cf94bd9c7ad366a3434c6476dfa14750bdeccef737ff7455b870e94c79c643f5011a9ced2174a3cfd875cd71304cfe15e791917c197d
-
C:\Windows\SYSTEM.INI
Filesize
257B
MD5 89c3575c18db0ea38c08716c9138dd5d
SHA1 e7d0de372bda23fe41af01d0b94f5483d24a06d5
SHA256 9cd78fedd5f2597a3f750d1235c3ffc59a0ad27b0234557b04e595c513609eb7
SHA512 9baeb0cb54e48ab703e69e40bca4ed2bf89eb30c061bc94fb42208d8213b42aef20e0ca2b5aad15cdb7ad971fdaaabbb27fb65d5d5e9b3584b4a4d72a0d967cc
-
memory/1148-53-0x00000000010A0000-0x00000000010A2000-memory.dmpFilesize
8KB
-
memory/1148-28-0x00000000010A0000-0x00000000010A2000-memory.dmpFilesize
8KB
-
memory/1148-27-0x00000000012B0000-0x00000000012B1000-memory.dmpFilesize
4KB
-
memory/1148-17-0x00000000010A0000-0x00000000010A2000-memory.dmpFilesize
8KB
-
memory/1148-13-0x00000000010A0000-0x00000000010A2000-memory.dmpFilesize
8KB
-
memory/1148-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1596-156-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1596-57-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1596-112-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1596-117-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/1596-116-0x00000000037A0000-0x00000000037A2000-memory.dmpFilesize
8KB
-
memory/1596-155-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1636-41-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-75-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-9-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-31-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1636-16-0x0000000003E70000-0x0000000003E71000-memory.dmpFilesize
4KB
-
memory/1636-12-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-8-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-36-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-38-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-37-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-39-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-40-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-25-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-43-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-45-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1636-6-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-33-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-11-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-26-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-58-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-59-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-60-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-63-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-64-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-66-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-68-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-74-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-10-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-87-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1636-79-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1636-96-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1636-29-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1636-30-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/2492-100-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2492-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2492-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2492-49-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2492-48-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB