Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 17:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0b76861c541b49745b9bf714a0bdd660_NeikiAnalytics.dll
  - Resource: win7-20240221-en
General
- Target: 0b76861c541b49745b9bf714a0bdd660_NeikiAnalytics.dll
- Size: 120KB
- MD5: 0b76861c541b49745b9bf714a0bdd660
- SHA1: ae8b3827e7f57bc4a2afc32acac6b6326ba7293b
- SHA256: a68ff706938fc2c3006b6829b4a3addfb69bfb89252811da70555b944041f06f
- SHA512: baea0abd643accb0f947538222a76712bf8f67034e96c7b2ae47289bb6f811874a42a7562caf38f75a9913466e07fce785c0c5f58838943b3385a05624f4c9ce
- SSDEEP: 1536:X5VTYSacOZmA1Ah8OkJUNUhk/4mzg7i0Xj3NaEFbTB7TReM/urdvlEi9hv/:X5VTyZlAiRJyY7Vj9aax71eMGrHEAn
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e572f4d.exe |
UAC bypass (heading inferred from the process-tree signature list)
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574b32.exe |
Windows security bypass (heading inferred from the process-tree signature list)
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572f4d.exe |
Executes dropped EXE (3 IoCs)
Processes: e572f4d.exe, e573076.exe, e574b32.exe

| PID | Process |
| --- | --- |
| 4580 | e572f4d.exe |
| 684 | e573076.exe |
| 2636 | e574b32.exe |
UPX packed file (heading inferred from the yara rule name)

| Resource | yara_rule |
| --- | --- |
| behavioral2/memory/4580-6-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-11-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-18-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-27-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-30-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-12-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-10-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-9-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-28-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-19-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-36-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-37-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-38-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-39-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-40-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-42-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-43-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-53-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-54-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-55-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-65-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-67-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-70-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-72-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-74-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-77-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-76-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-80-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-82-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/4580-86-0x0000000000850000-0x000000000190A000-memory.dmp | upx |
| behavioral2/memory/2636-123-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx |
| behavioral2/memory/2636-150-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx |
Windows security modification (heading inferred from the process-tree signature list)
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574b32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574b32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574b32.exe |
Checks whether UAC is enabled (heading inferred from the process-tree signature list)
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574b32.exe |
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| File opened (read-only) | \??\E: | e572f4d.exe |
| File opened (read-only) | \??\L: | e572f4d.exe |
| File opened (read-only) | \??\O: | e572f4d.exe |
| File opened (read-only) | \??\J: | e572f4d.exe |
| File opened (read-only) | \??\K: | e572f4d.exe |
| File opened (read-only) | \??\M: | e572f4d.exe |
| File opened (read-only) | \??\Q: | e572f4d.exe |
| File opened (read-only) | \??\R: | e572f4d.exe |
| File opened (read-only) | \??\G: | e572f4d.exe |
| File opened (read-only) | \??\I: | e572f4d.exe |
| File opened (read-only) | \??\P: | e572f4d.exe |
| File opened (read-only) | \??\G: | e574b32.exe |
| File opened (read-only) | \??\H: | e572f4d.exe |
| File opened (read-only) | \??\N: | e572f4d.exe |
| File opened (read-only) | \??\S: | e572f4d.exe |
| File opened (read-only) | \??\E: | e574b32.exe |
Drops file in Program Files directory (4 IoCs)
Processes: e572f4d.exe

| Description | IoC | Process |
| --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | e572f4d.exe |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e572f4d.exe |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | e572f4d.exe |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e572f4d.exe |
Drops file in Windows directory (3 IoCs)
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| File created | C:\Windows\e572f8c | e572f4d.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | e572f4d.exe |
| File created | C:\Windows\e577fbf | e574b32.exe |
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e572f4d.exe, e574b32.exe

| PID | Process |
| --- | --- |
| 4580 | e572f4d.exe |
| 4580 | e572f4d.exe |
| 4580 | e572f4d.exe |
| 4580 | e572f4d.exe |
| 2636 | e574b32.exe |
| 2636 | e574b32.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e572f4d.exe

| Description | PID | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4580 | e572f4d.exe |

The report lists this identical entry 64 times (the 64 IoCs in the heading); the duplicates are collapsed here.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e572f4d.exe, e574b32.exe

| Description | Source PID | Source process | Target PID | Target process |
| --- | --- | --- | --- | --- |
| wrote to memory of | 2356 | rundll32.exe | 3856 | rundll32.exe |
| wrote to memory of | 2356 | rundll32.exe | 3856 | rundll32.exe |
| wrote to memory of | 2356 | rundll32.exe | 3856 | rundll32.exe |
| wrote to memory of | 3856 | rundll32.exe | 4580 | e572f4d.exe |
| wrote to memory of | 3856 | rundll32.exe | 4580 | e572f4d.exe |
| wrote to memory of | 3856 | rundll32.exe | 4580 | e572f4d.exe |
| wrote to memory of | 4580 | e572f4d.exe | 760 | fontdrvhost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 764 | fontdrvhost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 60 | dwm.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3040 | sihost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 1880 | svchost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3104 | taskhostw.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3424 | Explorer.EXE |
| wrote to memory of | 4580 | e572f4d.exe | 3552 | svchost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3748 | DllHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3840 | StartMenuExperienceHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3904 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3988 | SearchApp.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3340 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 4360 | TextInputHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3336 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 2840 | backgroundTaskHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 4272 | backgroundTaskHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 2356 | rundll32.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3856 | rundll32.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3856 | rundll32.exe |
| wrote to memory of | 3856 | rundll32.exe | 684 | e573076.exe |
| wrote to memory of | 3856 | rundll32.exe | 684 | e573076.exe |
| wrote to memory of | 3856 | rundll32.exe | 684 | e573076.exe |
| wrote to memory of | 3856 | rundll32.exe | 2636 | e574b32.exe |
| wrote to memory of | 3856 | rundll32.exe | 2636 | e574b32.exe |
| wrote to memory of | 3856 | rundll32.exe | 2636 | e574b32.exe |
| wrote to memory of | 4580 | e572f4d.exe | 760 | fontdrvhost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 764 | fontdrvhost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 60 | dwm.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3040 | sihost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 1880 | svchost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3104 | taskhostw.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3424 | Explorer.EXE |
| wrote to memory of | 4580 | e572f4d.exe | 3552 | svchost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3748 | DllHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3840 | StartMenuExperienceHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3904 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3988 | SearchApp.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3340 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 4360 | TextInputHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 3336 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 2840 | backgroundTaskHost.exe |
| wrote to memory of | 4580 | e572f4d.exe | 684 | e573076.exe |
| wrote to memory of | 4580 | e572f4d.exe | 684 | e573076.exe |
| wrote to memory of | 4580 | e572f4d.exe | 396 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 2768 | RuntimeBroker.exe |
| wrote to memory of | 4580 | e572f4d.exe | 2636 | e574b32.exe |
| wrote to memory of | 4580 | e572f4d.exe | 2636 | e574b32.exe |
| wrote to memory of | 2636 | e574b32.exe | 760 | fontdrvhost.exe |
| wrote to memory of | 2636 | e574b32.exe | 764 | fontdrvhost.exe |
| wrote to memory of | 2636 | e574b32.exe | 60 | dwm.exe |
| wrote to memory of | 2636 | e574b32.exe | 3040 | sihost.exe |
| wrote to memory of | 2636 | e574b32.exe | 1880 | svchost.exe |
| wrote to memory of | 2636 | e574b32.exe | 3104 | taskhostw.exe |
| wrote to memory of | 2636 | e574b32.exe | 3424 | Explorer.EXE |
| wrote to memory of | 2636 | e574b32.exe | 3552 | svchost.exe |
| wrote to memory of | 2636 | e574b32.exe | 3748 | DllHost.exe |
| wrote to memory of | 2636 | e574b32.exe | 3840 | StartMenuExperienceHost.exe |
System policy modification (1 TTPs, 2 IoCs)
Processes: e572f4d.exe, e574b32.exe

| Description | IoC | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572f4d.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574b32.exe |
Processes
(process tree; each entry gives the image path and, in parentheses, the command line; nested entries are child processes)

- C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe")
- C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe")
- C:\Windows\system32\dwm.exe (cmdline: "dwm.exe")
- C:\Windows\system32\sihost.exe (cmdline: sihost.exe)
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- C:\Windows\system32\taskhostw.exe (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE)
  - C:\Windows\system32\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b76861c541b49745b9bf714a0bdd660_NeikiAnalytics.dll,#1)
    - Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b76861c541b49745b9bf714a0bdd660_NeikiAnalytics.dll,#1)
      - Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e572f4d.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\e572f4d.exe)
        - Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e573076.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\e573076.exe)
        - Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e574b32.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\e574b32.exe)
        - Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\system32\backgroundTaskHost.exe (cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca)
- C:\Windows\system32\backgroundTaskHost.exe (cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1

Defense Evasion
- Modify Registry: 5
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 3
  - Disable or Modify Tools: 3
Downloads

- C:\Users\Admin\AppData\Local\Temp\e572f4d.exe
  - Filesize: 97KB
  - MD5: c47dd693d8ca9e213f2bd7e4d1312d86
  - SHA1: cdbe66be963bc7aeb0989fbe11f9ef3376063720
  - SHA256: 47648b9fd2462abbd0563361a19c05b47659dd3da5c0c4f269214c237cd5fac3
  - SHA512: 6d2f6631b2694aadd76172b5335a326b47dc1cabe38b5ca44fd40a8311934cc55abb631deb1801c47fb1130cb1ee17b2b420e30f0950d9f5ef1524e5e5b4d297
- C:\Windows\SYSTEM.INI
  - Filesize: 257B
  - MD5: 52135f89e8081e6107046f17e7f510df
  - SHA1: 805c2ffa6761b425afb884ec8b409ce96596c3f9
  - SHA256: 65c8a46f8370bdafe4543cba76a4ccb01f10dd217a3fc2455ecc2094a735f89b
  - SHA512: 40e785f67975c29537b9b695fe77a96b3ba530e05bfd593e7d3896c129f4192e05df6582c17527553899ad47de088b9e61f2e806d4f2666d2d25d4bbf04b9dca