sality | 610eb98abec78e784ec1d07aac77af7438ba6c290c1f09d256c3f360e20aed3a

Analysis

max time kernel
116s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll
Size

120KB
MD5

48de47b466d13b494716389ed860ec30
SHA1

958fd877c96843efaef3e6881eb18f63411a2ae0
SHA256

610eb98abec78e784ec1d07aac77af7438ba6c290c1f09d256c3f360e20aed3a
SHA512

e8f71e4d21bac9ddd038f5c9e7ea6fcba6f0b8839b203f79763679f57049f2a3fe831d7cb30daa17912bd8c156ee2f5bd3a3bc47d8a2ea7302f87e1ea3870846
SSDEEP

3072:3ve1fZjr7BeZ55IsQ+9FMm5RDbXlBeU5:3vsRjr7B8b6a1BeU5

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e574045.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e574045.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e574045.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e574045.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574045.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574045.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574045.exe

Executes dropped EXE 3 IoCs

Processes:

e574045.exee5741db.exee576467.exe

pid process

2768 e574045.exe
3452 e5741db.exe
344 e576467.exe

pid	process
2768	e574045.exe
3452	e5741db.exe
344	e576467.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2768-6-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-9-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-20-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-11-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-35-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-34-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-33-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-29-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-21-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-10-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-36-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-37-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-38-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-40-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-39-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-50-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-59-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-60-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-61-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-63-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-65-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-67-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-71-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-72-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-74-0x0000000000760000-0x000000000181A000-memory.dmp	upx
behavioral2/memory/2768-75-0x0000000000760000-0x000000000181A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574045.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574045.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e574045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574045.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e574045.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e574045.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574045.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e574045.exe

description	ioc	process
File opened (read-only)	\??\H:	e574045.exe
File opened (read-only)	\??\I:	e574045.exe
File opened (read-only)	\??\J:	e574045.exe
File opened (read-only)	\??\L:	e574045.exe
File opened (read-only)	\??\N:	e574045.exe
File opened (read-only)	\??\E:	e574045.exe
File opened (read-only)	\??\K:	e574045.exe
File opened (read-only)	\??\M:	e574045.exe
File opened (read-only)	\??\O:	e574045.exe
File opened (read-only)	\??\G:	e574045.exe

Drops file in Program Files directory 3 IoCs

Processes:

e574045.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e574045.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e574045.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e574045.exe

Drops file in Windows directory 2 IoCs

Processes:

e574045.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI e574045.exe
File created C:\Windows\e5740a3 e574045.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e574045.exe

pid process

2768 e574045.exe
2768 e574045.exe
2768 e574045.exe
2768 e574045.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	e574045.exe
File created	C:\Windows\e5740a3	e574045.exe

pid	process
2768	e574045.exe
2768	e574045.exe
2768	e574045.exe
2768	e574045.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e574045.exe

description	pid	process
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe
Token: SeDebugPrivilege	2768	e574045.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

rundll32.exerundll32.exee574045.exe

description	pid	process	target process
PID 2256 wrote to memory of 2536	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2536	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2536	2256	rundll32.exe	rundll32.exe
PID 2536 wrote to memory of 2768	2536	rundll32.exe	e574045.exe
PID 2536 wrote to memory of 2768	2536	rundll32.exe	e574045.exe
PID 2536 wrote to memory of 2768	2536	rundll32.exe	e574045.exe
PID 2768 wrote to memory of 788	2768	e574045.exe	fontdrvhost.exe
PID 2768 wrote to memory of 796	2768	e574045.exe	fontdrvhost.exe
PID 2768 wrote to memory of 60	2768	e574045.exe	dwm.exe
PID 2768 wrote to memory of 2872	2768	e574045.exe	sihost.exe
PID 2768 wrote to memory of 2996	2768	e574045.exe	svchost.exe
PID 2768 wrote to memory of 2080	2768	e574045.exe	taskhostw.exe
PID 2768 wrote to memory of 3436	2768	e574045.exe	Explorer.EXE
PID 2768 wrote to memory of 3576	2768	e574045.exe	svchost.exe
PID 2768 wrote to memory of 3776	2768	e574045.exe	DllHost.exe
PID 2768 wrote to memory of 3872	2768	e574045.exe	StartMenuExperienceHost.exe
PID 2768 wrote to memory of 3936	2768	e574045.exe	RuntimeBroker.exe
PID 2768 wrote to memory of 4016	2768	e574045.exe	SearchApp.exe
PID 2768 wrote to memory of 3832	2768	e574045.exe	RuntimeBroker.exe
PID 2768 wrote to memory of 4744	2768	e574045.exe	TextInputHost.exe
PID 2768 wrote to memory of 1308	2768	e574045.exe	RuntimeBroker.exe
PID 2768 wrote to memory of 3844	2768	e574045.exe	backgroundTaskHost.exe
PID 2768 wrote to memory of 1400	2768	e574045.exe	backgroundTaskHost.exe
PID 2768 wrote to memory of 2256	2768	e574045.exe	rundll32.exe
PID 2768 wrote to memory of 2536	2768	e574045.exe	rundll32.exe
PID 2768 wrote to memory of 2536	2768	e574045.exe	rundll32.exe
PID 2536 wrote to memory of 3452	2536	rundll32.exe	e5741db.exe
PID 2536 wrote to memory of 3452	2536	rundll32.exe	e5741db.exe
PID 2536 wrote to memory of 3452	2536	rundll32.exe	e5741db.exe
PID 2536 wrote to memory of 344	2536	rundll32.exe	e576467.exe
PID 2536 wrote to memory of 344	2536	rundll32.exe	e576467.exe
PID 2536 wrote to memory of 344	2536	rundll32.exe	e576467.exe
PID 2768 wrote to memory of 788	2768	e574045.exe	fontdrvhost.exe
PID 2768 wrote to memory of 796	2768	e574045.exe	fontdrvhost.exe
PID 2768 wrote to memory of 60	2768	e574045.exe	dwm.exe
PID 2768 wrote to memory of 2872	2768	e574045.exe	sihost.exe
PID 2768 wrote to memory of 2996	2768	e574045.exe	svchost.exe
PID 2768 wrote to memory of 2080	2768	e574045.exe	taskhostw.exe
PID 2768 wrote to memory of 3436	2768	e574045.exe	Explorer.EXE
PID 2768 wrote to memory of 3576	2768	e574045.exe	svchost.exe
PID 2768 wrote to memory of 3776	2768	e574045.exe	DllHost.exe
PID 2768 wrote to memory of 3872	2768	e574045.exe	StartMenuExperienceHost.exe
PID 2768 wrote to memory of 3936	2768	e574045.exe	RuntimeBroker.exe
PID 2768 wrote to memory of 4016	2768	e574045.exe	SearchApp.exe
PID 2768 wrote to memory of 3832	2768	e574045.exe	RuntimeBroker.exe
PID 2768 wrote to memory of 4744	2768	e574045.exe	TextInputHost.exe
PID 2768 wrote to memory of 1308	2768	e574045.exe	RuntimeBroker.exe
PID 2768 wrote to memory of 3844	2768	e574045.exe	backgroundTaskHost.exe
PID 2768 wrote to memory of 1400	2768	e574045.exe	backgroundTaskHost.exe
PID 2768 wrote to memory of 3452	2768	e574045.exe	e5741db.exe
PID 2768 wrote to memory of 3452	2768	e574045.exe	e5741db.exe
PID 2768 wrote to memory of 344	2768	e574045.exe	e576467.exe
PID 2768 wrote to memory of 344	2768	e574045.exe	e576467.exe
PID 2768 wrote to memory of 760	2768	e574045.exe	RuntimeBroker.exe
PID 2768 wrote to memory of 4028	2768	e574045.exe	RuntimeBroker.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e574045.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e574045.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574045.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:60

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2996

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\e574045.exe
      C:\Users\Admin\AppData\Local\Temp\e574045.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\e5741db.exe
      C:\Users\Admin\AppData\Local\Temp\e5741db.exe
      4⤵
      Executes dropped EXE
      PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\e576467.exe
      C:\Users\Admin\AppData\Local\Temp\e576467.exe
      4⤵
      Executes dropped EXE
      PID:344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1308

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3844

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1400

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e574045.exe

Filesize
97KB

MD5
bb23844c21aff9e48c2ae2a11fd325c5

SHA1
972724c994d7e3750f57fa0cb8b93e038aba08e8

SHA256
b384c4b405a31e72385c056e0491f40a1d4daf28cc4b5cb7a9a53f2a5174c9bd

SHA512
d2c77708614cdfd617e041e396d9572a6d9a10e1ac2b21224f03aa6f26a6eedd4fcfc3a39cfb18bdad036996129c3faece741f2fa929d5e4176e3fd414fabac1

Download Submit
memory/344-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/344-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/344-54-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/344-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/344-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2536-32-0x0000000004430000-0x0000000004432000-memory.dmp

Filesize
8KB

Download
memory/2536-16-0x0000000004430000-0x0000000004432000-memory.dmp

Filesize
8KB

Download
memory/2536-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2536-12-0x0000000004430000-0x0000000004432000-memory.dmp

Filesize
8KB

Download
memory/2536-13-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/2768-40-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-9-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-29-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-31-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/2768-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2768-21-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-15-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2768-33-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-34-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-10-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-36-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-37-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-38-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-35-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-39-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-11-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-50-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-98-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2768-20-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-23-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/2768-76-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/2768-6-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-75-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-59-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-60-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-61-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-63-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-65-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-67-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-71-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-72-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/2768-74-0x0000000000760000-0x000000000181A000-memory.dmp

Filesize
16.7MB

Download
memory/3452-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3452-52-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3452-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3452-97-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3452-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download