Malware Analysis Report

2024-11-16 13:16

Sample ID 240519-c8naxaed7z
Target 58d16dd6109d1ddc16fd5859e9135cb0_NeikiAnalytics.exe
SHA256 94fa93dd606301e6fcc63082b7c02c11cb157c320c12ed838995399c2e7d12b0
Tags
sality backdoor evasion trojan upx
Score
10/10

Analysis Overview

Score
10/10

SHA256

94fa93dd606301e6fcc63082b7c02c11cb157c320c12ed838995399c2e7d12b0

Threat Level: Known bad

The file 58d16dd6109d1ddc16fd5859e9135cb0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

UAC bypass

Sality

UPX packed file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-19 02:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 02:44

Reported

2024-05-19 02:47

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f766c4a C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A
File created C:\Windows\f761c57 C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 2988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761bea.exe
PID 2988 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Windows\system32\taskhost.exe
PID 2988 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Windows\system32\Dwm.exe
PID 2988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Windows\Explorer.EXE
PID 2988 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Windows\system32\DllHost.exe
PID 2988 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Windows\system32\rundll32.exe
PID 2988 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 2480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d8f.exe
PID 2024 wrote to memory of 2136 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76424e.exe
PID 2988 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Users\Admin\AppData\Local\Temp\f761d8f.exe
PID 2988 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\f761bea.exe C:\Users\Admin\AppData\Local\Temp\f76424e.exe
PID 2480 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761d8f.exe C:\Windows\system32\taskhost.exe
PID 2480 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f761d8f.exe C:\Windows\system32\Dwm.exe
PID 2480 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761d8f.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761bea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d8f.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\58d16dd6109d1ddc16fd5859e9135cb0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\58d16dd6109d1ddc16fd5859e9135cb0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761bea.exe

C:\Users\Admin\AppData\Local\Temp\f761bea.exe

C:\Users\Admin\AppData\Local\Temp\f761d8f.exe

C:\Users\Admin\AppData\Local\Temp\f761d8f.exe

C:\Users\Admin\AppData\Local\Temp\f76424e.exe

C:\Users\Admin\AppData\Local\Temp\f76424e.exe

Network

N/A

Files

memory/2024-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761bea.exe

MD5 694f1e92dec8417533b84bfc090d6b11
SHA1 ba583059ae987603dca3e34688f9209732b062c4
SHA256 19299228e8f09e631ecfeb753ea94b9e81324982179bd5a19d4b818a8927aeef
SHA512 5f69ff99a23de94221ea36d315ed5c7df7d98ad5dd7a8db1688b9f0b8db7c4c49101e8c3d7c08e86f1a637fdfd6cdac28fff4f8ffdef93edb4c217ff0147116f

memory/2988-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2024-9-0x0000000000110000-0x0000000000122000-memory.dmp

memory/2024-8-0x0000000000110000-0x0000000000122000-memory.dmp

memory/2988-12-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-15-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-17-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-22-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-20-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-48-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/2988-50-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/2988-46-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

memory/2024-45-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2024-36-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2024-35-0x0000000000130000-0x0000000000132000-memory.dmp

memory/1068-28-0x0000000000450000-0x0000000000452000-memory.dmp

memory/2988-18-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-16-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-14-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-21-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-19-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2024-57-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2988-52-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-59-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2480-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2024-61-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2024-60-0x0000000000250000-0x0000000000262000-memory.dmp

memory/2988-63-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-64-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-65-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-67-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2136-79-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2480-88-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2480-87-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2136-93-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2136-92-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2136-95-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2480-94-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2988-96-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-97-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-99-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-102-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-105-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-106-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-109-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-113-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/2988-138-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2988-139-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 9a43762cbad7b787810f1f9615da03eb
SHA1 745d55647e41dfbec1e5cafe5cf884d2a90ff233
SHA256 04601ca27d5e9771cde92ef8f4c45a1c2acb6bead507c4114e35ae52a62412c4
SHA512 831a1a87402c4c33b73896613bbefc6221e2af4e8524328b1920c670ed881578b603373271a388ad2e924de907ef3ee764719945e0441875bab36696a568052a

memory/2480-151-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2480-177-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2480-176-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2136-181-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 02:44

Reported

2024-05-19 02:47

Platform

win10v2004-20240508-en

Max time kernel

113s

Max time network

121s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57537f C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
File created C:\Windows\e57a6a0 C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
(this identical entry appears 64 times in the report; repeats collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1256 wrote to memory of 2028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575321.exe
PID 1256 wrote to memory of 2028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575321.exe
PID 1256 wrote to memory of 2028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575321.exe
PID 2028 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\fontdrvhost.exe
PID 2028 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\fontdrvhost.exe
PID 2028 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\dwm.exe
PID 2028 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\sihost.exe
PID 2028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\taskhostw.exe
PID 2028 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\DllHost.exe
PID 2028 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2028 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2028 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2028 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2028 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2028 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\rundll32.exe
PID 2028 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SysWOW64\rundll32.exe
PID 1256 wrote to memory of 4288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575554.exe
PID 1256 wrote to memory of 4288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575554.exe
PID 1256 wrote to memory of 4288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575554.exe
PID 2028 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\fontdrvhost.exe
PID 2028 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\fontdrvhost.exe
PID 2028 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\dwm.exe
PID 2028 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\sihost.exe
PID 2028 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\taskhostw.exe
PID 2028 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\DllHost.exe
PID 2028 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2028 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2028 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2028 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2028 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2028 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\system32\rundll32.exe
PID 2028 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Users\Admin\AppData\Local\Temp\e575554.exe
PID 2028 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Users\Admin\AppData\Local\Temp\e575554.exe
PID 2028 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\e575321.exe C:\Windows\System32\RuntimeBroker.exe
PID 1256 wrote to memory of 2720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577f03.exe
PID 1256 wrote to memory of 2720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577f03.exe
PID 1256 wrote to memory of 2720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577f03.exe
PID 2720 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\fontdrvhost.exe
PID 2720 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\fontdrvhost.exe
PID 2720 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\dwm.exe
PID 2720 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\sihost.exe
PID 2720 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\svchost.exe
PID 2720 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\taskhostw.exe
PID 2720 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\Explorer.EXE
PID 2720 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\svchost.exe
PID 2720 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\system32\DllHost.exe
PID 2720 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e577f03.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575321.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577f03.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\58d16dd6109d1ddc16fd5859e9135cb0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\58d16dd6109d1ddc16fd5859e9135cb0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e575321.exe

C:\Users\Admin\AppData\Local\Temp\e575321.exe

C:\Users\Admin\AppData\Local\Temp\e575554.exe

C:\Users\Admin\AppData\Local\Temp\e575554.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e577f03.exe

C:\Users\Admin\AppData\Local\Temp\e577f03.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e575321.exe

MD5 694f1e92dec8417533b84bfc090d6b11
SHA1 ba583059ae987603dca3e34688f9209732b062c4
SHA256 19299228e8f09e631ecfeb753ea94b9e81324982179bd5a19d4b818a8927aeef
SHA512 5f69ff99a23de94221ea36d315ed5c7df7d98ad5dd7a8db1688b9f0b8db7c4c49101e8c3d7c08e86f1a637fdfd6cdac28fff4f8ffdef93edb4c217ff0147116f

C:\Windows\SYSTEM.INI

MD5 89b06c2408e240b7080931786ea52c69
SHA1 5961e63d8693e34d1b36739a012b9d635f549b87
SHA256 9dd4f561a33940632db063998002bca7de5e20bc24b8736c5acff011ca96c157
SHA512 c22cea3691a15be886c7af2552b302167c9d69abcafda5f3e0e2d40bcbd85dfca60d54aa698ad39e4b79d9813e1654f432fef67ed0e863e0d4250cee69f3f5dd
