Analysis
max time kernel: 21s
max time network: 119s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 07:30
Static task: static1
Behavioral task: behavioral1
Sample: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Resource: win7-20240220-en
General
Target: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Size: 744KB
MD5: d26dc22db6445c1ce36114677a5e7240
SHA1: 97a7668972f7fc8c33eef6ea828b597203470085
SHA256: 4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4
SHA512: b21747d8d0ab194429d03118e824b061bb7619eabd45e5f687cf715b2bdb836de550019d1447cf6ac84d3e7060c5153b8d976317199f45e2280329a4313846a1
SSDEEP: 12288:kTyjXW+48qWywrU4kGFezOAVuJ5PIQww7F5DO3HYffXXjYBw:SIXW/8yw1ez54lImF5SXYHn8y
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rundll32.exe

UAC bypass
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32.exe

Windows security bypass
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

Deletes itself (1 IoCs)
Processes: rundll32.exe
pid | process
2528 | rundll32.exe

Executes dropped EXE (1 IoCs)
Processes: rundll32.exe
pid | process
2528 | rundll32.exe

Loads dropped DLL (1 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
pid | process
2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

YARA rule match: upx
resource | yara_rule
behavioral1/memory/2908-N-0x0000000002510000-0x000000000359E000-memory.dmp, for N in 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 32, 35, 59 | upx
behavioral1/memory/2528-N-0x0000000003950000-0x00000000049DE000-memory.dmp, for N in 63, 65, 66, 67, 68, 69, 70, 80, 81, 82, 83, 88, 90, 138 | upx
behavioral1/memory/2528-193-0x0000000003950000-0x00000000039DD000-memory.dmp | upx

Windows security modification
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

Checks whether UAC is enabled
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
description | ioc | process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (one IoC per drive letter) | rundll32.exe

Drops file in Windows directory (1 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
pid | process
2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
2528 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (40 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe (20 occurrences)
Token: SeDebugPrivilege | 2528 | rundll32.exe (20 occurrences)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
pid | process
2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
2528 | rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
description | pid | process | target process
PID 2908 wrote to memory of 1040 | 2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe | Dwm.exe
PID 2908 wrote to memory of 1056 | 2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe | taskhost.exe
PID 2908 wrote to memory of 1100 | 2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe | Explorer.EXE
PID 2908 wrote to memory of 2308 | 2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe | DllHost.exe
PID 2908 wrote to memory of 2528 | 2908 | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe | rundll32.exe (7 occurrences)
PID 2528 wrote to memory of 1040 | 2528 | rundll32.exe | Dwm.exe
PID 2528 wrote to memory of 1056 | 2528 | rundll32.exe | taskhost.exe
PID 2528 wrote to memory of 1100 | 2528 | rundll32.exe | Explorer.EXE

System policy modification (1 TTPs, 2 IoCs)
Processes: rundll32.exe, d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Processes
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe"
    Signatures:
    - Modifies firewall policy service
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
      Signatures:
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation:
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion:
- Modify Registry (8)
- Hide Artifacts (2): Hidden Files and Directories (2)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0F76207C_Rar\rundll32.exe
  Filesize: 664KB
  MD5: 2eb5d76180ce7b3241b281fa79ab3483
  SHA1: 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
  SHA256: e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
  SHA512: 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 1f925108cdf22315fefcf03ee4394a6c
  SHA1: b3adfc2201507c5f681fca530433e0c159b6c606
  SHA256: faf5eb18f5287a948510993c45a3da0853d44ff737317793bec265bab45c3ed2
  SHA512: 4086ac7050d4289ab2d9d5713bc67605d8fd42dd2e6bbddc8303162886c461c5c5f519984c1040331af4d347892f2db3d89ef979fd1ee866e44fbd67deda85c4
- \Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
  Filesize: 744KB
  MD5: d26dc22db6445c1ce36114677a5e7240
  SHA1: 97a7668972f7fc8c33eef6ea828b597203470085
  SHA256: 4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4
  SHA512: b21747d8d0ab194429d03118e824b061bb7619eabd45e5f687cf715b2bdb836de550019d1447cf6ac84d3e7060c5153b8d976317199f45e2280329a4313846a1
- memory/1040-17-0x0000000001DA0000-0x0000000001DA2000-memory.dmp (Filesize: 8KB)
- memory/2528-69-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-150-0x0000000000220000-0x0000000000222000-memory.dmp (Filesize: 8KB)
- memory/2528-193-0x0000000003950000-0x00000000039DD000-memory.dmp (Filesize: 564KB)
- memory/2528-138-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-90-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-88-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-66-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-68-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-81-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-63-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-83-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-79-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize: 4KB)
- memory/2528-67-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-84-0x0000000000220000-0x0000000000222000-memory.dmp (Filesize: 8KB)
- memory/2528-85-0x0000000000220000-0x0000000000222000-memory.dmp (Filesize: 8KB)
- memory/2528-82-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-57-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/2528-80-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-65-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2528-70-0x0000000003950000-0x00000000049DE000-memory.dmp (Filesize: 16.6MB)
- memory/2908-26-0x00000000003A0000-0x00000000003A1000-memory.dmp (Filesize: 4KB)
- memory/2908-13-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-8-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-59-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-10-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-58-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/2908-40-0x000000000A810000-0x000000000A8D2000-memory.dmp (Filesize: 776KB)
- memory/2908-32-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-11-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-0-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/2908-25-0x0000000000390000-0x0000000000392000-memory.dmp (Filesize: 8KB)
- memory/2908-14-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-29-0x0000000000390000-0x0000000000392000-memory.dmp (Filesize: 8KB)
- memory/2908-30-0x0000000000390000-0x0000000000392000-memory.dmp (Filesize: 8KB)
- memory/2908-16-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-7-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-28-0x00000000003A0000-0x00000000003A1000-memory.dmp (Filesize: 4KB)
- memory/2908-15-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-9-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-12-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-35-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)
- memory/2908-53-0x0000000000390000-0x0000000000392000-memory.dmp (Filesize: 8KB)
- memory/2908-6-0x0000000002510000-0x000000000359E000-memory.dmp (Filesize: 16.6MB)