Analysis

max time kernel: 135s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 22-05-2024 23:57

Static task: static1
Behavioral task: behavioral1
Sample: 5d474feac1117f7231ede9e2eb5c8490_NeikiAnalytics.dll
Resource: win7-20240221-en

General

Target: 5d474feac1117f7231ede9e2eb5c8490_NeikiAnalytics.dll
Size: 120KB
MD5: 5d474feac1117f7231ede9e2eb5c8490
SHA1: 0a9271a9e5530837ec0ea0102508d6c0eef0e7fd
SHA256: f7c73c5c22e2f66edd16975f69c6cdc7a50e166e6a4fdaa82c780a83d3048afb
SHA512: f7079e4501a1141511156d714cc4190905a2986f76e3b00344602057c336dfaa00e85582ae315c667a2c38a5bf49675ac8005449a4e40cfb4b6f99849b34be2f
SSDEEP: 1536:A43OHt+Jq8kbq74LtwGTV/P9lIru+irDYeb7ugGSH6IDtU6eVjP4LbtGqd0I7/:ADHtBLtwGvl7N/YqugGiDtUJP4LbYQn
Malware Config

Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  2 TTPs  9 IoCs
Processes: e572ccd.exe, e572ee0.exe, e574892.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574892.exe
UAC bypass
Processes: e572ccd.exe, e572ee0.exe, e574892.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574892.exe
Windows security bypass
Processes: e572ccd.exe, e574892.exe, e572ee0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574892.exe
Executes dropped EXE  4 IoCs
Processes: e572ccd.exe, e572ee0.exe, e574892.exe, e5748b1.exe
pid | process
880 | e572ccd.exe
1944 | e572ee0.exe
3408 | e574892.exe
1688 | e5748b1.exe
Windows security modification
Processes: e574892.exe, e572ccd.exe, e572ee0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574892.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574892.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572ccd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572ee0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e572ee0.exe
Checks whether UAC is enabled
Processes: e572ccd.exe, e572ee0.exe, e574892.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574892.exe
Enumerates connected drives  3 TTPs  14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e572ccd.exe
description | ioc | process
File opened (read-only) | \??\I: | e572ccd.exe
File opened (read-only) | \??\E: | e572ccd.exe
File opened (read-only) | \??\N: | e572ccd.exe
File opened (read-only) | \??\O: | e572ccd.exe
File opened (read-only) | \??\H: | e572ccd.exe
File opened (read-only) | \??\J: | e572ccd.exe
File opened (read-only) | \??\Q: | e572ccd.exe
File opened (read-only) | \??\R: | e572ccd.exe
File opened (read-only) | \??\S: | e572ccd.exe
File opened (read-only) | \??\G: | e572ccd.exe
File opened (read-only) | \??\K: | e572ccd.exe
File opened (read-only) | \??\L: | e572ccd.exe
File opened (read-only) | \??\M: | e572ccd.exe
File opened (read-only) | \??\P: | e572ccd.exe
Drops file in Program Files directory  4 IoCs
Processes: e572ccd.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e572ccd.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e572ccd.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e572ccd.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e572ccd.exe
Drops file in Windows directory  4 IoCs
Processes: e572ee0.exe, e574892.exe, e572ccd.exe
description | ioc | process
File created | C:\Windows\e577dcb | e572ee0.exe
File created | C:\Windows\e579700 | e574892.exe
File created | C:\Windows\e572d1b | e572ccd.exe
File opened for modification | C:\Windows\SYSTEM.INI | e572ccd.exe
Suspicious behavior: EnumeratesProcesses  6 IoCs
Processes: e572ccd.exe, e572ee0.exe
pid | process
880 | e572ccd.exe
1944 | e572ee0.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs
Processes: e572ccd.exe
description | pid | process
Token: SeDebugPrivilege | 880 | e572ccd.exe
Suspicious use of WriteProcessMemory  64 IoCs
Processes: rundll32.exe, rundll32.exe, e572ccd.exe, e572ee0.exe
description | pid | process | target process
PID 1532 wrote to memory of 1456 | 1532 | rundll32.exe | rundll32.exe
PID 1456 wrote to memory of 880 | 1456 | rundll32.exe | e572ccd.exe
PID 880 wrote to memory of 756 | 880 | e572ccd.exe | fontdrvhost.exe
PID 880 wrote to memory of 764 | 880 | e572ccd.exe | fontdrvhost.exe
PID 880 wrote to memory of 1020 | 880 | e572ccd.exe | dwm.exe
PID 880 wrote to memory of 2664 | 880 | e572ccd.exe | sihost.exe
PID 880 wrote to memory of 2720 | 880 | e572ccd.exe | svchost.exe
PID 880 wrote to memory of 2960 | 880 | e572ccd.exe | taskhostw.exe
PID 880 wrote to memory of 3416 | 880 | e572ccd.exe | Explorer.EXE
PID 880 wrote to memory of 3516 | 880 | e572ccd.exe | svchost.exe
PID 880 wrote to memory of 3720 | 880 | e572ccd.exe | DllHost.exe
PID 880 wrote to memory of 3804 | 880 | e572ccd.exe | StartMenuExperienceHost.exe
PID 880 wrote to memory of 3872 | 880 | e572ccd.exe | RuntimeBroker.exe
PID 880 wrote to memory of 3952 | 880 | e572ccd.exe | SearchApp.exe
PID 880 wrote to memory of 4088 | 880 | e572ccd.exe | RuntimeBroker.exe
PID 880 wrote to memory of 916 | 880 | e572ccd.exe | TextInputHost.exe
PID 880 wrote to memory of 4588 | 880 | e572ccd.exe | RuntimeBroker.exe
PID 880 wrote to memory of 1252 | 880 | e572ccd.exe | backgroundTaskHost.exe
PID 880 wrote to memory of 2400 | 880 | e572ccd.exe | backgroundTaskHost.exe
PID 880 wrote to memory of 1532 | 880 | e572ccd.exe | rundll32.exe
PID 880 wrote to memory of 1456 | 880 | e572ccd.exe | rundll32.exe
PID 1456 wrote to memory of 1944 | 1456 | rundll32.exe | e572ee0.exe
PID 1456 wrote to memory of 3408 | 1456 | rundll32.exe | e574892.exe
PID 1456 wrote to memory of 1688 | 1456 | rundll32.exe | e5748b1.exe
PID 880 wrote to memory of 1944 | 880 | e572ccd.exe | e572ee0.exe
PID 880 wrote to memory of 2928 | 880 | e572ccd.exe | RuntimeBroker.exe
PID 880 wrote to memory of 3540 | 880 | e572ccd.exe | RuntimeBroker.exe
PID 880 wrote to memory of 3408 | 880 | e572ccd.exe | e574892.exe
PID 880 wrote to memory of 1688 | 880 | e572ccd.exe | e5748b1.exe
PID 1944 wrote to memory of 756 | 1944 | e572ee0.exe | fontdrvhost.exe
PID 1944 wrote to memory of 764 | 1944 | e572ee0.exe | fontdrvhost.exe
PID 1944 wrote to memory of 1020 | 1944 | e572ee0.exe | dwm.exe
PID 1944 wrote to memory of 2664 | 1944 | e572ee0.exe | sihost.exe
PID 1944 wrote to memory of 2720 | 1944 | e572ee0.exe | svchost.exe
System policy modification  1 TTPs  3 IoCs
Processes: e572ccd.exe, e572ee0.exe, e574892.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572ccd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572ee0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574892.exe
Processes

(indentation shows process depth; "cmd:" is the recorded command line)

C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe
  cmd: "dwm.exe"
C:\Windows\system32\sihost.exe
  cmd: sihost.exe
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
    C:\Windows\system32\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d474feac1117f7231ede9e2eb5c8490_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
          cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d474feac1117f7231ede9e2eb5c8490_NeikiAnalytics.dll,#1
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e572ccd.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\e572ccd.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e572ee0.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\e572ee0.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e574892.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\e574892.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Drops file in Windows directory
              - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5748b1.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\e5748b1.exe
              - Executes dropped EXE
C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)

Defense Evasion
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
Downloads

C:\Users\Admin\AppData\Local\Temp\e572ccd.exe
  Filesize: 97KB
  MD5: ad91b7722b9454d9d8a97546a2d57cb7
  SHA1: f68553e2caa03b98a43829a71efc0758466444b2
  SHA256: a8cab30ec21d47137d7d7dbc48065c024af4fa0e621be21a9eeb3faed26b9706
  SHA512: 4afb93380cb4ad0ce345fc0a91776ce032efdefe2309cf67db5b8711e1d5ca4bf6dafbc039c624df4735171665864e984b06893d155360b560312dc3e203ef51

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 644505bf5b88fc20ad5d3a199cd4013c
  SHA1: 2f41f119e69693023677fb1474d3f5644d60e157
  SHA256: 1522648daee864c97a65ece7c3ecbc2d564b7155aa00931821eaa1f632f0a52c
  SHA512: 97c080af62dde2db10676579412932949cf1ab17300d328b7cb50f1f538a94aaf63b5aa9cb089e26b07a50c155a6c46c1eac5f2ba5558d61b63fcbbded5d9ffb