Analysis
-
max time kernel
146s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
28-05-2024 06:37
Static task
static1
Behavioral task
behavioral1
Sample
36f591c547a20a185e65eeec19a081b0_NeikiAnalytics.dll
Resource
win7-20240221-en (note: the platform and memory-dump labels on this page are win10v2004 / behavioral2; the win7 resource listed here appears to belong to the other behavioral run of the same sample)
General
-
Target
36f591c547a20a185e65eeec19a081b0_NeikiAnalytics.dll
-
Size
120KB
-
MD5
36f591c547a20a185e65eeec19a081b0
-
SHA1
4b5c1e931295e990314798b35c8a5bfd6e09e73c
-
SHA256
427f90368ac1359c7a111ece12d24123ced88dde1332453a46d268d308c8655e
-
SHA512
09f22831787f2552e4f71746ebfb9368163796714da8e83757dda31e43711e394f6397c3883a39191f7e5d51d5ce7f2568f49e3bef4c5bbbef2dfa6285062447
-
SSDEEP
1536:eaxR3NRSOhb3WN9hskfbCk3/XcQVR2f5CtdOq2lBB8zXCFjm5qB7Ah4:eyRLj69hN5kQyf8tdOq2/gmjmHh4
Malware Config
Extracted
Family: sality (configuration recovered by the sandbox's Sality extractor)
Network indicators from the extracted configuration — treat as IoCs, do not browse from an analyst workstation:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service — 2 TTPs, 6 IoCs
Processes: e5764a5.exe, e573ad6.exe (columns: description | ioc | process)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5764a5.exe
Both dropped executables write the same three values: EnableFirewall = 0 switches the standard-profile firewall off, DoNotAllowExceptions = 0 re-enables exceptions, and DisableNotifications = 1 suppresses the warning that would otherwise be shown. Detection: alert on any non-Windows process writing under ...\SharedAccess\Parameters\FirewallPolicy\.
UAC bypass (heading recovered from the process-tree signature list) — Processes: e573ad6.exe, e5764a5.exe (columns: description | ioc | process)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5764a5.exe
EnableLUA = 0 disables User Account Control system-wide; the change is persisted in the registry and takes effect for subsequent logons/reboot rather than the current session.
Windows security bypass (heading recovered from the process-tree signature list) — Processes: e5764a5.exe, e573ad6.exe (columns: description | ioc | process)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5764a5.exe
The *Override and *DisableNotify values are the legacy Security Center switches for silencing antivirus/firewall/update/UAC warnings. Note the WOW6432Node path: the writers are 32-bit processes (launched from the SysWOW64 rundll32 in the process tree), so registry redirection lands these writes in the 32-bit view; whether the native 64-bit Security Center honours them on this Windows 10 build is not established by this report.
Executes dropped EXE — 3 IoCs
Processes (columns: pid | process)
3208 | e573ad6.exe
1404 | e573bff.exe
3040 | e5764a5.exe
All three are written to and launched from C:\Users\Admin\AppData\Local\Temp\ by the SysWOW64 rundll32.exe (PID 1616) that hosts the submitted DLL.
UPX-packed code detected in memory (yara rule: upx) — Processes: e573ad6.exe (PID 3208), e5764a5.exe (PID 3040); the matching region (~16.7 MB at 0x8A0000 / 0x830000) is far larger than the 97 KB dropped file, consistent with an unpacked or expanded payload in memory rather than the on-disk image.
resource yara_rule behavioral2/memory/3208-10-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-11-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-26-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-29-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-34-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-12-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-25-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-9-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-27-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-6-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-36-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-37-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-38-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-39-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-40-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-54-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-55-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-57-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-58-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-59-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-60-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-62-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-69-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-70-0x00000000008A0000-0x000000000195A000-memory.dmp upx 
behavioral2/memory/3208-73-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3208-74-0x00000000008A0000-0x000000000195A000-memory.dmp upx behavioral2/memory/3040-109-0x0000000000830000-0x00000000018EA000-memory.dmp upx behavioral2/memory/3040-150-0x0000000000830000-0x00000000018EA000-memory.dmp upx -
Windows security modification (heading recovered from the process-tree signature list) — Processes: e5764a5.exe, e573ad6.exe (columns: description | ioc | process)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5764a5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573ad6.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573ad6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5764a5.exe
This overlaps the "Windows security bypass" list above; the only additional artefact is the creation of the Security Center\Svc subkey by both processes.
Checks whether UAC is enabled (heading recovered from the process-tree signature list) — Processes: e5764a5.exe, e573ad6.exe (columns: description | ioc | process)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5764a5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573ad6.exe
Same EnableLUA writes as the "UAC bypass" signature; the events are listed once per signature that matched them.
Enumerates connected drives — 3 TTPs, 13 IoCs
Opens the root of drive letters other than the default C: drive (read-only). Probing E: through N: in turn is consistent with a file infector looking for additional fixed, removable or mapped volumes to traverse — an inference from the pattern, not something this report confirms.
Processes: e573ad6.exe, e5764a5.exe (columns: description | ioc | process)
File opened (read-only) \??\G: | e573ad6.exe
File opened (read-only) \??\H: | e573ad6.exe
File opened (read-only) \??\I: | e573ad6.exe
File opened (read-only) \??\M: | e573ad6.exe
File opened (read-only) \??\E: | e5764a5.exe
File opened (read-only) \??\E: | e573ad6.exe
File opened (read-only) \??\N: | e573ad6.exe
File opened (read-only) \??\H: | e5764a5.exe
File opened (read-only) \??\J: | e573ad6.exe
File opened (read-only) \??\G: | e5764a5.exe
File opened (read-only) \??\I: | e5764a5.exe
File opened (read-only) \??\K: | e573ad6.exe
File opened (read-only) \??\L: | e573ad6.exe
Drops file in Program Files directory — 3 IoCs
Processes: e573ad6.exe (columns: description | ioc | process)
File opened for modification C:\Program Files\7-Zip\7z.exe | e573ad6.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe | e573ad6.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe | e573ad6.exe
Despite the signature name, these are existing installed executables opened for write, not new files. Together with the Sality configuration match this is consistent with PE file infection of third-party binaries; if confirmed, remediation must replace (not merely delete) every modified executable and re-verify their hashes against known-good copies.
Drops file in Windows directory — 3 IoCs
Processes: e573ad6.exe, e5764a5.exe (columns: description | ioc | process)
File created C:\Windows\e573b34 | e573ad6.exe
File opened for modification C:\Windows\SYSTEM.INI | e573ad6.exe
File created C:\Windows\e578d2c | e5764a5.exe
The two created files carry the same hex-style names as the dropped executables; the modified SYSTEM.INI (257 B) is captured under Downloads below and its hashes can be used to confirm tampering on a suspect host.
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
e573ad6.exee5764a5.exepid process 3208 e573ad6.exe 3208 e573ad6.exe 3208 e573ad6.exe 3208 e573ad6.exe 3040 e5764a5.exe 3040 e5764a5.exe -
Suspicious use of AdjustPrivilegeToken — 64 IoCs (every entry is e573ad6.exe, PID 3208, enabling SeDebugPrivilege; the listing appears to be capped at 64 entries). SeDebugPrivilege is what allows a process to open and write to processes it does not own, which matches the cross-process WriteProcessMemory targets listed below.
Processes:
e573ad6.exedescription pid process Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 
e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe Token: SeDebugPrivilege 3208 e573ad6.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (listing appears capped at 64 entries). Beyond the expected parent→child writes along the rundll32 chain, both e573ad6.exe (PID 3208) and e5764a5.exe (PID 3040) write into nearly every process in the session — fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, RuntimeBroker, SearchApp, TextInputHost and backgroundTaskHost — i.e. indiscriminate process injection rather than a single targeted host process.
Processes:
rundll32.exerundll32.exee573ad6.exee5764a5.exedescription pid process target process PID 928 wrote to memory of 1616 928 rundll32.exe rundll32.exe PID 928 wrote to memory of 1616 928 rundll32.exe rundll32.exe PID 928 wrote to memory of 1616 928 rundll32.exe rundll32.exe PID 1616 wrote to memory of 3208 1616 rundll32.exe e573ad6.exe PID 1616 wrote to memory of 3208 1616 rundll32.exe e573ad6.exe PID 1616 wrote to memory of 3208 1616 rundll32.exe e573ad6.exe PID 3208 wrote to memory of 776 3208 e573ad6.exe fontdrvhost.exe PID 3208 wrote to memory of 780 3208 e573ad6.exe fontdrvhost.exe PID 3208 wrote to memory of 316 3208 e573ad6.exe dwm.exe PID 3208 wrote to memory of 2696 3208 e573ad6.exe sihost.exe PID 3208 wrote to memory of 2716 3208 e573ad6.exe svchost.exe PID 3208 wrote to memory of 3028 3208 e573ad6.exe taskhostw.exe PID 3208 wrote to memory of 3508 3208 e573ad6.exe Explorer.EXE PID 3208 wrote to memory of 3668 3208 e573ad6.exe svchost.exe PID 3208 wrote to memory of 3864 3208 e573ad6.exe DllHost.exe PID 3208 wrote to memory of 3956 3208 e573ad6.exe StartMenuExperienceHost.exe PID 3208 wrote to memory of 4020 3208 e573ad6.exe RuntimeBroker.exe PID 3208 wrote to memory of 732 3208 e573ad6.exe SearchApp.exe PID 3208 wrote to memory of 3920 3208 e573ad6.exe RuntimeBroker.exe PID 3208 wrote to memory of 4728 3208 e573ad6.exe TextInputHost.exe PID 3208 wrote to memory of 4836 3208 e573ad6.exe RuntimeBroker.exe PID 3208 wrote to memory of 1020 3208 e573ad6.exe backgroundTaskHost.exe PID 3208 wrote to memory of 368 3208 e573ad6.exe backgroundTaskHost.exe PID 3208 wrote to memory of 928 3208 e573ad6.exe rundll32.exe PID 3208 wrote to memory of 1616 3208 e573ad6.exe rundll32.exe PID 3208 wrote to memory of 1616 3208 e573ad6.exe rundll32.exe PID 1616 wrote to memory of 1404 1616 rundll32.exe e573bff.exe PID 1616 wrote to memory of 1404 1616 rundll32.exe e573bff.exe PID 1616 wrote to memory of 1404 1616 rundll32.exe e573bff.exe PID 3208 wrote to memory of 776 3208 
e573ad6.exe fontdrvhost.exe PID 3208 wrote to memory of 780 3208 e573ad6.exe fontdrvhost.exe PID 3208 wrote to memory of 316 3208 e573ad6.exe dwm.exe PID 3208 wrote to memory of 2696 3208 e573ad6.exe sihost.exe PID 3208 wrote to memory of 2716 3208 e573ad6.exe svchost.exe PID 3208 wrote to memory of 3028 3208 e573ad6.exe taskhostw.exe PID 3208 wrote to memory of 3508 3208 e573ad6.exe Explorer.EXE PID 3208 wrote to memory of 3668 3208 e573ad6.exe svchost.exe PID 3208 wrote to memory of 3864 3208 e573ad6.exe DllHost.exe PID 3208 wrote to memory of 3956 3208 e573ad6.exe StartMenuExperienceHost.exe PID 3208 wrote to memory of 4020 3208 e573ad6.exe RuntimeBroker.exe PID 3208 wrote to memory of 732 3208 e573ad6.exe SearchApp.exe PID 3208 wrote to memory of 3920 3208 e573ad6.exe RuntimeBroker.exe PID 3208 wrote to memory of 4728 3208 e573ad6.exe TextInputHost.exe PID 3208 wrote to memory of 4836 3208 e573ad6.exe RuntimeBroker.exe PID 3208 wrote to memory of 1020 3208 e573ad6.exe backgroundTaskHost.exe PID 3208 wrote to memory of 368 3208 e573ad6.exe backgroundTaskHost.exe PID 3208 wrote to memory of 928 3208 e573ad6.exe rundll32.exe PID 3208 wrote to memory of 1404 3208 e573ad6.exe e573bff.exe PID 3208 wrote to memory of 1404 3208 e573ad6.exe e573bff.exe PID 3208 wrote to memory of 2516 3208 e573ad6.exe BackgroundTaskHost.exe PID 1616 wrote to memory of 3040 1616 rundll32.exe e5764a5.exe PID 1616 wrote to memory of 3040 1616 rundll32.exe e5764a5.exe PID 1616 wrote to memory of 3040 1616 rundll32.exe e5764a5.exe PID 3040 wrote to memory of 776 3040 e5764a5.exe fontdrvhost.exe PID 3040 wrote to memory of 780 3040 e5764a5.exe fontdrvhost.exe PID 3040 wrote to memory of 316 3040 e5764a5.exe dwm.exe PID 3040 wrote to memory of 2696 3040 e5764a5.exe sihost.exe PID 3040 wrote to memory of 2716 3040 e5764a5.exe svchost.exe PID 3040 wrote to memory of 3028 3040 e5764a5.exe taskhostw.exe PID 3040 wrote to memory of 3508 3040 e5764a5.exe Explorer.EXE PID 3040 wrote to memory of 3668 
3040 e5764a5.exe svchost.exe PID 3040 wrote to memory of 3864 3040 e5764a5.exe DllHost.exe PID 3040 wrote to memory of 3956 3040 e5764a5.exe StartMenuExperienceHost.exe PID 3040 wrote to memory of 4020 3040 e5764a5.exe RuntimeBroker.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
e573ad6.exee5764a5.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573ad6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5764a5.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:316
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2716
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3028
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3508
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\36f591c547a20a185e65eeec19a081b0_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\36f591c547a20a185e65eeec19a081b0_NeikiAnalytics.dll,#13⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\e573ad6.exeC:\Users\Admin\AppData\Local\Temp\e573ad6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\e573bff.exeC:\Users\Admin\AppData\Local\Temp\e573bff.exe4⤵
- Executes dropped EXE
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\e5764a5.exeC:\Users\Admin\AppData\Local\Temp\e5764a5.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3668
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3864
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3956
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4020
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:732
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3920
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4728
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4836
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:1020
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:368
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵PID:2516
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4604
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4708
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Create or Modify System Process (1): Windows Service (1)
Defense Evasion
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Impair Defenses (3): Disable or Modify Tools (3)
Modify Registry (5)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573ad6.exe — Filesize
97KB
MD5 aeaea93a42ca59c7cf9ff997284d1a37
SHA1 b892a10e285c936b080be525dd42bdb7ddaabeeb
SHA256 bb8723c7b8e11b1767a3b26526ddf1cefa9a750e135b7b48384e4030dd79d142
SHA512 5102885cab9db639c7cf7794221e43470c828a4875383f9ede3fa97a6a5f4d73a9c9168c998ee1ed2370821658dff84cf92034770da092331589f541a81675fc
-
C:\Windows\SYSTEM.INI (post-modification copy) — Filesize
257B
MD5 77008971919be9f0a9abb49ebe3d7652
SHA1 22ffa1433134decc910a735efe6692fbb7158eeb
SHA256 99919a11c6adbd1bd20e10937dc56e2c022b965f7456f0c31062ffcf94c9a8ed
SHA512 d5fb66333948ec4c009dddc2553b0217e6b94d579e18ee192988fe529259e75e52af3b174c8e463f4900bfe9985f2114026caeb7719ffd08aa1663f03a132421
-
memory/1404-44-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/1404-47-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1404-46-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1404-94-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1404-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1404-97-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1616-17-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/1616-31-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/1616-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1616-14-0x00000000044C0000-0x00000000044C1000-memory.dmpFilesize
4KB
-
memory/1616-50-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/1616-13-0x0000000004430000-0x0000000004432000-memory.dmpFilesize
8KB
-
memory/3040-109-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/3040-119-0x0000000004370000-0x0000000004371000-memory.dmpFilesize
4KB
-
memory/3040-118-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/3040-150-0x0000000000830000-0x00000000018EA000-memory.dmpFilesize
16.7MB
-
memory/3040-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3040-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3208-25-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-59-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-37-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-38-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-39-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-40-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-6-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-27-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-16-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/3208-9-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-30-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3208-54-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-55-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-57-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-58-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-36-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-60-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-62-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-69-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-70-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-73-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-74-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-83-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3208-93-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3208-28-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/3208-12-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-34-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-29-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-26-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-11-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-10-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3208-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB