Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 18:53
Static task: static1
Behavioral task: behavioral1
Sample: bca6cf563f093794214072664a387890_NeikiAnalytics.dll
Resource: win7-20240215-en
General
Target: bca6cf563f093794214072664a387890_NeikiAnalytics.dll
Size: 120KB
MD5: bca6cf563f093794214072664a387890
SHA1: d4a430e2489620a47b5af88206db91c2addecc8d
SHA256: 842e6d8d30ef9db4827529fc42bda2a1c36efd7e1316ce132ee5fc85a8a04dcc
SHA512: 679c263888d089a16d8a934aa0788071d658cf0b9db600fc9491eaa2072d667a932207f7e09636d54aef4b735c54f72a2a85e052416df102d2b5516b9457cb2a
SSDEEP: 3072:w5YfdVHWjpKA2ARJN2/OsZlIbyyB6VXDI:w5Yfdw8iR/Q0bxBf
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e5753cd.exe, e576f83.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e576f83.exe
UAC bypass
Processes: e5753cd.exe, e576f83.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576f83.exe
Windows security bypass
Processes: e5753cd.exe, e576f83.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5753cd.exe
Executes dropped EXE (3 IoCs)
Processes: e5753cd.exe, e575525.exe, e576f83.exe
pid | process
816 | e5753cd.exe
4244 | e575525.exe
4112 | e576f83.exe
YARA rule match: upx (memory dumps)
resource | yara_rule
behavioral2/memory/816-12-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-10-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-8-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-9-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-13-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-15-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-29-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-28-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-14-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-11-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-37-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-38-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-39-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-40-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-41-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-43-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-44-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-53-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-55-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-56-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-66-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-67-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-71-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-72-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-75-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-76-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-84-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-85-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-87-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-86-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/816-89-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/4112-129-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4112-143-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification
Processes: e5753cd.exe, e576f83.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576f83.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e576f83.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5753cd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576f83.exe
Checks whether UAC is enabled
Processes: e5753cd.exe, e576f83.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576f83.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e5753cd.exe
description | ioc | process
File opened (read-only) | \??\E: | e5753cd.exe
File opened (read-only) | \??\Q: | e5753cd.exe
File opened (read-only) | \??\M: | e5753cd.exe
File opened (read-only) | \??\S: | e5753cd.exe
File opened (read-only) | \??\G: | e5753cd.exe
File opened (read-only) | \??\J: | e5753cd.exe
File opened (read-only) | \??\N: | e5753cd.exe
File opened (read-only) | \??\O: | e5753cd.exe
File opened (read-only) | \??\H: | e5753cd.exe
File opened (read-only) | \??\I: | e5753cd.exe
File opened (read-only) | \??\K: | e5753cd.exe
File opened (read-only) | \??\L: | e5753cd.exe
File opened (read-only) | \??\P: | e5753cd.exe
File opened (read-only) | \??\R: | e5753cd.exe
Drops file in Program Files directory (4 IoCs)
Processes: e5753cd.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5753cd.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5753cd.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5753cd.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e5753cd.exe
Drops file in Windows directory (3 IoCs)
Processes: e576f83.exe, e5753cd.exe
description | ioc | process
File created | C:\Windows\e57bdf1 | e576f83.exe
File created | C:\Windows\e57541b | e5753cd.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5753cd.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e5753cd.exe, e576f83.exe
pid | process
816 | e5753cd.exe
816 | e5753cd.exe
816 | e5753cd.exe
816 | e5753cd.exe
4112 | e576f83.exe
4112 | e576f83.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e5753cd.exe
description | pid | process
Token: SeDebugPrivilege | 816 | e5753cd.exe (64 entries, all identical)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e5753cd.exe, e576f83.exe
description | pid process | target process
PID 1396 wrote to memory of 532 | 1396 rundll32.exe | rundll32.exe
PID 1396 wrote to memory of 532 | 1396 rundll32.exe | rundll32.exe
PID 1396 wrote to memory of 532 | 1396 rundll32.exe | rundll32.exe
PID 532 wrote to memory of 816 | 532 rundll32.exe | e5753cd.exe
PID 532 wrote to memory of 816 | 532 rundll32.exe | e5753cd.exe
PID 532 wrote to memory of 816 | 532 rundll32.exe | e5753cd.exe
PID 816 wrote to memory of 796 | 816 e5753cd.exe | fontdrvhost.exe
PID 816 wrote to memory of 804 | 816 e5753cd.exe | fontdrvhost.exe
PID 816 wrote to memory of 380 | 816 e5753cd.exe | dwm.exe
PID 816 wrote to memory of 3128 | 816 e5753cd.exe | sihost.exe
PID 816 wrote to memory of 3144 | 816 e5753cd.exe | svchost.exe
PID 816 wrote to memory of 3212 | 816 e5753cd.exe | taskhostw.exe
PID 816 wrote to memory of 3484 | 816 e5753cd.exe | Explorer.EXE
PID 816 wrote to memory of 3608 | 816 e5753cd.exe | svchost.exe
PID 816 wrote to memory of 3808 | 816 e5753cd.exe | DllHost.exe
PID 816 wrote to memory of 3896 | 816 e5753cd.exe | StartMenuExperienceHost.exe
PID 816 wrote to memory of 3964 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 4080 | 816 e5753cd.exe | SearchApp.exe
PID 816 wrote to memory of 4140 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 4252 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 1796 | 816 e5753cd.exe | TextInputHost.exe
PID 816 wrote to memory of 968 | 816 e5753cd.exe | backgroundTaskHost.exe
PID 816 wrote to memory of 1396 | 816 e5753cd.exe | rundll32.exe
PID 816 wrote to memory of 532 | 816 e5753cd.exe | rundll32.exe
PID 816 wrote to memory of 532 | 816 e5753cd.exe | rundll32.exe
PID 532 wrote to memory of 4244 | 532 rundll32.exe | e575525.exe
PID 532 wrote to memory of 4244 | 532 rundll32.exe | e575525.exe
PID 532 wrote to memory of 4244 | 532 rundll32.exe | e575525.exe
PID 532 wrote to memory of 4112 | 532 rundll32.exe | e576f83.exe
PID 532 wrote to memory of 4112 | 532 rundll32.exe | e576f83.exe
PID 532 wrote to memory of 4112 | 532 rundll32.exe | e576f83.exe
PID 816 wrote to memory of 796 | 816 e5753cd.exe | fontdrvhost.exe
PID 816 wrote to memory of 804 | 816 e5753cd.exe | fontdrvhost.exe
PID 816 wrote to memory of 380 | 816 e5753cd.exe | dwm.exe
PID 816 wrote to memory of 3128 | 816 e5753cd.exe | sihost.exe
PID 816 wrote to memory of 3144 | 816 e5753cd.exe | svchost.exe
PID 816 wrote to memory of 3212 | 816 e5753cd.exe | taskhostw.exe
PID 816 wrote to memory of 3484 | 816 e5753cd.exe | Explorer.EXE
PID 816 wrote to memory of 3608 | 816 e5753cd.exe | svchost.exe
PID 816 wrote to memory of 3808 | 816 e5753cd.exe | DllHost.exe
PID 816 wrote to memory of 3896 | 816 e5753cd.exe | StartMenuExperienceHost.exe
PID 816 wrote to memory of 3964 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 4080 | 816 e5753cd.exe | SearchApp.exe
PID 816 wrote to memory of 4140 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 4252 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 1796 | 816 e5753cd.exe | TextInputHost.exe
PID 816 wrote to memory of 4244 | 816 e5753cd.exe | e575525.exe
PID 816 wrote to memory of 4244 | 816 e5753cd.exe | e575525.exe
PID 816 wrote to memory of 1228 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 4248 | 816 e5753cd.exe | RuntimeBroker.exe
PID 816 wrote to memory of 4112 | 816 e5753cd.exe | e576f83.exe
PID 816 wrote to memory of 4112 | 816 e5753cd.exe | e576f83.exe
PID 4112 wrote to memory of 796 | 4112 e576f83.exe | fontdrvhost.exe
PID 4112 wrote to memory of 804 | 4112 e576f83.exe | fontdrvhost.exe
PID 4112 wrote to memory of 380 | 4112 e576f83.exe | dwm.exe
PID 4112 wrote to memory of 3128 | 4112 e576f83.exe | sihost.exe
PID 4112 wrote to memory of 3144 | 4112 e576f83.exe | svchost.exe
PID 4112 wrote to memory of 3212 | 4112 e576f83.exe | taskhostw.exe
PID 4112 wrote to memory of 3484 | 4112 e576f83.exe | Explorer.EXE
PID 4112 wrote to memory of 3608 | 4112 e576f83.exe | svchost.exe
PID 4112 wrote to memory of 3808 | 4112 e576f83.exe | DllHost.exe
PID 4112 wrote to memory of 3896 | 4112 e576f83.exe | StartMenuExperienceHost.exe
PID 4112 wrote to memory of 3964 | 4112 e576f83.exe | RuntimeBroker.exe
PID 4112 wrote to memory of 4080 | 4112 e576f83.exe | SearchApp.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e5753cd.exe, e576f83.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5753cd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576f83.exe
Processes
path | command line | PID (child processes are indented under their parent)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:380
C:\Windows\system32\sihost.exe | sihost.exe | PID:3128
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3144
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3212
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3484
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\bca6cf563f093794214072664a387890_NeikiAnalytics.dll,#1 | PID:1396
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\bca6cf563f093794214072664a387890_NeikiAnalytics.dll,#1 | PID:532
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e5753cd.exe | C:\Users\Admin\AppData\Local\Temp\e5753cd.exe | PID:816
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e575525.exe | C:\Users\Admin\AppData\Local\Temp\e575525.exe | PID:4244
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e576f83.exe | C:\Users\Admin\AppData\Local\Temp\e576f83.exe | PID:4112
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3608
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3808
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3896
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3964
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4080
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4140
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4252
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1796
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:968
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1228
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4248
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 7c4a9b779b1d5db662fd181d7bf42564
SHA1: d2ed3a5e093ee2139ae1fddcf118ad84bf5ffcea
SHA256: eabcdd55bd80bf17e4cdd7c6f1d22d1a280c73e8d6ffd81e73b0719f12c6b386
SHA512: d6088ff755cfb7e7619dd9dc0c721be3d9178180bc327100cc743802c203481119411e4ad7c9065ecab19ddcc8704fffbddb3fef90769dce767586d0356624c0

Filesize: 257B
MD5: f1c3d480ab998dbf82263cb114a5f253
SHA1: 2a5c38f386920920a15fef1ca0c7c236be719dad
SHA256: fee3451d12eeb14bad7ead3ee3874ec760ec43a7ea541fbe2d45b28402842232
SHA512: 13872437370267dd4e9228e47473bfcb64f7fe02740c443d5ff2dd6aa1fe3732bef41699bf80ee9a0938d4c2a4ef4f2fc82925a3d0e4bb9384406c7b7bb6fa63