sality | b57d98b97263d8b0c1d77ec8adcf372c023ce2b7788c12e441219e61f1c42414

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f34cccba312f445f7a9d22e4e7c7490_NeikiAnalytics.dll
Size

120KB
MD5

7f34cccba312f445f7a9d22e4e7c7490
SHA1

24268adff4bb5a64fd6c385e24bb550455fcd4a7
SHA256

b57d98b97263d8b0c1d77ec8adcf372c023ce2b7788c12e441219e61f1c42414
SHA512

ea83771ab2a8d3d4ec602a4e53bb337a9fddee406cb20e0c5886a2588d1c6ca1f66ab813181c4e85e0b729c98c08b3f6b0c4316b1b563a96487bac637f393fc8
SSDEEP

1536:P5mACH2t+f8yVfuF0nhpb3Y05oKSCWNRUWMxt9i6/fTOIMzZg:EAq2g5VfpzbIOSzNRUWMxt9iqiF

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e5749ea.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5749ea.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e5749ea.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5749ea.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5749ea.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e576580.exee5749ea.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e576580.exe

Executes dropped EXE 3 IoCs

Processes:

e5749ea.exee574b22.exee576580.exe

pid process

2712 e5749ea.exe
224 e574b22.exe
1960 e576580.exe

pid	process
2712	e5749ea.exe
224	e574b22.exe
1960	e576580.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2712-6-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-8-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-18-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-31-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-26-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-11-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-17-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-19-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-9-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-10-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-27-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-36-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-37-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-38-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-40-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-39-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-42-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-43-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-52-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-54-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-55-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-65-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-66-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-70-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-72-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-74-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-76-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-78-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-80-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-81-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/2712-99-0x0000000000830000-0x00000000018EA000-memory.dmp	upx
behavioral2/memory/1960-112-0x0000000000B70000-0x0000000001C2A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5749ea.exee576580.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5749ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5749ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e576580.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e576580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e576580.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e5749ea.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5749ea.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5749ea.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5749ea.exe

description	ioc	process
File opened (read-only)	\??\E:	e5749ea.exe
File opened (read-only)	\??\N:	e5749ea.exe
File opened (read-only)	\??\O:	e5749ea.exe
File opened (read-only)	\??\J:	e5749ea.exe
File opened (read-only)	\??\G:	e5749ea.exe
File opened (read-only)	\??\I:	e5749ea.exe
File opened (read-only)	\??\Q:	e5749ea.exe
File opened (read-only)	\??\S:	e5749ea.exe
File opened (read-only)	\??\R:	e5749ea.exe
File opened (read-only)	\??\H:	e5749ea.exe
File opened (read-only)	\??\K:	e5749ea.exe
File opened (read-only)	\??\L:	e5749ea.exe
File opened (read-only)	\??\M:	e5749ea.exe
File opened (read-only)	\??\P:	e5749ea.exe

Drops file in Program Files directory 4 IoCs

Processes:

e5749ea.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e5749ea.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e5749ea.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e5749ea.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e5749ea.exe

Drops file in Windows directory 2 IoCs

Processes:

e5749ea.exe

description ioc process

File created C:\Windows\e574a38 e5749ea.exe
File opened for modification C:\Windows\SYSTEM.INI e5749ea.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e5749ea.exe

pid process

2712 e5749ea.exe
2712 e5749ea.exe
2712 e5749ea.exe
2712 e5749ea.exe

description	ioc	process
File created	C:\Windows\e574a38	e5749ea.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5749ea.exe

pid	process
2712	e5749ea.exe
2712	e5749ea.exe
2712	e5749ea.exe
2712	e5749ea.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5749ea.exe

description	pid	process
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe
Token: SeDebugPrivilege	2712	e5749ea.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

rundll32.exerundll32.exee5749ea.exe

description	pid	process	target process
PID 4080 wrote to memory of 3216	4080	rundll32.exe	rundll32.exe
PID 4080 wrote to memory of 3216	4080	rundll32.exe	rundll32.exe
PID 4080 wrote to memory of 3216	4080	rundll32.exe	rundll32.exe
PID 3216 wrote to memory of 2712	3216	rundll32.exe	e5749ea.exe
PID 3216 wrote to memory of 2712	3216	rundll32.exe	e5749ea.exe
PID 3216 wrote to memory of 2712	3216	rundll32.exe	e5749ea.exe
PID 2712 wrote to memory of 792	2712	e5749ea.exe	fontdrvhost.exe
PID 2712 wrote to memory of 796	2712	e5749ea.exe	fontdrvhost.exe
PID 2712 wrote to memory of 380	2712	e5749ea.exe	dwm.exe
PID 2712 wrote to memory of 2452	2712	e5749ea.exe	sihost.exe
PID 2712 wrote to memory of 2468	2712	e5749ea.exe	svchost.exe
PID 2712 wrote to memory of 2724	2712	e5749ea.exe	taskhostw.exe
PID 2712 wrote to memory of 3544	2712	e5749ea.exe	Explorer.EXE
PID 2712 wrote to memory of 3692	2712	e5749ea.exe	svchost.exe
PID 2712 wrote to memory of 3880	2712	e5749ea.exe	DllHost.exe
PID 2712 wrote to memory of 3968	2712	e5749ea.exe	StartMenuExperienceHost.exe
PID 2712 wrote to memory of 4032	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 1028	2712	e5749ea.exe	SearchApp.exe
PID 2712 wrote to memory of 3784	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 4356	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 2312	2712	e5749ea.exe	TextInputHost.exe
PID 2712 wrote to memory of 1632	2712	e5749ea.exe	backgroundTaskHost.exe
PID 2712 wrote to memory of 4080	2712	e5749ea.exe	rundll32.exe
PID 2712 wrote to memory of 3216	2712	e5749ea.exe	rundll32.exe
PID 2712 wrote to memory of 3216	2712	e5749ea.exe	rundll32.exe
PID 3216 wrote to memory of 224	3216	rundll32.exe	e574b22.exe
PID 3216 wrote to memory of 224	3216	rundll32.exe	e574b22.exe
PID 3216 wrote to memory of 224	3216	rundll32.exe	e574b22.exe
PID 3216 wrote to memory of 1960	3216	rundll32.exe	e576580.exe
PID 3216 wrote to memory of 1960	3216	rundll32.exe	e576580.exe
PID 3216 wrote to memory of 1960	3216	rundll32.exe	e576580.exe
PID 2712 wrote to memory of 792	2712	e5749ea.exe	fontdrvhost.exe
PID 2712 wrote to memory of 796	2712	e5749ea.exe	fontdrvhost.exe
PID 2712 wrote to memory of 380	2712	e5749ea.exe	dwm.exe
PID 2712 wrote to memory of 2452	2712	e5749ea.exe	sihost.exe
PID 2712 wrote to memory of 2468	2712	e5749ea.exe	svchost.exe
PID 2712 wrote to memory of 2724	2712	e5749ea.exe	taskhostw.exe
PID 2712 wrote to memory of 3544	2712	e5749ea.exe	Explorer.EXE
PID 2712 wrote to memory of 3692	2712	e5749ea.exe	svchost.exe
PID 2712 wrote to memory of 3880	2712	e5749ea.exe	DllHost.exe
PID 2712 wrote to memory of 3968	2712	e5749ea.exe	StartMenuExperienceHost.exe
PID 2712 wrote to memory of 4032	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 1028	2712	e5749ea.exe	SearchApp.exe
PID 2712 wrote to memory of 3784	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 4356	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 2312	2712	e5749ea.exe	TextInputHost.exe
PID 2712 wrote to memory of 224	2712	e5749ea.exe	e574b22.exe
PID 2712 wrote to memory of 224	2712	e5749ea.exe	e574b22.exe
PID 2712 wrote to memory of 4868	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 4280	2712	e5749ea.exe	RuntimeBroker.exe
PID 2712 wrote to memory of 1960	2712	e5749ea.exe	e576580.exe
PID 2712 wrote to memory of 1960	2712	e5749ea.exe	e576580.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e5749ea.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5749ea.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5749ea.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2468

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2724

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f34cccba312f445f7a9d22e4e7c7490_NeikiAnalytics.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f34cccba312f445f7a9d22e4e7c7490_NeikiAnalytics.dll,#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\e5749ea.exe
      C:\Users\Admin\AppData\Local\Temp\e5749ea.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\e574b22.exe
      C:\Users\Admin\AppData\Local\Temp\e574b22.exe
      4⤵
      Executes dropped EXE
      PID:224
  - - C:\Users\Admin\AppData\Local\Temp\e576580.exe
      C:\Users\Admin\AppData\Local\Temp\e576580.exe
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4356

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2312

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5749ea.exe

Filesize
97KB

MD5
c2d9750805735363961ffc57ec75527f

SHA1
58fcb0c68fc6bf9fe884283e5d2c85540f90f72f

SHA256
b541bbadb4421f2be1c86ecc477e352b971545e7ca4c0f57b13c73c37f31cfda

SHA512
e1612d97c94e644e2cf6d1fddc02e91ee38f0b9d86fc14082cc0078e2586d0f2c03658aee0a9667d58d33901567383d370b556ea75a456ce85f5a9bccff5aca3

Download Submit
memory/224-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/224-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/224-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/224-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/224-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1960-112-0x0000000000B70000-0x0000000001C2A000-memory.dmp

Filesize
16.7MB

Download
memory/1960-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1960-113-0x0000000000B70000-0x0000000001C2A000-memory.dmp

Filesize
16.7MB

Download
memory/1960-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1960-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1960-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1960-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2712-70-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-26-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-6-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-17-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-19-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-9-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-10-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-27-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-36-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-37-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-38-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-40-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-39-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-42-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-43-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-8-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-52-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-54-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-55-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-11-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-31-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-32-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2712-18-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-29-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2712-23-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2712-65-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-66-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-99-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-72-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-74-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-76-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-78-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-80-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-81-0x0000000000830000-0x00000000018EA000-memory.dmp

Filesize
16.7MB

Download
memory/2712-91-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/3216-24-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/3216-28-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/3216-49-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/3216-20-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/3216-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3216-21-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download