sality | 205bc3cde95a32e67e056451023a64f65acc3cae6288c55e107766f0924b458d

General

Target

0b33e2a6802abca5224471ab911ba080_NeikiAnalytics.dll
Size

120KB
MD5

0b33e2a6802abca5224471ab911ba080
SHA1

448a50e9e802b5be86192ff5e1e0240bf6044864
SHA256

205bc3cde95a32e67e056451023a64f65acc3cae6288c55e107766f0924b458d
SHA512

8da0a5dee6240b066675e5f8d13399a7d8c08f084969eb6ea76661a1a70f9b87b85f392c6d3e667cfbb55059cd39f8c38532be15899a4b80466433a9d287a005
SSDEEP

1536:YE5jvAELOC4Sm49h5QPOdaKG8sAMfsLW9toPZJZy8+Q49ymp:vjvrfD1dq8dM0mtoF+

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e57f09a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57f09a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e57f09a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57f09a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57f09a.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57f09a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57f09a.exe

Executes dropped EXE 4 IoCs

Processes:

e57f09a.exee57f712.exee580579.exee580606.exe

pid process

2076 e57f09a.exe
1720 e57f712.exe
1584 e580579.exe
2196 e580606.exe

pid	process
2076	e57f09a.exe
1720	e57f712.exe
1584	e580579.exe
2196	e580606.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2076-7-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-9-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-11-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-20-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-21-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-22-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-14-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-12-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-13-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-10-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-38-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-37-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-39-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-53-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-54-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-56-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-57-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-59-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-60-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-70-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-72-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-77-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-79-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-83-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-82-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-85-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-88-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-91-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/2076-98-0x0000000000750000-0x000000000180A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57f09a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57f09a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57f09a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57f09a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e57f09a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57f09a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57f09a.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57f09a.exe

description	ioc	process
File opened (read-only)	\??\E:	e57f09a.exe
File opened (read-only)	\??\K:	e57f09a.exe
File opened (read-only)	\??\L:	e57f09a.exe
File opened (read-only)	\??\M:	e57f09a.exe
File opened (read-only)	\??\N:	e57f09a.exe
File opened (read-only)	\??\O:	e57f09a.exe
File opened (read-only)	\??\G:	e57f09a.exe
File opened (read-only)	\??\H:	e57f09a.exe
File opened (read-only)	\??\I:	e57f09a.exe
File opened (read-only)	\??\J:	e57f09a.exe
File opened (read-only)	\??\P:	e57f09a.exe

Drops file in Windows directory 2 IoCs

Processes:

e57f09a.exe

description ioc process

File created C:\Windows\e57f433 e57f09a.exe
File opened for modification C:\Windows\SYSTEM.INI e57f09a.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e57f09a.exe

pid process

2076 e57f09a.exe
2076 e57f09a.exe
2076 e57f09a.exe
2076 e57f09a.exe

description	ioc	process
File created	C:\Windows\e57f433	e57f09a.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57f09a.exe

pid	process
2076	e57f09a.exe
2076	e57f09a.exe
2076	e57f09a.exe
2076	e57f09a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57f09a.exe

description	pid	process
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe
Token: SeDebugPrivilege	2076	e57f09a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee57f09a.exe

description	pid	process	target process
PID 1420 wrote to memory of 1528	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1528	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1528	1420	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 2076	1528	rundll32.exe	e57f09a.exe
PID 1528 wrote to memory of 2076	1528	rundll32.exe	e57f09a.exe
PID 1528 wrote to memory of 2076	1528	rundll32.exe	e57f09a.exe
PID 2076 wrote to memory of 784	2076	e57f09a.exe	fontdrvhost.exe
PID 2076 wrote to memory of 792	2076	e57f09a.exe	fontdrvhost.exe
PID 2076 wrote to memory of 388	2076	e57f09a.exe	dwm.exe
PID 2076 wrote to memory of 2808	2076	e57f09a.exe	sihost.exe
PID 2076 wrote to memory of 2848	2076	e57f09a.exe	svchost.exe
PID 2076 wrote to memory of 2952	2076	e57f09a.exe	taskhostw.exe
PID 2076 wrote to memory of 3372	2076	e57f09a.exe	Explorer.EXE
PID 2076 wrote to memory of 3564	2076	e57f09a.exe	svchost.exe
PID 2076 wrote to memory of 3756	2076	e57f09a.exe	DllHost.exe
PID 2076 wrote to memory of 3880	2076	e57f09a.exe	StartMenuExperienceHost.exe
PID 2076 wrote to memory of 3972	2076	e57f09a.exe	RuntimeBroker.exe
PID 2076 wrote to memory of 4056	2076	e57f09a.exe	SearchApp.exe
PID 2076 wrote to memory of 4108	2076	e57f09a.exe	RuntimeBroker.exe
PID 2076 wrote to memory of 4800	2076	e57f09a.exe	RuntimeBroker.exe
PID 2076 wrote to memory of 2272	2076	e57f09a.exe	TextInputHost.exe
PID 2076 wrote to memory of 3848	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 1292	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3312	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3112	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3428	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 4128	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3892	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 1420	2076	e57f09a.exe	rundll32.exe
PID 2076 wrote to memory of 1528	2076	e57f09a.exe	rundll32.exe
PID 2076 wrote to memory of 1528	2076	e57f09a.exe	rundll32.exe
PID 1528 wrote to memory of 1720	1528	rundll32.exe	e57f712.exe
PID 1528 wrote to memory of 1720	1528	rundll32.exe	e57f712.exe
PID 1528 wrote to memory of 1720	1528	rundll32.exe	e57f712.exe
PID 1528 wrote to memory of 1584	1528	rundll32.exe	e580579.exe
PID 1528 wrote to memory of 1584	1528	rundll32.exe	e580579.exe
PID 1528 wrote to memory of 1584	1528	rundll32.exe	e580579.exe
PID 1528 wrote to memory of 2196	1528	rundll32.exe	e580606.exe
PID 1528 wrote to memory of 2196	1528	rundll32.exe	e580606.exe
PID 1528 wrote to memory of 2196	1528	rundll32.exe	e580606.exe
PID 2076 wrote to memory of 784	2076	e57f09a.exe	fontdrvhost.exe
PID 2076 wrote to memory of 792	2076	e57f09a.exe	fontdrvhost.exe
PID 2076 wrote to memory of 388	2076	e57f09a.exe	dwm.exe
PID 2076 wrote to memory of 2808	2076	e57f09a.exe	sihost.exe
PID 2076 wrote to memory of 2848	2076	e57f09a.exe	svchost.exe
PID 2076 wrote to memory of 2952	2076	e57f09a.exe	taskhostw.exe
PID 2076 wrote to memory of 3372	2076	e57f09a.exe	Explorer.EXE
PID 2076 wrote to memory of 3564	2076	e57f09a.exe	svchost.exe
PID 2076 wrote to memory of 3756	2076	e57f09a.exe	DllHost.exe
PID 2076 wrote to memory of 3880	2076	e57f09a.exe	StartMenuExperienceHost.exe
PID 2076 wrote to memory of 3972	2076	e57f09a.exe	RuntimeBroker.exe
PID 2076 wrote to memory of 4056	2076	e57f09a.exe	SearchApp.exe
PID 2076 wrote to memory of 4108	2076	e57f09a.exe	RuntimeBroker.exe
PID 2076 wrote to memory of 4800	2076	e57f09a.exe	RuntimeBroker.exe
PID 2076 wrote to memory of 2272	2076	e57f09a.exe	TextInputHost.exe
PID 2076 wrote to memory of 3848	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 1292	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3312	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3112	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3428	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 4128	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 3892	2076	e57f09a.exe	msedge.exe
PID 2076 wrote to memory of 1720	2076	e57f09a.exe	e57f712.exe
PID 2076 wrote to memory of 1720	2076	e57f09a.exe	e57f712.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e57f09a.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57f09a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57f09a.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2848

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b33e2a6802abca5224471ab911ba080_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b33e2a6802abca5224471ab911ba080_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\e57f09a.exe
C:\Users\Admin\AppData\Local\Temp\e57f09a.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2076

C:\Users\Admin\AppData\Local\Temp\e57f712.exe
C:\Users\Admin\AppData\Local\Temp\e57f712.exe
4⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\e580579.exe
C:\Users\Admin\AppData\Local\Temp\e580579.exe
4⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\e580606.exe
C:\Users\Admin\AppData\Local\Temp\e580606.exe
4⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4800

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x214,0x7ff825262e98,0x7ff825262ea4,0x7ff825262eb0
2⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2740 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:2
2⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2800 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3
2⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
2⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5544 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
2⤵
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57f09a.exe
Filesize
97KB

MD5
92ac594734f20256378a9e29f0f5657e

SHA1
cd8c3a462e90b7bd129dd3a5c76c3d2ff53b30ce

SHA256
c2fc813d5403fe9c996f8056ec10f08a2c38080a461da272e44296c73fd484dd

SHA512
782fbcd8014f885ed01dc9fc9422f7e824f0c8bdc095d4c9dcb233a71fcec3505e08e37b25402e8c0916f3e9c7b3e85bc1537392b6b3ab99bb24bbb4f2a50323

Download Submit
memory/1528-23-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/1528-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1528-31-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/1528-30-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1528-29-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/1584-75-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1584-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1584-122-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1720-113-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1720-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1720-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1720-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1720-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-56-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-79-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-12-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-13-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-10-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-38-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-37-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-39-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-32-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2076-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-53-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-54-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-35-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2076-57-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-59-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-60-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-98-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-26-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2076-22-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-91-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-21-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-20-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-11-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-114-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2076-70-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-9-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-72-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-77-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-14-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-83-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-82-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-85-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-88-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2076-95-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2076-7-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/2196-76-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2196-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2196-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2196-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2196-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads