Malware Analysis Report

2024-09-11 12:58

Sample ID 240612-cwe4rsyfnr
Target 17ef6d11d8cf38d2bd6f410a692c98e0_NeikiAnalytics.exe
SHA256 862b8557042d2990c9a7ee93ce3d502c66c5ec9c58d437763cb4d86ce2b306da
Tags sality backdoor evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

862b8557042d2990c9a7ee93ce3d502c66c5ec9c58d437763cb4d86ce2b306da

Threat Level: Known bad

The file 17ef6d11d8cf38d2bd6f410a692c98e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Modifies firewall policy service

Windows security bypass

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 02:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 02:25

Reported

2024-06-12 02:27

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76231a C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
File created C:\Windows\f76730e C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2100 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7622ad.exe
PID 2972 wrote to memory of 2100 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7622ad.exe
PID 2972 wrote to memory of 2100 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7622ad.exe
PID 2972 wrote to memory of 2100 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7622ad.exe
PID 2100 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\system32\taskhost.exe
PID 2100 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\system32\Dwm.exe
PID 2100 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\Explorer.EXE
PID 2100 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\system32\DllHost.exe
PID 2100 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\system32\rundll32.exe
PID 2100 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762433.exe
PID 2972 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762433.exe
PID 2972 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762433.exe
PID 2972 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762433.exe
PID 2972 wrote to memory of 2584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763e86.exe
PID 2972 wrote to memory of 2584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763e86.exe
PID 2972 wrote to memory of 2584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763e86.exe
PID 2972 wrote to memory of 2584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763e86.exe
PID 2100 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\system32\taskhost.exe
PID 2100 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\system32\Dwm.exe
PID 2100 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Windows\Explorer.EXE
PID 2100 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Users\Admin\AppData\Local\Temp\f762433.exe
PID 2100 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Users\Admin\AppData\Local\Temp\f762433.exe
PID 2100 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Users\Admin\AppData\Local\Temp\f763e86.exe
PID 2100 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f7622ad.exe C:\Users\Admin\AppData\Local\Temp\f763e86.exe
PID 2584 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe C:\Windows\system32\taskhost.exe
PID 2584 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe C:\Windows\system32\Dwm.exe
PID 2584 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f763e86.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7622ad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763e86.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\17ef6d11d8cf38d2bd6f410a692c98e0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\17ef6d11d8cf38d2bd6f410a692c98e0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7622ad.exe

C:\Users\Admin\AppData\Local\Temp\f7622ad.exe

C:\Users\Admin\AppData\Local\Temp\f762433.exe

C:\Users\Admin\AppData\Local\Temp\f762433.exe

C:\Users\Admin\AppData\Local\Temp\f763e86.exe

C:\Users\Admin\AppData\Local\Temp\f763e86.exe

Network

N/A

Files

memory/2972-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f7622ad.exe

MD5 d0e0283deeb9250bc53672d9b1f983b9
SHA1 a1da07c0ea5658f756bb19621be3e3882207aa04
SHA256 2984b1094fd83b0b9f51936facb6f61d61b9b025d81bcbf25db632e9a90b7052
SHA512 93d24234e5dcf76fc4f1ec664b2c52615602164b3539274c8717d4e4810e74d91da5db87020655fded0536c4ea03614b2139eb2e285d1a9acbf9a7dadbdee4bc

memory/2100-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2972-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2100-16-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-13-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-19-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-17-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-15-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2972-44-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2100-47-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/2100-20-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-45-0x0000000003D20000-0x0000000003D21000-memory.dmp

memory/2732-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2972-36-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2972-35-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2972-58-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/1120-28-0x0000000000310000-0x0000000000312000-memory.dmp

memory/2100-18-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2972-57-0x0000000000240000-0x0000000000252000-memory.dmp

memory/2100-14-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-22-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-21-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-56-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

memory/2972-54-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2100-60-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-61-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-62-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-63-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-64-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-66-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-67-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2584-79-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2972-76-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2100-80-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-82-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-85-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2584-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2584-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2732-94-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2732-93-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2584-102-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2732-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2100-103-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-104-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-126-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2100-151-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2100-152-0x00000000005D0000-0x000000000168A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f63450dd7ecb8436b2d496373cb0ec4b
SHA1 c52fba1471636d989168694161b1024a06f8e113
SHA256 234987e788dd24bf447ea6335da55ff24ba60df404552a7827cfca657a27f58a
SHA512 024edb5214077a455eb2da4b8e3c084a2e2b393c850d50964681362ccc0287eb05dd2d92fb92f2caf22d4c31743a7b661bda547cf1f1be654a453f917ab8ca2d

memory/2584-167-0x00000000009B0000-0x0000000001A6A000-memory.dmp

memory/2732-173-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2584-206-0x00000000009B0000-0x0000000001A6A000-memory.dmp

memory/2584-207-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 02:25

Reported

2024-06-12 02:27

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e577465 C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
File created C:\Windows\e57de69 C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 1344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 464 wrote to memory of 1344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 464 wrote to memory of 1344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 5052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577426.exe
PID 1344 wrote to memory of 5052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577426.exe
PID 1344 wrote to memory of 5052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577426.exe
PID 5052 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\fontdrvhost.exe
PID 5052 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\fontdrvhost.exe
PID 5052 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\dwm.exe
PID 5052 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\sihost.exe
PID 5052 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\svchost.exe
PID 5052 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\taskhostw.exe
PID 5052 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\Explorer.EXE
PID 5052 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\svchost.exe
PID 5052 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\DllHost.exe
PID 5052 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5052 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5052 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5052 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\rundll32.exe
PID 5052 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SysWOW64\rundll32.exe
PID 5052 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 4840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57755f.exe
PID 1344 wrote to memory of 4840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57755f.exe
PID 1344 wrote to memory of 4840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57755f.exe
PID 1344 wrote to memory of 4868 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57900b.exe
PID 1344 wrote to memory of 4868 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57900b.exe
PID 1344 wrote to memory of 4868 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57900b.exe
PID 5052 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\fontdrvhost.exe
PID 5052 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\fontdrvhost.exe
PID 5052 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\dwm.exe
PID 5052 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\sihost.exe
PID 5052 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\svchost.exe
PID 5052 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\taskhostw.exe
PID 5052 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\Explorer.EXE
PID 5052 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\svchost.exe
PID 5052 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\system32\DllHost.exe
PID 5052 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5052 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5052 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\System32\RuntimeBroker.exe
PID 5052 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5052 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Users\Admin\AppData\Local\Temp\e57755f.exe
PID 5052 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Users\Admin\AppData\Local\Temp\e57755f.exe
PID 5052 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Users\Admin\AppData\Local\Temp\e57900b.exe
PID 5052 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\e577426.exe C:\Users\Admin\AppData\Local\Temp\e57900b.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57900b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577426.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\17ef6d11d8cf38d2bd6f410a692c98e0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\17ef6d11d8cf38d2bd6f410a692c98e0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e577426.exe

C:\Users\Admin\AppData\Local\Temp\e577426.exe

C:\Users\Admin\AppData\Local\Temp\e57755f.exe

C:\Users\Admin\AppData\Local\Temp\e57755f.exe

C:\Users\Admin\AppData\Local\Temp\e57900b.exe

C:\Users\Admin\AppData\Local\Temp\e57900b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e577426.exe

MD5 d0e0283deeb9250bc53672d9b1f983b9
SHA1 a1da07c0ea5658f756bb19621be3e3882207aa04
SHA256 2984b1094fd83b0b9f51936facb6f61d61b9b025d81bcbf25db632e9a90b7052
SHA512 93d24234e5dcf76fc4f1ec664b2c52615602164b3539274c8717d4e4810e74d91da5db87020655fded0536c4ea03614b2139eb2e285d1a9acbf9a7dadbdee4bc

memory/5052-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1344-4-0x0000000010000000-0x0000000010020000-memory.dmp

memory/5052-10-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-11-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-26-0x0000000001A30000-0x0000000001A32000-memory.dmp

memory/5052-27-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-17-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-30-0x0000000001A30000-0x0000000001A32000-memory.dmp

memory/1344-29-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

memory/1344-23-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

memory/5052-22-0x0000000003E70000-0x0000000003E71000-memory.dmp

memory/1344-20-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

memory/1344-19-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

memory/5052-18-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-6-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-9-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/4840-33-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5052-34-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-35-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-28-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-36-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-37-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-38-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-39-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-40-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-42-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-43-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/4868-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5052-52-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-54-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-55-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/4840-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4868-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4868-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4868-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4840-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4840-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/5052-65-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-67-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-70-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-73-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-74-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-76-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-78-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-79-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-80-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-81-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-83-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/5052-92-0x0000000001A30000-0x0000000001A32000-memory.dmp

memory/5052-102-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4840-106-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 a32fa491b15009c8b627b89f8c8d2e15
SHA1 4b4f3d84bd025c9cbd3132b9dd18bcb3f213d490
SHA256 6189ca775110efac2bd02add33b588bbff755b8d1f773cd71ae293282472a9e0
SHA512 2d8de0bc9c03f08b3b0c833ebd503d1e72fa52c35e02a9d4872d76171fe6807cbe23090801da487976052b8b839a38d1d84affb0749ba8f4b988b813bd9f92c8

memory/4868-123-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4868-121-0x0000000000B50000-0x0000000001C0A000-memory.dmp