Malware Analysis Report

2024-09-11 12:59

Sample ID 240613-dlyc2awbpk
Target 5985d59cc101387bdba5d924195b1fb0_NeikiAnalytics.exe
SHA256 f267cef458a6d5ce8303d06826536528442c81cdcee88f46818c4a368cbb7923
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f267cef458a6d5ce8303d06826536528442c81cdcee88f46818c4a368cbb7923

Threat Level: Known bad

The file 5985d59cc101387bdba5d924195b1fb0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

Sality

UAC bypass

Executes dropped EXE

Windows security modification

Loads dropped DLL

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:06

Reported

2024-06-13 03:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762730.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760bf2 C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
File created C:\Windows\f765b88 C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2216 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 2216 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 2216 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 2216 wrote to memory of 2648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 2648 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\system32\taskhost.exe
PID 2648 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\system32\Dwm.exe
PID 2648 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\Explorer.EXE
PID 2648 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\system32\DllHost.exe
PID 2648 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\system32\rundll32.exe
PID 2648 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\SysWOW64\rundll32.exe
PID 2216 wrote to memory of 2380 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760d1b.exe
PID 2216 wrote to memory of 2380 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760d1b.exe
PID 2216 wrote to memory of 2380 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760d1b.exe
PID 2216 wrote to memory of 2380 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760d1b.exe
PID 2216 wrote to memory of 1428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762730.exe
PID 2216 wrote to memory of 1428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762730.exe
PID 2216 wrote to memory of 1428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762730.exe
PID 2216 wrote to memory of 1428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762730.exe
PID 2648 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\system32\taskhost.exe
PID 2648 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\system32\Dwm.exe
PID 2648 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Windows\Explorer.EXE
PID 2648 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Users\Admin\AppData\Local\Temp\f760d1b.exe
PID 2648 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Users\Admin\AppData\Local\Temp\f760d1b.exe
PID 2648 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Users\Admin\AppData\Local\Temp\f762730.exe
PID 2648 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe C:\Users\Admin\AppData\Local\Temp\f762730.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760d1b.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5985d59cc101387bdba5d924195b1fb0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5985d59cc101387bdba5d924195b1fb0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760b85.exe

C:\Users\Admin\AppData\Local\Temp\f760b85.exe

C:\Users\Admin\AppData\Local\Temp\f760d1b.exe

C:\Users\Admin\AppData\Local\Temp\f760d1b.exe

C:\Users\Admin\AppData\Local\Temp\f762730.exe

C:\Users\Admin\AppData\Local\Temp\f762730.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f760b85.exe

MD5 b148a100789cc9bdea7a0a090d6221db
SHA1 22f841b63ef7da0a956ff8beda7b7592ef56f040
SHA256 86b9ef9c832decf95e8f90e227b31c6e2c9fd452b7d27a5a17a38b773108de20
SHA512 05d246e8b48cfe964227b99174886fe82e6c300f76711123d0eb548fe2430561a925b37307030d7d6626a9bc50469faefe807584de14ae7040ac8faeb0f5312d

memory/2216-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2216-9-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2216-8-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2648-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2648-14-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-23-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1060-24-0x0000000000210000-0x0000000000212000-memory.dmp

memory/2648-15-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2216-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2216-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2380-63-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2648-21-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-51-0x0000000000430000-0x0000000000432000-memory.dmp

memory/2216-49-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2648-48-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2648-20-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-17-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-22-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-19-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-18-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2216-60-0x0000000000780000-0x0000000000792000-memory.dmp

memory/2648-59-0x0000000000430000-0x0000000000432000-memory.dmp

memory/2648-16-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2216-34-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2216-33-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2648-64-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-65-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-66-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-67-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-68-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2216-77-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2648-81-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-82-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-83-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2380-92-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2380-91-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1428-97-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1428-99-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2380-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1428-101-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2648-102-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-104-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-105-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2648-120-0x0000000000430000-0x0000000000432000-memory.dmp

memory/2648-146-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2648-145-0x00000000005A0000-0x000000000165A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 17f8d4a03481688f7ae1c0e13f4918ec
SHA1 a54d66da7e09aa1edfe893941f09dd1a67b2bec6
SHA256 d857e9993a850d5691b684b3bf39df6b509b214c2e23c9286fb4847d5a6b5c9b
SHA512 a4f5a24f5e90118949a0f34f797787af03c7f71dc7ab16d3a7134f873c9a8889c7cff881cb2b3e3a066d8cd72cc3b99c5a3237a209a43104029f568d9b0caf27

memory/2380-169-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2380-164-0x00000000009B0000-0x0000000001A6A000-memory.dmp

memory/1428-173-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:06

Reported

2024-06-13 03:08

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

56s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5775ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e577474 C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
File created C:\Windows\e57c4e6 C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4640 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4640 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 1448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577445.exe
PID 2300 wrote to memory of 1448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577445.exe
PID 2300 wrote to memory of 1448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577445.exe
PID 1448 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\fontdrvhost.exe
PID 1448 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\fontdrvhost.exe
PID 1448 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\dwm.exe
PID 1448 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\sihost.exe
PID 1448 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\svchost.exe
PID 1448 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\taskhostw.exe
PID 1448 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\Explorer.EXE
PID 1448 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\svchost.exe
PID 1448 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\DllHost.exe
PID 1448 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1448 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\System32\RuntimeBroker.exe
PID 1448 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1448 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\System32\RuntimeBroker.exe
PID 1448 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\System32\RuntimeBroker.exe
PID 1448 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1448 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\rundll32.exe
PID 1448 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SysWOW64\rundll32.exe
PID 1448 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 4840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5775ad.exe
PID 2300 wrote to memory of 4840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5775ad.exe
PID 2300 wrote to memory of 4840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5775ad.exe
PID 2300 wrote to memory of 1200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579143.exe
PID 2300 wrote to memory of 1200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579143.exe
PID 2300 wrote to memory of 1200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e579143.exe
PID 1448 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\fontdrvhost.exe
PID 1448 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\fontdrvhost.exe
PID 1448 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\dwm.exe
PID 1448 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\sihost.exe
PID 1448 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\svchost.exe
PID 1448 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\taskhostw.exe
PID 1448 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\Explorer.EXE
PID 1448 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\svchost.exe
PID 1448 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\system32\DllHost.exe
PID 1448 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1448 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\System32\RuntimeBroker.exe
PID 1448 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1448 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\System32\RuntimeBroker.exe
PID 1448 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\System32\RuntimeBroker.exe
PID 1448 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1448 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Users\Admin\AppData\Local\Temp\e5775ad.exe
PID 1448 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Users\Admin\AppData\Local\Temp\e5775ad.exe
PID 1448 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Users\Admin\AppData\Local\Temp\e579143.exe
PID 1448 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\e577445.exe C:\Users\Admin\AppData\Local\Temp\e579143.exe
PID 1200 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\fontdrvhost.exe
PID 1200 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\fontdrvhost.exe
PID 1200 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\dwm.exe
PID 1200 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\sihost.exe
PID 1200 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\svchost.exe
PID 1200 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\taskhostw.exe
PID 1200 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\Explorer.EXE
PID 1200 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\svchost.exe
PID 1200 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\system32\DllHost.exe
PID 1200 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1200 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\System32\RuntimeBroker.exe
PID 1200 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1200 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\System32\RuntimeBroker.exe
PID 1200 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\System32\RuntimeBroker.exe
PID 1200 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e579143.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577445.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e579143.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5985d59cc101387bdba5d924195b1fb0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5985d59cc101387bdba5d924195b1fb0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e577445.exe

C:\Users\Admin\AppData\Local\Temp\e577445.exe

C:\Users\Admin\AppData\Local\Temp\e5775ad.exe

C:\Users\Admin\AppData\Local\Temp\e5775ad.exe

C:\Users\Admin\AppData\Local\Temp\e579143.exe

C:\Users\Admin\AppData\Local\Temp\e579143.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2300-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e577445.exe

MD5 b148a100789cc9bdea7a0a090d6221db
SHA1 22f841b63ef7da0a956ff8beda7b7592ef56f040
SHA256 86b9ef9c832decf95e8f90e227b31c6e2c9fd452b7d27a5a17a38b773108de20
SHA512 05d246e8b48cfe964227b99174886fe82e6c300f76711123d0eb548fe2430561a925b37307030d7d6626a9bc50469faefe807584de14ae7040ac8faeb0f5312d

memory/1448-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1448-6-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-8-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-10-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-17-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-19-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/4840-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1448-34-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/1448-28-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-32-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/2300-33-0x00000000007D0000-0x00000000007D2000-memory.dmp

memory/1448-27-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-29-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/1448-11-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/2300-24-0x00000000007D0000-0x00000000007D2000-memory.dmp

memory/1448-23-0x0000000000600000-0x0000000000601000-memory.dmp

memory/2300-21-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/2300-20-0x00000000007D0000-0x00000000007D2000-memory.dmp

memory/1448-18-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-9-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-37-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-36-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-38-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-40-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-39-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-42-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-43-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-51-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-53-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-54-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/4840-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4840-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1200-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1200-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1200-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4840-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1448-65-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-66-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-69-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-71-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-73-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-74-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-76-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-78-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-79-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-82-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1448-90-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/1448-101-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1448-85-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/4840-105-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f2bd9c9ca90ef6605ce2ea45fefd70a8
SHA1 0b301d250d2459265d7fe6c1cd7a7716d3bbc936
SHA256 799773bc7ab44587d819284d59f5ccd1c8bf29a1d2795317b21c08683c95caaf
SHA512 02cebf6c2248b92a3df36f26526871f02f440ea38ee41570f776a0fd7f24f19a10ae10811ef3a7c5dc3419e513f1e56c4c857c224a05e93bae03438d2ec20d6c

memory/1200-117-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/1200-150-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1200-149-0x0000000000B20000-0x0000000001BDA000-memory.dmp