Malware Analysis Report

2024-09-11 12:59

Sample ID 240613-dmhc7sscqg
Target 59a08dbcb985c1c9cd9a4071d5c0e2c0_NeikiAnalytics.exe
SHA256 d9e9efaee57ab4a214055dc0647917c475f5976afa545a686a4d38168b79027b
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9e9efaee57ab4a214055dc0647917c475f5976afa545a686a4d38168b79027b

Threat Level: Known bad

The file 59a08dbcb985c1c9cd9a4071d5c0e2c0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Modifies firewall policy service

UAC bypass

Sality

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:07

Reported

2024-06-13 03:09

Platform

win7-20231129-en

Max time kernel

122s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761a35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76194b C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
File created C:\Windows\f76697d C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3024 wrote to memory of 2108 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7618fd.exe
PID 3024 wrote to memory of 2108 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7618fd.exe
PID 3024 wrote to memory of 2108 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7618fd.exe
PID 3024 wrote to memory of 2108 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7618fd.exe
PID 2108 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\system32\taskhost.exe
PID 2108 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\system32\Dwm.exe
PID 2108 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\Explorer.EXE
PID 2108 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\system32\DllHost.exe
PID 2108 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\system32\rundll32.exe
PID 2108 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2108 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3024 wrote to memory of 2440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a35.exe
PID 3024 wrote to memory of 2440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a35.exe
PID 3024 wrote to memory of 2440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a35.exe
PID 3024 wrote to memory of 2440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761a35.exe
PID 3024 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7634b7.exe
PID 3024 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7634b7.exe
PID 3024 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7634b7.exe
PID 3024 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7634b7.exe
PID 2108 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\system32\taskhost.exe
PID 2108 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\system32\Dwm.exe
PID 2108 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Windows\Explorer.EXE
PID 2108 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Users\Admin\AppData\Local\Temp\f761a35.exe
PID 2108 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Users\Admin\AppData\Local\Temp\f761a35.exe
PID 2108 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Users\Admin\AppData\Local\Temp\f7634b7.exe
PID 2108 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f7618fd.exe C:\Users\Admin\AppData\Local\Temp\f7634b7.exe
PID 2504 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe C:\Windows\system32\taskhost.exe
PID 2504 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe C:\Windows\system32\Dwm.exe
PID 2504 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f7634b7.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7618fd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7634b7.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\59a08dbcb985c1c9cd9a4071d5c0e2c0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\59a08dbcb985c1c9cd9a4071d5c0e2c0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7618fd.exe

C:\Users\Admin\AppData\Local\Temp\f7618fd.exe

C:\Users\Admin\AppData\Local\Temp\f761a35.exe

C:\Users\Admin\AppData\Local\Temp\f761a35.exe

C:\Users\Admin\AppData\Local\Temp\f7634b7.exe

C:\Users\Admin\AppData\Local\Temp\f7634b7.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f7618fd.exe

MD5 7426275e38a167daed4b1a2d3811cebd
SHA1 c54c6e7c33dd41c6ed62d6651acbe9b25bb00e88
SHA256 21654774e8151fedf3ecd74e28829986b6678196b23d0715bfaef066073ac156
SHA512 23d74aeb6b07d86bb44e0b4ba256cfa79be63f49b625924095cc3ef773174a6d4711111ae8bf4fc79ff741663ff27a517181dba1e1ea623ded97ac3cc453da14

memory/3024-8-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3024-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2108-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2108-13-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-16-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2440-55-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-54-0x0000000000160000-0x0000000000162000-memory.dmp

memory/3024-53-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-51-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2108-15-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-37-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2108-20-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-39-0x0000000000690000-0x000000000174A000-memory.dmp

memory/3024-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2108-43-0x0000000000290000-0x0000000000292000-memory.dmp

memory/2108-40-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-38-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-19-0x0000000000690000-0x000000000174A000-memory.dmp

memory/3024-42-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2108-17-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-41-0x0000000000290000-0x0000000000292000-memory.dmp

memory/3024-28-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1260-21-0x0000000000320000-0x0000000000322000-memory.dmp

memory/2108-18-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-61-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-62-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-63-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-64-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-65-0x0000000000690000-0x000000000174A000-memory.dmp

memory/3024-75-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2504-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2108-79-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-80-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-82-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-83-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2504-98-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2504-97-0x0000000000370000-0x0000000000371000-memory.dmp

memory/2440-93-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2440-92-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2504-100-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2440-99-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2108-101-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-103-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-105-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-111-0x0000000000290000-0x0000000000292000-memory.dmp

memory/2108-145-0x0000000000690000-0x000000000174A000-memory.dmp

memory/2108-146-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2440-147-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 c62d8389d11d3a690be22fe3c28681d1
SHA1 4116a381484d50a58a914252523500bbf683dcd4
SHA256 80c5bd182fce5db0c3d4549ba11dd03fba463a266261a23c9361faf5283a62f1
SHA512 afe98d3d5b3c620274b287986c8751b26a1bc2ed6015140d5a99ba5b9b450a7a0c79408d9c84479e3f80ddda13982689f5c148101bec2d131c5e0248c192c34e

memory/2504-160-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2504-197-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2504-198-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:07

Reported

2024-06-13 03:09

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573b24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e576244.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e576263.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573a69 C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1788 wrote to memory of 4760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1788 wrote to memory of 4760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1788 wrote to memory of 4760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4760 wrote to memory of 4208 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5739ec.exe
PID 4760 wrote to memory of 4208 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5739ec.exe
PID 4760 wrote to memory of 4208 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5739ec.exe
PID 4208 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\fontdrvhost.exe
PID 4208 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\fontdrvhost.exe
PID 4208 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\dwm.exe
PID 4208 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\sihost.exe
PID 4208 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\svchost.exe
PID 4208 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\taskhostw.exe
PID 4208 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\Explorer.EXE
PID 4208 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\svchost.exe
PID 4208 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\DllHost.exe
PID 4208 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4208 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4208 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4208 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4208 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4208 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\rundll32.exe
PID 4208 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4208 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4760 wrote to memory of 1656 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573b24.exe
PID 4760 wrote to memory of 1656 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573b24.exe
PID 4760 wrote to memory of 1656 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573b24.exe
PID 4760 wrote to memory of 3616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576244.exe
PID 4760 wrote to memory of 3616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576244.exe
PID 4760 wrote to memory of 3616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576244.exe
PID 4760 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576263.exe
PID 4760 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576263.exe
PID 4760 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576263.exe
PID 4208 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\fontdrvhost.exe
PID 4208 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\fontdrvhost.exe
PID 4208 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\dwm.exe
PID 4208 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\sihost.exe
PID 4208 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\svchost.exe
PID 4208 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\taskhostw.exe
PID 4208 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\Explorer.EXE
PID 4208 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\svchost.exe
PID 4208 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\DllHost.exe
PID 4208 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4208 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4208 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4208 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4208 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4208 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Users\Admin\AppData\Local\Temp\e573b24.exe
PID 4208 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Users\Admin\AppData\Local\Temp\e573b24.exe
PID 4208 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Windows\System32\RuntimeBroker.exe
PID 4208 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Users\Admin\AppData\Local\Temp\e576244.exe
PID 4208 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Users\Admin\AppData\Local\Temp\e576244.exe
PID 4208 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Users\Admin\AppData\Local\Temp\e576263.exe
PID 4208 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\e5739ec.exe C:\Users\Admin\AppData\Local\Temp\e576263.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5739ec.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\59a08dbcb985c1c9cd9a4071d5c0e2c0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\59a08dbcb985c1c9cd9a4071d5c0e2c0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5739ec.exe

C:\Users\Admin\AppData\Local\Temp\e5739ec.exe

C:\Users\Admin\AppData\Local\Temp\e573b24.exe

C:\Users\Admin\AppData\Local\Temp\e573b24.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576244.exe

C:\Users\Admin\AppData\Local\Temp\e576244.exe

C:\Users\Admin\AppData\Local\Temp\e576263.exe

C:\Users\Admin\AppData\Local\Temp\e576263.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4760-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5739ec.exe

MD5 7426275e38a167daed4b1a2d3811cebd
SHA1 c54c6e7c33dd41c6ed62d6651acbe9b25bb00e88
SHA256 21654774e8151fedf3ecd74e28829986b6678196b23d0715bfaef066073ac156
SHA512 23d74aeb6b07d86bb44e0b4ba256cfa79be63f49b625924095cc3ef773174a6d4711111ae8bf4fc79ff741663ff27a517181dba1e1ea623ded97ac3cc453da14

memory/4208-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4208-9-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-10-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4760-17-0x00000000035E0000-0x00000000035E2000-memory.dmp

memory/4208-28-0x0000000000730000-0x0000000000732000-memory.dmp

memory/4760-33-0x00000000035E0000-0x00000000035E2000-memory.dmp

memory/4208-29-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-26-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-25-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-12-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-27-0x0000000000730000-0x0000000000732000-memory.dmp

memory/4208-11-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-16-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

memory/4760-14-0x0000000003B00000-0x0000000003B01000-memory.dmp

memory/4760-13-0x00000000035E0000-0x00000000035E2000-memory.dmp

memory/4208-8-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-6-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-30-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-34-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-35-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-36-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-37-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-38-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/3616-45-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4760-49-0x00000000035E0000-0x00000000035E2000-memory.dmp

memory/2172-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4208-53-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/2172-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2172-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3616-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3616-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3616-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1656-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2172-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1656-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1656-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4208-66-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-68-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-69-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-70-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-73-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-74-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-75-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-81-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-82-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-85-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-86-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-89-0x0000000000840000-0x00000000018FA000-memory.dmp

memory/4208-95-0x0000000000730000-0x0000000000732000-memory.dmp

memory/4208-105-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1656-109-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3616-113-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2172-117-0x0000000000400000-0x0000000000412000-memory.dmp