Malware Analysis Report

2024-09-11 12:21

Sample ID 240614-grbm1axflb
Target a7ea8da2f707570fec542bc493fa4f70_NeikiAnalytics.exe
SHA256 269c6d99aa0644752845d2226fab1a90a758942a1374a9cdb964792efd41b3d6
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

269c6d99aa0644752845d2226fab1a90a758942a1374a9cdb964792efd41b3d6

Threat Level: Known bad

The file a7ea8da2f707570fec542bc493fa4f70_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:01

Reported

2024-06-14 06:04

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760751.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760619 C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
File created C:\Windows\f7655ed C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1096 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1096 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1096 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1096 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1096 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1096 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2296 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76057d.exe
PID 2296 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76057d.exe
PID 2296 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76057d.exe
PID 2296 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76057d.exe
PID 2252 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\system32\taskhost.exe
PID 2252 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\system32\Dwm.exe
PID 2252 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\Explorer.EXE
PID 2252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\system32\DllHost.exe
PID 2252 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\system32\rundll32.exe
PID 2252 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2252 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2296 wrote to memory of 2528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760751.exe
PID 2296 wrote to memory of 2528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760751.exe
PID 2296 wrote to memory of 2528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760751.exe
PID 2296 wrote to memory of 2528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760751.exe
PID 2296 wrote to memory of 3016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762127.exe
PID 2296 wrote to memory of 3016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762127.exe
PID 2296 wrote to memory of 3016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762127.exe
PID 2296 wrote to memory of 3016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762127.exe
PID 2252 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\system32\taskhost.exe
PID 2252 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\system32\Dwm.exe
PID 2252 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Windows\Explorer.EXE
PID 2252 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Users\Admin\AppData\Local\Temp\f760751.exe
PID 2252 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Users\Admin\AppData\Local\Temp\f760751.exe
PID 2252 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Users\Admin\AppData\Local\Temp\f762127.exe
PID 2252 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\f76057d.exe C:\Users\Admin\AppData\Local\Temp\f762127.exe
PID 3016 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe C:\Windows\system32\taskhost.exe
PID 3016 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe C:\Windows\system32\Dwm.exe
PID 3016 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\f762127.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762127.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76057d.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ea8da2f707570fec542bc493fa4f70_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ea8da2f707570fec542bc493fa4f70_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76057d.exe

C:\Users\Admin\AppData\Local\Temp\f76057d.exe

C:\Users\Admin\AppData\Local\Temp\f760751.exe

C:\Users\Admin\AppData\Local\Temp\f760751.exe

C:\Users\Admin\AppData\Local\Temp\f762127.exe

C:\Users\Admin\AppData\Local\Temp\f762127.exe

Network

N/A

Files

memory/2296-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76057d.exe

MD5 c21997e7b450e15a3c69f03eafe9346d
SHA1 7e5a654de5bbbf5f0b1d151ada1608a8e742330e
SHA256 f1251865cc407a1c914bfad03282fa31c69484edc9f71a895bb9b297f1801ad3
SHA512 9fc988d2f71647f4620f63fbc986e7b5e01194410b7fd4a3e60656ed3c6f23d78fb67a19b5c68e95ae7a0d7e2b2d00b9850feb59beb85d17e6dcf54be7f5192a

memory/2296-9-0x0000000000150000-0x0000000000162000-memory.dmp

memory/2252-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-10-0x0000000000150000-0x0000000000162000-memory.dmp

memory/2252-14-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-12-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2296-30-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2252-15-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2296-55-0x0000000000190000-0x00000000001A2000-memory.dmp

memory/2528-58-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2296-56-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2252-18-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-17-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2296-54-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2252-20-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1224-22-0x0000000002010000-0x0000000002012000-memory.dmp

memory/2296-29-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2252-37-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2252-42-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2252-19-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-40-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2252-16-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2296-39-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2252-21-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-38-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-60-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-59-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-61-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-62-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-63-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2296-73-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2252-76-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-77-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-79-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2528-88-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2528-87-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/3016-92-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3016-93-0x0000000000330000-0x0000000000331000-memory.dmp

memory/3016-95-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2528-94-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2252-97-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-98-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-100-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-101-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-106-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-108-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2252-144-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2252-145-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3016-154-0x0000000000920000-0x00000000019DA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f731e28b9318aa3afe95121cd654560c
SHA1 629e310cb77a077e510dd017d109d7a4394ebfaf
SHA256 d90b30e1c944c853989ee95a43a1f8a942838e1848342cd64ec5d34261891667
SHA512 c4f9cd36749be4fe9c08d2dc8c574c88b6c26a5ce76be300c399bf468fe31fa9547a8f30672fcef96e4157fbae6cad79fae6238931debf9d0227ce75082a41e4

memory/2528-155-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3016-197-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3016-198-0x0000000000920000-0x00000000019DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:01

Reported

2024-06-14 06:04

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574d26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574c6a C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
File created C:\Windows\e57b66f C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574c1c.exe
PID 2420 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574c1c.exe
PID 2420 wrote to memory of 4044 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574c1c.exe
PID 4044 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\fontdrvhost.exe
PID 4044 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\fontdrvhost.exe
PID 4044 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\dwm.exe
PID 4044 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\sihost.exe
PID 4044 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\svchost.exe
PID 4044 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\taskhostw.exe
PID 4044 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\Explorer.EXE
PID 4044 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\svchost.exe
PID 4044 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\DllHost.exe
PID 4044 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4044 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4044 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4044 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4044 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\rundll32.exe
PID 4044 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SysWOW64\rundll32.exe
PID 4044 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 3652 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574d26.exe
PID 2420 wrote to memory of 3652 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574d26.exe
PID 2420 wrote to memory of 3652 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574d26.exe
PID 2420 wrote to memory of 3812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe
PID 2420 wrote to memory of 3812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe
PID 2420 wrote to memory of 3812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe
PID 4044 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\fontdrvhost.exe
PID 4044 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\fontdrvhost.exe
PID 4044 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\dwm.exe
PID 4044 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\sihost.exe
PID 4044 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\svchost.exe
PID 4044 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\taskhostw.exe
PID 4044 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\Explorer.EXE
PID 4044 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\svchost.exe
PID 4044 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\system32\DllHost.exe
PID 4044 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4044 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4044 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4044 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Users\Admin\AppData\Local\Temp\e574d26.exe
PID 4044 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Users\Admin\AppData\Local\Temp\e574d26.exe
PID 4044 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Windows\System32\RuntimeBroker.exe
PID 4044 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe
PID 4044 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\e574c1c.exe C:\Users\Admin\AppData\Local\Temp\e5767f1.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574c1c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767f1.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ea8da2f707570fec542bc493fa4f70_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ea8da2f707570fec542bc493fa4f70_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574c1c.exe

C:\Users\Admin\AppData\Local\Temp\e574c1c.exe

C:\Users\Admin\AppData\Local\Temp\e574d26.exe

C:\Users\Admin\AppData\Local\Temp\e574d26.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5767f1.exe

C:\Users\Admin\AppData\Local\Temp\e5767f1.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\e574c1c.exe

MD5 c21997e7b450e15a3c69f03eafe9346d
SHA1 7e5a654de5bbbf5f0b1d151ada1608a8e742330e
SHA256 f1251865cc407a1c914bfad03282fa31c69484edc9f71a895bb9b297f1801ad3
SHA512 9fc988d2f71647f4620f63fbc986e7b5e01194410b7fd4a3e60656ed3c6f23d78fb67a19b5c68e95ae7a0d7e2b2d00b9850feb59beb85d17e6dcf54be7f5192a

memory/2420-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/4044-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4044-6-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2420-20-0x0000000000A00000-0x0000000000A02000-memory.dmp

memory/4044-9-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-22-0x0000000003520000-0x0000000003522000-memory.dmp

memory/4044-17-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-25-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-31-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-33-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-35-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-34-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-21-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-23-0x0000000003520000-0x0000000003522000-memory.dmp

memory/2420-19-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

memory/4044-8-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2420-15-0x0000000000A00000-0x0000000000A02000-memory.dmp

memory/4044-14-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

memory/2420-11-0x0000000000A00000-0x0000000000A02000-memory.dmp

memory/4044-10-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-36-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-37-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-38-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-39-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-40-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-42-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3812-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4044-51-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-52-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-54-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3812-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3812-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3652-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3652-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3812-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3652-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4044-63-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-65-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-66-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-70-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-72-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-74-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-75-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-77-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-79-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-85-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-88-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-90-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4044-107-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3652-111-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 c2efcb6ffa1fad1a36d6a4dc1dd9c1fd
SHA1 61a7dec252ae2ae7f19d00f89f4ce0720723e0be
SHA256 7bcafbfa9072e4fe52fe318f831439a409121fcba9ad5b3d3ca1be4e84765dfb
SHA512 ed443239a901069787cb6230d6a9b029191e2d9cdb98a0d62277fa1638eb1e401e91ed39070f584b9352ed45aa701076d871e68dd6c5026750e9475099546520

memory/3812-130-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3812-128-0x0000000000B40000-0x0000000001BFA000-memory.dmp