Malware Analysis Report

2024-09-11 12:11

Sample ID 240616-khq8wa1arr
Target e4c8e1122b75826bc432c0ffc55c45c0_NeikiAnalytics.exe
SHA256 0acb2b2682ae062c269eba0ba6f9b569e4f4020b13729200e2faa5e7147f80a0
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0acb2b2682ae062c269eba0ba6f9b569e4f4020b13729200e2faa5e7147f80a0

Threat Level: Known bad

The file e4c8e1122b75826bc432c0ffc55c45c0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Sality

Modifies firewall policy service

UAC bypass

Windows security modification

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 08:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 08:36

Reported

2024-06-16 08:38

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (30 identical rows collapsed)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
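The registry rows above are the raw evidence; what a responder wants is a rule that turns them into a verdict. The block below is an added example, not the sandbox's signature code and not Sality code: it parses rows in the exact format printed in these tables and maps each (key, value name, value) to the defence it switches off. The rule table, the category names, the `control.exe` row and the `sality_like` criterion (one process hitting firewall, UAC and Security Center) are assumptions of the example; the other sample rows are copied from the behavioral2 tables. It also assumes the process path holds no spaces, which is true of every row here.

```python
"""Security-tampering check over sandbox 'Set value' rows.

Added example: not the sandbox's signature engine and not Sality code.
"""
import re
from collections import defaultdict

# Constructed sample. Rows 1-6 are copied from the behavioral2 tables;
# the last row (control.exe, EnableFirewall = "1") is invented as a
# negative control and must not be flagged.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" C:\Users\Admin\AppData\Local\Temp\control.exe N/A
""".strip().splitlines()

# Matches only 'Set value' rows; 'Key created' rows carry no value and are skipped.
# Assumes the process path has no spaces (true for every row in this report).
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)

# (key suffix, value name) -> (value that means tampering, category, description).
# Suffix matching absorbs ControlSet001/CurrentControlSet and WOW6432Node variants.
# The table itself is an assumption of this example, not something the report states.
TAMPER_RULES = {
    (r"firewallpolicy\standardprofile", "enablefirewall"):       ("0", "firewall", "Windows Firewall disabled"),
    (r"firewallpolicy\standardprofile", "disablenotifications"): ("1", "firewall", "firewall notifications suppressed"),
    (r"firewallpolicy\standardprofile", "donotallowexceptions"): ("0", "firewall", "firewall exceptions permitted"),
    (r"policies\system", "enablelua"):                           ("0", "uac", "UAC disabled (effective after reboot)"),
    ("security center", "antivirusoverride"):                    ("1", "security_center", "AV status override"),
    ("security center", "antivirusdisablenotify"):               ("1", "security_center", "AV alerts suppressed"),
    ("security center", "firewalloverride"):                     ("1", "security_center", "firewall status override"),
    ("security center", "firewalldisablenotify"):                ("1", "security_center", "firewall alerts suppressed"),
    ("security center", "updatesdisablenotify"):                 ("1", "security_center", "update alerts suppressed"),
    ("security center", "uacdisablenotify"):                     ("1", "security_center", "UAC alerts suppressed"),
}


def parse_row(line):
    """Split one 'Set value' row into key path, value name, value and writing process."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").lower().rpartition("\\")
    return {"key": key, "name": name, "value": m.group("value"), "proc": m.group("proc")}


def evaluate(lines):
    """Return {process: {category: [description, ...]}} for rows matching a tamper rule."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        for (suffix, name), (bad, category, desc) in TAMPER_RULES.items():
            if row["name"] == name and row["key"].endswith(suffix) and row["value"] == bad:
                findings[row["proc"]][category].append(desc)
    return {proc: dict(cats) for proc, cats in findings.items()}


def sality_like(findings):
    """Processes that hit all three categories, the combined pattern seen in this report."""
    need = {"firewall", "uac", "security_center"}
    return sorted(proc for proc, cats in findings.items() if need <= set(cats))


if __name__ == "__main__":
    result = evaluate(SAMPLE_ROWS)
    for proc, cats in result.items():
        print(proc)
        for category, descs in cats.items():
            print(f"  {category}: {', '.join(descs)}")
    print("sality-like:", sality_like(result))
```

Two caveats when reading a hit. EnableLUA = 0 takes effect only after a reboot, so within a 150-second detonation UAC is still enforced; the signature name "UAC bypass" describes intent rather than an achieved bypass. The Security Center *Override and *DisableNotify values are the XP/Vista-era status switches; on the Windows 10 image used for behavioral2 they are an indicator of tampering rather than an effective blind spot.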

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5768cc C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A (64 identical rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3788 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3788 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 2796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe
PID 3432 wrote to memory of 2796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe
PID 3432 wrote to memory of 2796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe
PID 2796 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\fontdrvhost.exe
PID 2796 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\fontdrvhost.exe
PID 2796 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\dwm.exe
PID 2796 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\sihost.exe
PID 2796 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\taskhostw.exe
PID 2796 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\Explorer.EXE
PID 2796 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\DllHost.exe
PID 2796 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2796 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2796 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2796 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2796 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\rundll32.exe
PID 2796 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 4352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 3432 wrote to memory of 4352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 3432 wrote to memory of 4352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 3432 wrote to memory of 3240 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578405.exe
PID 3432 wrote to memory of 3240 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578405.exe
PID 3432 wrote to memory of 3240 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e578405.exe
PID 2796 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\fontdrvhost.exe
PID 2796 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\fontdrvhost.exe
PID 2796 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\dwm.exe
PID 2796 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\sihost.exe
PID 2796 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\taskhostw.exe
PID 2796 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\Explorer.EXE
PID 2796 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\DllHost.exe
PID 2796 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2796 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2796 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2796 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 2796 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 2796 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Users\Admin\AppData\Local\Temp\e578405.exe
PID 2796 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Users\Admin\AppData\Local\Temp\e578405.exe
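The table above lists every WriteProcessMemory call, which makes the loader chain and the breadth of the injection hard to see at a glance. The block below is an added example, not part of the report: it parses rows in the format printed here into an injection graph, counts distinct targets per writer, flags writers that hit many processes under C:\Windows, and walks the chain backwards from a PID to the process that first wrote into it. The sample is a constructed subset of the rows above; the five-target threshold and the choice of the lowest PID when several writers exist are assumptions of the example.

```python
"""Injection graph from sandbox 'PID X wrote to memory of Y' rows.

Added example, not part of the report and not Sality code.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the WriteProcessMemory rows in this report,
# one per line exactly as the sandbox prints them.
SAMPLE_EVENTS = r"""
PID 3788 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3788 wrote to memory of 3432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 2796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57687e.exe
PID 2796 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\fontdrvhost.exe
PID 2796 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\dwm.exe
PID 2796 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\sihost.exe
PID 2796 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\system32\svchost.exe
PID 2796 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\Explorer.EXE
PID 2796 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2796 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 4352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
PID 2796 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\e57687e.exe C:\Users\Admin\AppData\Local\Temp\e576968.exe
""".strip().splitlines()

# Assumes neither image path contains spaces (true for every row in this report).
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(lines):
    """Return (edges, images): edges counts writes per (src, dst); images maps PID to path."""
    edges = Counter()
    images = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    return edges, images


def fan_out(edges):
    """Distinct target PIDs per writing PID."""
    targets = defaultdict(set)
    for src, dst in edges:
        targets[src].add(dst)
    return {src: len(t) for src, t in targets.items()}


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


def broad_injectors(edges, images, min_targets=5):
    """Writers that hit at least min_targets distinct processes under C:\\Windows.

    The threshold is an assumption of this example; tune it to your telemetry.
    """
    targets = defaultdict(set)
    for src, dst in edges:
        if is_system_image(images[dst]):
            targets[src].add(dst)
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def loader_chain(edges, images, pid):
    """Walk writers backwards from pid to the first process in the chain.

    When several processes wrote into a PID the lowest PID is followed (assumption);
    already-visited PIDs are skipped so mutual writes (2796 <-> 3432) cannot loop.
    """
    chain, seen = [pid], {pid}
    while True:
        writers = sorted(s for (s, d) in edges if d == chain[-1] and s not in seen)
        if not writers:
            break
        chain.append(writers[0])
        seen.add(writers[0])
    chain.reverse()
    return [(p, images[p]) for p in chain]


if __name__ == "__main__":
    edges, images = parse_events(SAMPLE_EVENTS)
    print("fan-out:", fan_out(edges))
    print("broad injectors:", broad_injectors(edges, images))
    for p, img in loader_chain(edges, images, 2796):
        print(f"  {p}: {img}")
```

On the full table the walk from PID 2796 yields 3788 (system32 rundll32) to 3432 (SysWOW64 rundll32 loading the sample DLL) to 2796 (the dropped e57687e.exe), and 2796 then writes into fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, RuntimeBroker and the other listed hosts, which is the process-wide infection behaviour consistent with the Sality tag on this sample.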

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57687e.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4c8e1122b75826bc432c0ffc55c45c0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4c8e1122b75826bc432c0ffc55c45c0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57687e.exe

C:\Users\Admin\AppData\Local\Temp\e57687e.exe

C:\Users\Admin\AppData\Local\Temp\e576968.exe

C:\Users\Admin\AppData\Local\Temp\e576968.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e578405.exe

C:\Users\Admin\AppData\Local\Temp\e578405.exe

Network

Country Destination Domain Proto
US 23.53.113.159:80 N/A tcp

Files

memory/3432-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57687e.exe

MD5 48544c11b725f40c2976d22129c78194
SHA1 2781bf3e6ba29bcff9c366b9dc5ba3570d442553
SHA256 b3a5c96d8cb32e967081a7e513645109074bb5d6a826f88ffcba7ec7e1199d6a
SHA512 343d4f12490fb7dafa4218441d9d47616304e64b187aa011d2b47e71c409a75732e50cd9ed975e6ff8292b31737125dfdee7ab605826274489b10f139ffc4d95

memory/2796-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2796-6-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-8-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3432-16-0x0000000003F30000-0x0000000003F32000-memory.dmp

memory/2796-25-0x0000000001A70000-0x0000000001A72000-memory.dmp

memory/3432-32-0x0000000003F30000-0x0000000003F32000-memory.dmp

memory/2796-33-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-23-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-31-0x0000000001A70000-0x0000000001A72000-memory.dmp

memory/2796-34-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4352-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2796-24-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-20-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-11-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-15-0x0000000001A80000-0x0000000001A81000-memory.dmp

memory/3432-13-0x0000000004480000-0x0000000004481000-memory.dmp

memory/3432-12-0x0000000003F30000-0x0000000003F32000-memory.dmp

memory/2796-10-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-35-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-36-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-37-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-38-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-39-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-40-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-42-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-43-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3240-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2796-52-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-54-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-55-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/3240-64-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/4352-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3240-62-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/3240-61-0x0000000000420000-0x0000000000421000-memory.dmp

memory/4352-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4352-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2796-65-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-67-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-71-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-72-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-74-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-76-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-83-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-85-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-87-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2796-89-0x0000000001A70000-0x0000000001A72000-memory.dmp

memory/2796-91-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4352-112-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2796-108-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3240-116-0x0000000000400000-0x0000000000412000-memory.dmp
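The dump names encode the PID, a sequence number and the virtual address range, so a short parser answers the questions a reviewer asks of this list: how big each region is, which extents recur across processes, and which one the sandbox kept dumping. The block below is an added example, not part of the report; the sample names are a constructed subset of the list above and the repeat threshold is an assumption.

```python
"""Reading the sandbox's memory-dump names.

Added example, not part of the report. Names follow the pattern
memory/<pid>-<seq>-<start>-<end>-memory.dmp as printed in the Files section.
"""
import re
from collections import Counter

# Constructed sample: a subset of the dump names listed above.
SAMPLE_DUMPS = """
memory/3432-1-0x0000000010000000-0x0000000010020000-memory.dmp
memory/2796-5-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2796-6-0x00000000007B0000-0x000000000186A000-memory.dmp
memory/2796-8-0x00000000007B0000-0x000000000186A000-memory.dmp
memory/2796-11-0x00000000007B0000-0x000000000186A000-memory.dmp
memory/4352-30-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3240-51-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4352-63-0x00000000001E0000-0x00000000001E2000-memory.dmp
""".strip().splitlines()

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(names):
    """One dict per dump: pid, seq, start, end (ints) and size in bytes."""
    out = []
    for name in names:
        m = DUMP_RE.match(name.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        out.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                    "start": start, "end": end, "size": end - start})
    return out


def regions(dumps):
    """(start, end) -> {'size': bytes, 'per_pid': Counter of dumps per PID}."""
    agg = {}
    for d in dumps:
        r = agg.setdefault((d["start"], d["end"]), {"size": d["size"], "per_pid": Counter()})
        r["per_pid"][d["pid"]] += 1
    return agg


def shared_extents(agg):
    """Extents dumped from more than one PID: the same image (or the same payload)
    mapped at the same address in several processes."""
    return sorted(ext for ext, r in agg.items() if len(r["per_pid"]) > 1)


def largest_extent(agg):
    return max(agg, key=lambda ext: agg[ext]["size"])


def repeatedly_dumped(agg, min_count=3):
    """Extents one PID had dumped at least min_count times (threshold assumed);
    these are the regions to open first when looking for unpacked code."""
    return sorted(ext for ext, r in agg.items() if max(r["per_pid"].values()) >= min_count)


if __name__ == "__main__":
    agg = regions(parse_dumps(SAMPLE_DUMPS))
    for (start, end), r in sorted(agg.items()):
        print(f"{start:#x}-{end:#x} size={r['size']:#x} pids={dict(r['per_pid'])}")
    print("shared:", [f"{s:#x}-{e:#x}" for s, e in shared_extents(agg)])
    print("largest:", "%#x-%#x" % largest_extent(agg))
    print("repeated:", [f"{s:#x}-{e:#x}" for s, e in repeatedly_dumped(agg)])
```

On the full list, 0x400000-0x412000 (0x12000 bytes) appears in 2796, 4352 and 3240, i.e. the same image extent in all three dropped executables, and the 0x7B0000-0x186A000 region of 2796 (0x10BA000 bytes, about 16.7 MiB) is dumped 30 times. The 0x10000000-0x10020000 extent in 3432 sits at the conventional default DLL image base, consistent with the sample DLL that rundll32 loaded in that process.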

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 08:36

Reported

2024-06-16 08:39

Platform

win7-20240611-en

Max time kernel

122s

Max time network

127s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (26 identical rows collapsed)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7679f1 C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
File created C:\Windows\f76ca8f C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767935.exe
PID 1916 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767935.exe
PID 1916 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767935.exe
PID 1916 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767935.exe
PID 2716 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\system32\taskhost.exe
PID 2716 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\system32\Dwm.exe
PID 2716 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\Explorer.EXE
PID 2716 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\system32\DllHost.exe
PID 2716 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\system32\rundll32.exe
PID 2716 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 2512 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767c32.exe
PID 1916 wrote to memory of 2512 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767c32.exe
PID 1916 wrote to memory of 2512 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767c32.exe
PID 1916 wrote to memory of 2512 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767c32.exe
PID 1916 wrote to memory of 464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769425.exe
PID 1916 wrote to memory of 464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769425.exe
PID 1916 wrote to memory of 464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769425.exe
PID 1916 wrote to memory of 464 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769425.exe
PID 2716 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\system32\taskhost.exe
PID 2716 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\system32\Dwm.exe
PID 2716 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Windows\Explorer.EXE
PID 2716 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Users\Admin\AppData\Local\Temp\f767c32.exe
PID 2716 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Users\Admin\AppData\Local\Temp\f767c32.exe
PID 2716 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Users\Admin\AppData\Local\Temp\f769425.exe
PID 2716 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\f767935.exe C:\Users\Admin\AppData\Local\Temp\f769425.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767935.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767c32.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4c8e1122b75826bc432c0ffc55c45c0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4c8e1122b75826bc432c0ffc55c45c0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f767935.exe

C:\Users\Admin\AppData\Local\Temp\f767935.exe

C:\Users\Admin\AppData\Local\Temp\f767c32.exe

C:\Users\Admin\AppData\Local\Temp\f767c32.exe

C:\Users\Admin\AppData\Local\Temp\f769425.exe

C:\Users\Admin\AppData\Local\Temp\f769425.exe

Network

N/A

Files

memory/1916-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f767935.exe

MD5 48544c11b725f40c2976d22129c78194
SHA1 2781bf3e6ba29bcff9c366b9dc5ba3570d442553
SHA256 b3a5c96d8cb32e967081a7e513645109074bb5d6a826f88ffcba7ec7e1199d6a
SHA512 343d4f12490fb7dafa4218441d9d47616304e64b187aa011d2b47e71c409a75732e50cd9ed975e6ff8292b31737125dfdee7ab605826274489b10f139ffc4d95

memory/1916-9-0x00000000000F0000-0x0000000000102000-memory.dmp

memory/2716-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1916-8-0x00000000000F0000-0x0000000000102000-memory.dmp

memory/2716-15-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-18-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-12-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-19-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1916-52-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2716-43-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1916-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2716-22-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2512-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1916-56-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2716-20-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-21-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-45-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/2716-17-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-16-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1916-55-0x00000000002E0000-0x00000000002F2000-memory.dmp

memory/2716-54-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/1916-36-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1916-35-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1104-28-0x0000000001BC0000-0x0000000001BC2000-memory.dmp

memory/2716-14-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-59-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-58-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-60-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-62-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-61-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-64-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-65-0x0000000000590000-0x000000000164A000-memory.dmp

memory/464-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1916-76-0x00000000000F0000-0x00000000000F6000-memory.dmp

memory/2716-79-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-81-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-83-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-84-0x0000000000590000-0x000000000164A000-memory.dmp

memory/464-99-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/464-101-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2512-100-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/464-98-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2512-92-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2512-91-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2716-103-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-118-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-125-0x00000000002C0000-0x00000000002C2000-memory.dmp

memory/2716-145-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2716-144-0x0000000000590000-0x000000000164A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 32f66e9ab494443c367ba8fce664e0ad
SHA1 1c9b3ca16781f4d1342f82197e8084d9a3e376c4
SHA256 24437777f8c99dd7bc444e7468f1fa426e8fab792cbd0ed58c4d1de92a0ce2a3
SHA512 a12a7316d8b7e4c906f6e9d891c4ca362231f8b05fc5ab1a59b20b801bd527635eb0993a9eeaed78bf916b763a7d011770ba9dbafb85353b0bc4a21f7014a31b

memory/2512-164-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2512-171-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2512-170-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/464-175-0x0000000000400000-0x0000000000412000-memory.dmp