Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/06/2024, 02:27
Static task: static1
Behavioral task: behavioral1
Sample: 36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll
Resource: win7-20240611-en
General
Target: 36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll
Size: 120KB
MD5: 36caf71ae0233577a44af1f9d7bd2370
SHA1: 1a6f7d80e13481180c8f4f506d66b5ae8ec90d3d
SHA256: 529661c8cc256ead74a598e70a73fd28a7f4f1653e6d90854e235c1cde3b2aec
SHA512: 33f1e1bdbc0a9dda52682b0035be6a73434b233e7ff7dae2d2c3f81ad521d41a4bf1456b1af4950441e3cb6ab5243cbceb402322010810cf68a55178c222fe01
SSDEEP: 1536:zIU426bHiV1w3Xk0TvsDYLiPErzTNDev1iqbRM5L2+ZxaLeZ7oNjwNdEXADz:0ULh1a0saYRNDs1iqVM6+OLooBwNV
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575479.exe
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5788b8.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575479.exe
Executes dropped EXE 3 IoCs
pid | Process
228 | e575479.exe
608 | e5755e0.exe
1460 | e5788b8.exe
UPX packed file (yara rule: upx) 29 IoCs
resource | yara_rule
behavioral2/memory/228-N-0x0000000000860000-0x000000000191A000-memory.dmp | upx, for N in 6, 8, 9, 10, 11, 17, 18, 26, 27, 31, 32, 37, 38, 39, 40, 41, 55, 56, 57, 59, 61, 62, 63
behavioral2/memory/1460-N-0x0000000000890000-0x000000000194A000-memory.dmp | upx, for N in 88, 90, 94, 95, 97, 136
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5788b8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575479.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575479.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575479.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5788b8.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e575479.exe
File opened (read-only) | \??\K: | e575479.exe
File opened (read-only) | \??\G: | e5788b8.exe
File opened (read-only) | \??\H: | e5788b8.exe
File opened (read-only) | \??\G: | e575479.exe
File opened (read-only) | \??\I: | e575479.exe
File opened (read-only) | \??\J: | e575479.exe
File opened (read-only) | \??\E: | e5788b8.exe
File opened (read-only) | \??\E: | e575479.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5754c7 | e575479.exe
File opened for modification | C:\Windows\SYSTEM.INI | e575479.exe
File created | C:\Windows\e57b026 | e5788b8.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
228 | e575479.exe (4 entries)
1460 | e5788b8.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 228 | e575479.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2160 wrote to memory of 1848 | 2160 | rundll32.exe | 82 (x3)
PID 1848 wrote to memory of 228 | 1848 | rundll32.exe | 83 (x3)
PID 228 wrote to memory of 792 | 228 | e575479.exe | 9
PID 228 wrote to memory of 800 | 228 | e575479.exe | 10
PID 228 wrote to memory of 336 | 228 | e575479.exe | 13
PID 228 wrote to memory of 3048 | 228 | e575479.exe | 50
PID 228 wrote to memory of 508 | 228 | e575479.exe | 51
PID 228 wrote to memory of 772 | 228 | e575479.exe | 52
PID 228 wrote to memory of 3392 | 228 | e575479.exe | 56
PID 228 wrote to memory of 3516 | 228 | e575479.exe | 57
PID 228 wrote to memory of 3724 | 228 | e575479.exe | 58
PID 228 wrote to memory of 3848 | 228 | e575479.exe | 59
PID 228 wrote to memory of 3940 | 228 | e575479.exe | 60
PID 228 wrote to memory of 4020 | 228 | e575479.exe | 61
PID 228 wrote to memory of 3916 | 228 | e575479.exe | 62
PID 228 wrote to memory of 2156 | 228 | e575479.exe | 64
PID 228 wrote to memory of 2136 | 228 | e575479.exe | 75
PID 228 wrote to memory of 1760 | 228 | e575479.exe | 79
PID 228 wrote to memory of 4480 | 228 | e575479.exe | 80
PID 228 wrote to memory of 2160 | 228 | e575479.exe | 81
PID 228 wrote to memory of 1848 | 228 | e575479.exe | 82 (x2)
PID 1848 wrote to memory of 608 | 1848 | rundll32.exe | 84 (x3)
PID 228 wrote to memory of 792 | 228 | e575479.exe | 9
PID 228 wrote to memory of 800 | 228 | e575479.exe | 10
PID 228 wrote to memory of 336 | 228 | e575479.exe | 13
PID 228 wrote to memory of 3048 | 228 | e575479.exe | 50
PID 228 wrote to memory of 508 | 228 | e575479.exe | 51
PID 228 wrote to memory of 772 | 228 | e575479.exe | 52
PID 228 wrote to memory of 3392 | 228 | e575479.exe | 56
PID 228 wrote to memory of 3516 | 228 | e575479.exe | 57
PID 228 wrote to memory of 3724 | 228 | e575479.exe | 58
PID 228 wrote to memory of 3848 | 228 | e575479.exe | 59
PID 228 wrote to memory of 3940 | 228 | e575479.exe | 60
PID 228 wrote to memory of 4020 | 228 | e575479.exe | 61
PID 228 wrote to memory of 3916 | 228 | e575479.exe | 62
PID 228 wrote to memory of 2156 | 228 | e575479.exe | 64
PID 228 wrote to memory of 2136 | 228 | e575479.exe | 75
PID 228 wrote to memory of 1760 | 228 | e575479.exe | 79
PID 228 wrote to memory of 2160 | 228 | e575479.exe | 81
PID 228 wrote to memory of 608 | 228 | e575479.exe | 84 (x2)
PID 228 wrote to memory of 1180 | 228 | e575479.exe | 86
PID 228 wrote to memory of 1604 | 228 | e575479.exe | 87
PID 1848 wrote to memory of 1460 | 1848 | rundll32.exe | 88 (x3)
PID 1460 wrote to memory of 792 | 1460 | e5788b8.exe | 9
PID 1460 wrote to memory of 800 | 1460 | e5788b8.exe | 10
PID 1460 wrote to memory of 336 | 1460 | e5788b8.exe | 13
PID 1460 wrote to memory of 3048 | 1460 | e5788b8.exe | 50
PID 1460 wrote to memory of 508 | 1460 | e5788b8.exe | 51
PID 1460 wrote to memory of 772 | 1460 | e5788b8.exe | 52
PID 1460 wrote to memory of 3392 | 1460 | e5788b8.exe | 56
PID 1460 wrote to memory of 3516 | 1460 | e5788b8.exe | 57
PID 1460 wrote to memory of 3724 | 1460 | e5788b8.exe | 58
PID 1460 wrote to memory of 3848 | 1460 | e5788b8.exe | 59
PID 1460 wrote to memory of 3940 | 1460 | e5788b8.exe | 60
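The WriteProcessMemory entries above mix two different things. A parent writing into a child it has just created (rundll32.exe 2160 into 1848; 1848 into 228, 608 and 1460) is what ordinary process start-up looks like in these reports. The dropped e575479.exe and e5788b8.exe writing into processes they did not create (fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE, the RuntimeBroker instances, and even their own parent rundll32.exe) is the injection behaviour. The Python below is an added example, not part of the sandbox report: it parses lines in the report's "wrote to memory" shape and uses a parent map to keep only writes into non-children. The sample events, the PID-to-image map and the parent map are constructed from this report's process tree; the reporting threshold and the T1055 mapping are my choices, not the sandbox's.

```python
"""Separate process-creation writes from cross-process injection in 'wrote to memory' IoCs.

Added example; not part of the sandbox report. Event lines, process map and parent map are
constructed from the report's process tree; the threshold and ATT&CK mapping are the author's.
"""
import re
from collections import defaultdict
from typing import NamedTuple


class WriteEvent(NamedTuple):
    writer: int      # OS PID calling WriteProcessMemory
    target: int      # OS PID written to
    image: str       # writer image name
    target_id: int   # sandbox-internal id of the target (procid_target), not an OS PID


# Constructed sample lines in the report's shape:
# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
SAMPLE_EVENTS = [
    "PID 2160 wrote to memory of 1848 2160 rundll32.exe 82",
    "PID 1848 wrote to memory of 228 1848 rundll32.exe 83",
    "PID 228 wrote to memory of 792 228 e575479.exe 9",
    "PID 228 wrote to memory of 336 228 e575479.exe 13",
    "PID 228 wrote to memory of 3392 228 e575479.exe 56",
    "PID 228 wrote to memory of 1848 228 e575479.exe 82",
    "PID 1848 wrote to memory of 608 1848 rundll32.exe 84",
    "PID 228 wrote to memory of 608 228 e575479.exe 84",
    "PID 1848 wrote to memory of 1460 1848 rundll32.exe 88",
    "PID 1460 wrote to memory of 792 1460 e5788b8.exe 9",
    "PID 1460 wrote to memory of 792 1460 e5788b8.exe 9",  # duplicate, as the report repeats entries
]

# PID -> image and child PID -> parent PID, constructed from the process tree (root processes have no parent).
PROCS = {792: "fontdrvhost.exe", 336: "dwm.exe", 3392: "Explorer.EXE", 2160: "rundll32.exe",
         1848: "rundll32.exe", 228: "e575479.exe", 608: "e5755e0.exe", 1460: "e5788b8.exe"}
PARENT = {1848: 2160, 228: 1848, 608: 1848, 1460: 1848}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_events(lines) -> list[WriteEvent]:
    """Parse report-shaped lines; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(WriteEvent(int(m[1]), int(m[2]), m[4], int(m[5])))
    return events


def cross_process_writes(events, parent) -> dict[int, list[int]]:
    """Writes whose target is not the writer's own child, deduplicated, in first-seen order.

    A parent writing into a process it just created is CreateProcess/loader set-up in these
    reports; a write into a pre-existing or unrelated process is the injection signal.
    """
    seen = defaultdict(list)
    for ev in events:
        if parent.get(ev.target) == ev.writer:
            continue
        if ev.target not in seen[ev.writer]:
            seen[ev.writer].append(ev.target)
    return dict(seen)


def injection_report(events, parent, procs, threshold=2) -> list[str]:
    """One line per writer that hit at least `threshold` non-child processes (T1055, author's mapping)."""
    out = []
    for writer, targets in cross_process_writes(events, parent).items():
        if len(targets) < threshold:
            continue
        names = ", ".join(f"{procs.get(t, '?')}({t})" for t in targets)
        out.append(f"{procs.get(writer, '?')}({writer}) injected into {len(targets)} processes: {names}")
    return out


if __name__ == "__main__":
    for line in injection_report(parse_events(SAMPLE_EVENTS), PARENT, PROCS):
        print(line)
```

On the constructed sample, only e575479.exe (228) crosses the threshold; e5788b8.exe (1460) has a single non-child target in the sample and drops out, which is the reason to keep the threshold low and to feed the full list rather than a slice when triaging a real report.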
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5788b8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575479.exe
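The registry writes in the Modifies firewall policy service, UAC bypass, Windows security bypass, Windows security modification, Checks whether UAC is enabled and System policy modification sections are the same handful of defense-impairment keys, reported once per process. The Python below is an added example, not part of the sandbox report: it parses lines in the report's "Set value" shape, normalizes the native paths (\REGISTRY\MACHINE to HKLM, ControlSet001 to CurrentControlSet, WOW6432Node dropped) and maps each write to what it does on the host. The sample lines are constructed from this report, and the meaning strings and ATT&CK IDs are my mapping, not the sandbox's. Two caveats worth carrying into triage: EnableLUA=0 only takes effect after the next logon, and the Security Center Override/DisableNotify values are the XP/Vista-era Security Center interface, which later Windows versions do not honour, so on this platform they are a strong indicator rather than an effective bypass.

```python
"""Classify registry 'Set value' IoCs (sandbox-report shape) into defense-impairment findings.

Added example; not part of the sandbox report. The meaning strings and ATT&CK technique IDs
are the author's mapping, not the sandbox's.
"""
import re
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    process: str
    key: str        # normalized: HKLM\..., CurrentControlSet, WOW6432Node stripped
    value: str
    data: str
    meaning: str
    technique: str  # ATT&CK technique ID (author's mapping)


# Constructed sample lines in the shape of the report's entries:
# Set value (<type>) <native path> = "<data>" <process>
# The last line is an ordinary Run-key write that the rules should ignore.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e575479.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e575479.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5788b8.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575479.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5788b8.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e575479.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Tools\updater.exe" benign.exe',
]

LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)

HIVE_PREFIX = "\\REGISTRY\\MACHINE\\"
FIREWALL_PROFILE = r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile$"

# (key regex on the normalized key, value-name regex, required data, meaning, ATT&CK ID)
RULES = [
    (FIREWALL_PROFILE, r"EnableFirewall", "0", "Windows Firewall turned off for the profile", "T1562.004"),
    (FIREWALL_PROFILE, r"DoNotAllowExceptions", "0", "firewall exceptions allowed again", "T1562.004"),
    (FIREWALL_PROFILE, r"DisableNotifications", "1", "firewall block notifications suppressed", "T1562.004"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", r"EnableLUA", "0",
     "UAC disabled (effective after the next logon)", "T1548.002"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Security Center$", r"(AntiVirus|Firewall|Updates|Uac)(Override|DisableNotify)", "1",
     "legacy Security Center alerting suppressed (no effect on current Windows, strong indicator)", "T1562.001"),
]


def normalize(path: str) -> tuple[str, str]:
    """Split a native registry path into (key, value name) and canonicalize the key.

    ControlSet001 is what the sandbox records; the live system reaches the same key through
    CurrentControlSet, and WOW6432Node is only the 32-bit process's view of these policy keys.
    """
    key, _, value = path.rpartition("\\")
    if key.startswith(HIVE_PREFIX):
        key = "HKLM\\" + key[len(HIVE_PREFIX):]
    key = re.sub(r"\\ControlSet\d{3}\\", lambda _m: "\\CurrentControlSet\\", key)
    key = key.replace("\\WOW6432Node", "")
    return key, value


def classify(lines) -> dict:
    """Return {process: [Finding, ...]} for every line matching a rule; unmatched lines are skipped."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = normalize(m["path"])
        for key_re, value_re, data, meaning, technique in RULES:
            if re.search(key_re, key, re.I) and re.fullmatch(value_re, value, re.I) and m["data"] == data:
                findings[m["proc"]].append(Finding(m["proc"], key, value, m["data"], meaning, technique))
    return dict(findings)


def techniques(findings) -> list[str]:
    """Distinct ATT&CK IDs across all processes, sorted."""
    return sorted({f.technique for fs in findings.values() for f in fs})


if __name__ == "__main__":
    result = classify(SAMPLE_IOCS)
    for proc, fs in result.items():
        for f in fs:
            print(f"{proc}: {f.key}\\{f.value} = {f.data} -> {f.meaning} [{f.technique}]")
    print("techniques:", techniques(result))
```

The normalization step is what makes the rules reusable outside the sandbox: the same rule set then matches Sysmon registry events or a live `reg query`, which report the CurrentControlSet and non-WOW6432Node paths rather than the native forms shown in this report.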
Processes
depth | PID | image | command line
[1] PID 792 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
[1] PID 800 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
[1] PID 336 | C:\Windows\system32\dwm.exe | "dwm.exe"
[1] PID 3048 | C:\Windows\system32\sihost.exe | sihost.exe
[1] PID 508 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] PID 772 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] PID 3392 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
    [2] PID 2160 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll,#1
        - Suspicious use of WriteProcessMemory
        [3] PID 1848 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll,#1
            - Suspicious use of WriteProcessMemory
            [4] PID 228 | C:\Users\Admin\AppData\Local\Temp\e575479.exe | C:\Users\Admin\AppData\Local\Temp\e575479.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] PID 608 | C:\Users\Admin\AppData\Local\Temp\e5755e0.exe | C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
                - Executes dropped EXE
            [4] PID 1460 | C:\Users\Admin\AppData\Local\Temp\e5788b8.exe | C:\Users\Admin\AppData\Local\Temp\e5788b8.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
[1] PID 3516 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] PID 3724 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] PID 3848 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 3940 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 4020 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] PID 3916 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 2156 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 2136 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] PID 1760 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
[1] PID 4480 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
[1] PID 1180 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 1604 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
File 1
Filesize: 97KB
MD5: f63518108553bfb1b3be8706448d9994
SHA1: 4ea755e63164445e305c6a26ca0c465c44ebfc57
SHA256: 8b7ded898e122afaf09cbe9ec9833eefb8edb89e3862b6fc531ac154d5f1fac5
SHA512: 8654dd56d32284bf15e9703ee779b30e4083af603e72f6e9d5cdd30ba02f333ab1ab4a7bab53717d92c62e995776e14322fda35fb248732185556bebb7ad25b1
File 2
Filesize: 257B
MD5: 6253e63e758adc93066a51fd756a8990
SHA1: acf11588f1d15add33ab6065409e95650f1521af
SHA256: 9773b7b464d1b575a9d5243deceee267231137a00bbb6b9b6a6fa09f82dbf11b
SHA512: 52e3f8457546b3aaf8c1a76d49f0b7cd02b21a7e5f969ee0155be6c1c2e865c8994853cca1600e51c5d003916223316c45ce78ae6974ad83bccc55c835936a8c