Malware Analysis Report

2024-09-11 11:53

Sample ID 240617-dbmtjs1bqe
Target 39fd95fc77ee75dd9b8aa2307ff15690_NeikiAnalytics.exe
SHA256 f1de03b355788ab926d998a161cf0bb5962677e3eeac33fbd329df1b67c1e399
Tags: sality backdoor evasion trojan upx

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

f1de03b355788ab926d998a161cf0bb5962677e3eeac33fbd329df1b67c1e399

Threat Level: Known bad

The file 39fd95fc77ee75dd9b8aa2307ff15690_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Modifies firewall policy service

Sality

Loads dropped DLL

Windows security modification

Executes dropped EXE

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 02:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 02:50

Reported

2024-06-17 02:52

Platform

win7-20240611-en

Max time kernel

119s

Max time network

127s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
File created C:\Windows\f7685f2 C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1152 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 1308 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768575.exe
PID 2112 wrote to memory of 1308 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768575.exe
PID 2112 wrote to memory of 1308 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768575.exe
PID 2112 wrote to memory of 1308 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768575.exe
PID 1308 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\system32\taskhost.exe
PID 1308 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\system32\Dwm.exe
PID 1308 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\Explorer.EXE
PID 1308 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\system32\DllHost.exe
PID 1308 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\system32\rundll32.exe
PID 1308 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\SysWOW64\rundll32.exe
PID 1308 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768797.exe
PID 2112 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768797.exe
PID 2112 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768797.exe
PID 2112 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f768797.exe
PID 2112 wrote to memory of 2268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769ede.exe
PID 2112 wrote to memory of 2268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769ede.exe
PID 2112 wrote to memory of 2268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769ede.exe
PID 2112 wrote to memory of 2268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f769ede.exe
PID 1308 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\system32\taskhost.exe
PID 1308 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\system32\Dwm.exe
PID 1308 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Windows\Explorer.EXE
PID 1308 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Users\Admin\AppData\Local\Temp\f768797.exe
PID 1308 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Users\Admin\AppData\Local\Temp\f768797.exe
PID 1308 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Users\Admin\AppData\Local\Temp\f769ede.exe
PID 1308 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f768575.exe C:\Users\Admin\AppData\Local\Temp\f769ede.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f768575.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\39fd95fc77ee75dd9b8aa2307ff15690_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\39fd95fc77ee75dd9b8aa2307ff15690_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f768575.exe

C:\Users\Admin\AppData\Local\Temp\f768575.exe

C:\Users\Admin\AppData\Local\Temp\f768797.exe

C:\Users\Admin\AppData\Local\Temp\f768797.exe

C:\Users\Admin\AppData\Local\Temp\f769ede.exe

C:\Users\Admin\AppData\Local\Temp\f769ede.exe

Network

N/A

Files

memory/1308-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2112-10-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f768575.exe

MD5 5fd291379e2f5415ed4fb0da2a743156
SHA1 69c3418225b47354512d320e9757bd4df55d81bc
SHA256 2233d1902ee2051ddf66643222f54469cf7c21df48e8ccb108605e54fa100043
SHA512 2ec163fa88324dea5e6628c86e3fe5fd2cef5919504aade15266052ef3c724bc6e690e1e3389b2eeaaf461b40b4ab5168428cf8dc0b7769f770a727d76b94b68

memory/1308-12-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2112-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2112-55-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2924-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2112-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1308-34-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2112-27-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1308-17-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-37-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-36-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-19-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-15-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-39-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2112-38-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1308-35-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2112-26-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1092-20-0x0000000001CA0000-0x0000000001CA2000-memory.dmp

memory/1308-14-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-45-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1308-16-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-18-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2112-53-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1308-59-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-58-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2112-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1308-60-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-62-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-61-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-64-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2112-75-0x0000000000210000-0x0000000000222000-memory.dmp

memory/2112-72-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2268-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1308-77-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-80-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-82-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-84-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2268-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2924-102-0x0000000000360000-0x0000000000362000-memory.dmp

memory/1308-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2268-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2268-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2924-93-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/1308-105-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-107-0x0000000000560000-0x000000000161A000-memory.dmp

memory/1308-150-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1308-149-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2924-148-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2268-154-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 02:50

Reported

2024-06-17 02:52

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

100s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573a59 C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
File created C:\Windows\e578b38 C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 2556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 4552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573a1b.exe
PID 4552 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\fontdrvhost.exe
PID 4552 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\fontdrvhost.exe
PID 4552 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\dwm.exe
PID 4552 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\sihost.exe
PID 4552 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\svchost.exe
PID 4552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\taskhostw.exe
PID 4552 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\Explorer.EXE
PID 4552 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\svchost.exe
PID 4552 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\DllHost.exe
PID 4552 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4552 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4552 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4552 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4552 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4552 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4552 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4552 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\system32\rundll32.exe
PID 4552 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\SysWOW64\rundll32.exe
PID 4552 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573bf0.exe
PID 2556 wrote to memory of 4120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5755c1.exe
PID 4552 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Users\Admin\AppData\Local\Temp\e573bf0.exe
PID 4552 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4552 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4552 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\e573a1b.exe C:\Users\Admin\AppData\Local\Temp\e5755c1.exe
PID 4120 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\fontdrvhost.exe
PID 4120 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\fontdrvhost.exe
PID 4120 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\dwm.exe
PID 4120 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\sihost.exe
PID 4120 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\svchost.exe
PID 4120 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\taskhostw.exe
PID 4120 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\Explorer.EXE
PID 4120 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\svchost.exe
PID 4120 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\system32\DllHost.exe
PID 4120 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4120 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\System32\RuntimeBroker.exe
PID 4120 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\e5755c1.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5755c1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573a1b.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\39fd95fc77ee75dd9b8aa2307ff15690_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\39fd95fc77ee75dd9b8aa2307ff15690_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573a1b.exe

C:\Users\Admin\AppData\Local\Temp\e573a1b.exe

C:\Users\Admin\AppData\Local\Temp\e573bf0.exe

C:\Users\Admin\AppData\Local\Temp\e573bf0.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5755c1.exe

C:\Users\Admin\AppData\Local\Temp\e5755c1.exe

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\e573a1b.exe

MD5 5fd291379e2f5415ed4fb0da2a743156
SHA1 69c3418225b47354512d320e9757bd4df55d81bc
SHA256 2233d1902ee2051ddf66643222f54469cf7c21df48e8ccb108605e54fa100043
SHA512 2ec163fa88324dea5e6628c86e3fe5fd2cef5919504aade15266052ef3c724bc6e690e1e3389b2eeaaf461b40b4ab5168428cf8dc0b7769f770a727d76b94b68

C:\Windows\SYSTEM.INI

MD5 1c4af8364ba85cb1eb3090656019751a
SHA1 15d163dbad41902a67c739c16e6a1212cf40e6b1
SHA256 9bfd4a2dd7908d1f5579ae9a15b5a4a1103335afc60368c7fc8a19852c87e3a4
SHA512 846dd2554e1c2e3fe2e1e41504a73f307a78c86d5faf00b9272a40327563cbd2e07f2c3832164d34d88d7f08ef680780cbfb83a659f56a73cf4666bd611db9d6
