Malware Analysis Report

2024-09-11 12:17

Sample ID 240618-1jlb1s1fql
Target 57d82c0498c078851cc82b17d73c1520_NeikiAnalytics.exe
SHA256 07d130f17f41f6a1c46f5d927d8f3b94a1d2f4637891a9b7c7f4422b76ced9d3
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07d130f17f41f6a1c46f5d927d8f3b94a1d2f4637891a9b7c7f4422b76ced9d3

Threat Level: Known bad

The file 57d82c0498c078851cc82b17d73c1520_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Modifies firewall policy service

UAC bypass

Sality

UPX packed file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 21:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 21:40

Reported

2024-06-18 21:43

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f7616cb | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
File created | C:\Windows\f7666ed | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2848 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76166e.exe
PID 3012 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76166e.exe
PID 3012 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76166e.exe
PID 3012 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76166e.exe
PID 3004 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\system32\taskhost.exe
PID 3004 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\system32\Dwm.exe
PID 3004 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\Explorer.EXE
PID 3004 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\system32\DllHost.exe
PID 3004 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\system32\rundll32.exe
PID 3004 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761803.exe
PID 3012 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761803.exe
PID 3012 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761803.exe
PID 3012 wrote to memory of 2684 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761803.exe
PID 3012 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe
PID 3012 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe
PID 3012 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe
PID 3012 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe
PID 3004 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\system32\taskhost.exe
PID 3004 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\system32\Dwm.exe
PID 3004 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Windows\Explorer.EXE
PID 3004 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Users\Admin\AppData\Local\Temp\f761803.exe
PID 3004 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Users\Admin\AppData\Local\Temp\f761803.exe
PID 3004 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe
PID 3004 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe
PID 1644 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | C:\Windows\system32\taskhost.exe
PID 1644 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | C:\Windows\system32\Dwm.exe
PID 1644 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | C:\Windows\Explorer.EXE

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76166e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7631f9.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\57d82c0498c078851cc82b17d73c1520_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\57d82c0498c078851cc82b17d73c1520_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76166e.exe

C:\Users\Admin\AppData\Local\Temp\f76166e.exe

C:\Users\Admin\AppData\Local\Temp\f761803.exe

C:\Users\Admin\AppData\Local\Temp\f761803.exe

C:\Users\Admin\AppData\Local\Temp\f7631f9.exe

C:\Users\Admin\AppData\Local\Temp\f7631f9.exe

Network

N/A

Files

memory/3012-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76166e.exe

MD5 03f4281c094b003da95d0cb2a9097ac0
SHA1 79ab900872d57b1d4065494c17cda29a753203d6
SHA256 259b7af75fe98383b3b8dd765aa3b7361b4218a66c86a5bba27be883fffe086b
SHA512 1f13973bf09fd12ba6ac84980e1178cf4564a63134a4079ed59407c0eaaac742f3a51174fc3b7de3d8438a9da1bdd44a31e05d4f2985633fb9d211bec0c8afea

memory/3004-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3012-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3012-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3004-18-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-21-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-15-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-17-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3012-37-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1112-29-0x0000000002030000-0x0000000002032000-memory.dmp

memory/3004-19-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-20-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-16-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3012-47-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/3004-49-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/3004-51-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/3004-23-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-48-0x0000000003C20000-0x0000000003C21000-memory.dmp

memory/3012-38-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/3004-14-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-22-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3012-59-0x0000000000210000-0x0000000000222000-memory.dmp

memory/2684-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3012-61-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/3012-58-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/3004-63-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-64-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-65-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-67-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-66-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-69-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-70-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/1644-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3004-83-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-85-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-88-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/1644-103-0x0000000000270000-0x0000000000272000-memory.dmp

memory/1644-105-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2684-98-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2684-97-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1644-107-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2684-106-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3004-126-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

memory/3004-157-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3004-156-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 e370fc21a1cd3d1dba738e51f4eec1f4
SHA1 afe730e0eedec680b05b8e3b221dbbf417f82f80
SHA256 195ee48f27e09e7a56c4d90b6f2ba4c2ea19beef3e242aecebaeefc6a8ec0b73
SHA512 b2f12de16a4d8bc71a5bc03307b2a738c9cc3e9554cefe5fe9228af46a7bda07f29f25c082dc8425485cbe8b2a31d903f19ac37efb0d41d9a1f001443a243127

memory/1644-174-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2684-184-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1644-212-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1644-211-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 21:40

Reported

2024-06-18 21:43

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\e5745a4 | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\e574546.exe | N/A
File created | C:\Windows\e57afe7 | C:\Users\Admin\AppData\Local\Temp\e57614a.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe N/A (64 occurrences of this row)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3076 wrote to memory of 4188 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574546.exe
PID 3076 wrote to memory of 4188 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574546.exe
PID 3076 wrote to memory of 4188 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574546.exe
PID 4188 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\fontdrvhost.exe
PID 4188 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\fontdrvhost.exe
PID 4188 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\dwm.exe
PID 4188 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\sihost.exe
PID 4188 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\svchost.exe
PID 4188 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\taskhostw.exe
PID 4188 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\Explorer.EXE
PID 4188 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\svchost.exe
PID 4188 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\DllHost.exe
PID 4188 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4188 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\System32\RuntimeBroker.exe
PID 4188 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4188 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\System32\RuntimeBroker.exe
PID 4188 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4188 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4188 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\rundll32.exe
PID 4188 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SysWOW64\rundll32.exe
PID 3076 wrote to memory of 3636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57468e.exe
PID 3076 wrote to memory of 3636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57468e.exe
PID 3076 wrote to memory of 3636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57468e.exe
PID 3076 wrote to memory of 4812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57611b.exe
PID 3076 wrote to memory of 4812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57611b.exe
PID 3076 wrote to memory of 4812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57611b.exe
PID 3076 wrote to memory of 2024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57614a.exe
PID 3076 wrote to memory of 2024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57614a.exe
PID 3076 wrote to memory of 2024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57614a.exe
PID 4188 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\fontdrvhost.exe
PID 4188 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\fontdrvhost.exe
PID 4188 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\dwm.exe
PID 4188 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\sihost.exe
PID 4188 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\svchost.exe
PID 4188 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\taskhostw.exe
PID 4188 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\Explorer.EXE
PID 4188 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\svchost.exe
PID 4188 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\DllHost.exe
PID 4188 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4188 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\System32\RuntimeBroker.exe
PID 4188 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4188 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\System32\RuntimeBroker.exe
PID 4188 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4188 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Users\Admin\AppData\Local\Temp\e57468e.exe
PID 4188 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Users\Admin\AppData\Local\Temp\e57468e.exe
PID 4188 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\System32\RuntimeBroker.exe
PID 4188 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\System32\RuntimeBroker.exe
PID 4188 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Users\Admin\AppData\Local\Temp\e57611b.exe
PID 4188 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Users\Admin\AppData\Local\Temp\e57611b.exe
PID 4188 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Users\Admin\AppData\Local\Temp\e57614a.exe
PID 4188 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Users\Admin\AppData\Local\Temp\e57614a.exe
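Fifty-five rows of "wrote to memory of" hide the structure of what happened, so here is an added Python helper (not part of the sandbox report and not code from the sample) that parses rows in the format of the table above and recovers two things a triager wants: the loader chain behind each process (who injected into whom, in order) and the writers that fan out into many victims. The embedded rows are copied verbatim from the table above but are a subset, not the whole table. The threshold of five distinct victims used to call a writer a "broad injector" is an assumed heuristic; the report supports the fan-out itself (PID 4188, the dropped e574546.exe, writing into fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer and others) but does not state a threshold.

```python
"""Rebuild the injection chain from sandbox 'PID X wrote to memory of Y' rows.

Added example; the input format is this report's flattened
'Suspicious use of WriteProcessMemory' table.
"""
import re
from collections import Counter, defaultdict

# One table row, as printed:  PID <src> wrote to memory of <dst> N/A <src image> <dst image>
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<proc>[A-Za-z]:\\.*?) (?P<target>[A-Za-z]:\\.*)$"
)

# A subset of the rows from the table above, copied verbatim (not the whole table).
SAMPLE_ROWS = r"""
PID 2968 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3076 wrote to memory of 4188 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574546.exe
PID 3076 wrote to memory of 4188 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574546.exe
PID 3076 wrote to memory of 4188 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574546.exe
PID 4188 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\fontdrvhost.exe
PID 4188 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\dwm.exe
PID 4188 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\svchost.exe
PID 4188 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\Explorer.EXE
PID 4188 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\DllHost.exe
PID 4188 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\rundll32.exe
PID 4188 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\SysWOW64\rundll32.exe
PID 3076 wrote to memory of 3636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57468e.exe
PID 3076 wrote to memory of 4812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57611b.exe
PID 3076 wrote to memory of 2024 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57614a.exe
PID 4188 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Windows\system32\fontdrvhost.exe
PID 4188 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e574546.exe C:\Users\Admin\AppData\Local\Temp\e57468e.exe
"""


def parse_rows(text):
    """Return events in report order as (src_pid, dst_pid, src_image, dst_image)."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["proc"], m["target"]))
    return events


def image_names(events):
    """PID -> image path, taken from whichever side of an event first named it."""
    names = {}
    for src, dst, proc, target in events:
        names.setdefault(src, proc)
        names.setdefault(dst, target)
    return names


def edge_counts(events):
    """Occurrences of each (writer, victim) pair; a loader normally writes several times."""
    return Counter((src, dst) for src, dst, _, _ in events)


def broad_injectors(events, min_targets=5):
    """Writers that hit at least min_targets distinct PIDs (min_targets is an assumed heuristic).

    Returns (pid, image, distinct_victims, write_events), most victims first.
    """
    victims, writes = defaultdict(set), Counter()
    for src, dst, _, _ in events:
        victims[src].add(dst)
        writes[src] += 1
    names = image_names(events)
    rows = [(src, names[src], len(v), writes[src])
            for src, v in victims.items() if len(v) >= min_targets]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def loader_chain(events, pid):
    """Walk from a PID back to the process that injected into it, repeatedly.

    Only writes that happened before the victim's own first write count, so a
    child writing back into its parent (PID 4188 into PID 2968 in this report)
    does not turn the walk into a loop.
    """
    first_action = {}
    for i, (src, _, _, _) in enumerate(events):
        first_action.setdefault(src, i)
    chain = [pid]
    while True:
        cutoff = first_action.get(pid, len(events))
        writers = [src for src, dst, _, _ in events[:cutoff] if dst == pid]
        if not writers or writers[0] in chain:
            return chain
        pid = writers[0]
        chain.append(pid)


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    names = image_names(evts)
    print("loader chain for 4188:",
          " <- ".join(f"{p} ({names[p]})" for p in loader_chain(evts, 4188)))
    for pid, image, n_victims, n_writes in broad_injectors(evts):
        print(f"{pid} {image}: {n_victims} distinct victims, {n_writes} write events")
```

On the full table the walk gives the same shape as on the subset: 64-bit rundll32 (2968) writes into the WOW64 rundll32 (3076), which writes into the dropped e574546.exe (4188), and 4188 then writes into every system process listed, including back into both rundll32 instances. The three dropped siblings (e57468e.exe, e57611b.exe, e57614a.exe) are written by 3076 first and by 4188 afterwards, so their chain also ends at 2968.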

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574546.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57614a.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\57d82c0498c078851cc82b17d73c1520_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\57d82c0498c078851cc82b17d73c1520_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574546.exe

C:\Users\Admin\AppData\Local\Temp\e574546.exe

C:\Users\Admin\AppData\Local\Temp\e57468e.exe

C:\Users\Admin\AppData\Local\Temp\e57468e.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57611b.exe

C:\Users\Admin\AppData\Local\Temp\e57611b.exe

C:\Users\Admin\AppData\Local\Temp\e57614a.exe

C:\Users\Admin\AppData\Local\Temp\e57614a.exe

Network

Files

memory/3076-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574546.exe

MD5 03f4281c094b003da95d0cb2a9097ac0
SHA1 79ab900872d57b1d4065494c17cda29a753203d6
SHA256 259b7af75fe98383b3b8dd765aa3b7361b4218a66c86a5bba27be883fffe086b
SHA512 1f13973bf09fd12ba6ac84980e1178cf4564a63134a4079ed59407c0eaaac742f3a51174fc3b7de3d8438a9da1bdd44a31e05d4f2985633fb9d211bec0c8afea

memory/4188-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4188-9-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/4188-6-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-10-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-8-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3076-26-0x0000000003E60000-0x0000000003E62000-memory.dmp

memory/4188-25-0x0000000000640000-0x0000000000641000-memory.dmp

memory/3076-22-0x0000000003E60000-0x0000000003E62000-memory.dmp

memory/4188-20-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-11-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3076-23-0x0000000003E70000-0x0000000003E71000-memory.dmp

memory/4188-13-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-12-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-29-0x0000000000630000-0x0000000000632000-memory.dmp

memory/4188-14-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-28-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3636-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4188-21-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-32-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/3076-31-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/4188-36-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-37-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-38-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-39-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-40-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-42-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-43-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3076-51-0x0000000003E60000-0x0000000003E62000-memory.dmp

memory/4812-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2024-55-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4188-57-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-59-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-60-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4812-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3636-71-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2024-69-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2024-73-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/4812-72-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/4812-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3636-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3636-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4188-74-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-76-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-78-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-81-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-82-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-83-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-84-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-86-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-90-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-91-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-93-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-114-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/4188-97-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4188-113-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4188-101-0x0000000000630000-0x0000000000632000-memory.dmp

memory/3636-118-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4812-122-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 77f696fffd85e3f3563bbd00d0052c52
SHA1 0bbe8a1f059d71fd274f874ec1663420505ebfa1
SHA256 c87da76c05cc351c33b491d24f3a79abf7545df25bc9ac932c96467a1bd1a117
SHA512 5042581d48ec9ae9db06742db9f799fc4580abe38ebd5041c88da13a5df061d6ac1ec1fd4f3723bb7b8bedc7f2700283bcae5a9377fc814282790b8219621261

memory/2024-134-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2024-148-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2024-147-0x0000000000400000-0x0000000000412000-memory.dmp
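The dump names encode the PID, a sequence number and the address range, so region sizes and cross-process recurrences can be recovered mechanically instead of by eye. The following added Python (not from the report) does that over a subset of the names listed above, copied verbatim. Two things it surfaces: the 0x400000-0x412000 range (0x12000 bytes) is dumped from all four dropped executables (PIDs 4188, 3636, 4812 and 2024), which is what you would expect if they are the same image at its preferred base, and the 0x860000-0x191A000 range in PID 4188 (about 17 MB) is captured over and over under successive sequence numbers, so it is the first region to diff across dumps and string-scan. The 0x10000000 base seen in PID 3076 is the classic default image base for a DLL, which fits rundll32 loading the sample DLL there; that reading is an inference, not something the report states.

```python
"""Summarise sandbox memory-dump names: which regions, how big, shared by which PIDs.

Added example; the name format is the 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp'
entries listed in this report's Files section.
"""
import re
from collections import Counter, defaultdict

DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# A subset of the dump names from the Files list above, copied verbatim.
SAMPLE_DUMPS = """
memory/3076-1-0x0000000010000000-0x0000000010020000-memory.dmp
memory/4188-5-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4188-9-0x00007FF879430000-0x00007FF879625000-memory.dmp
memory/4188-6-0x0000000000860000-0x000000000191A000-memory.dmp
memory/4188-10-0x0000000000860000-0x000000000191A000-memory.dmp
memory/4188-8-0x0000000000860000-0x000000000191A000-memory.dmp
memory/3076-26-0x0000000003E60000-0x0000000003E62000-memory.dmp
memory/3076-31-0x00007FF879430000-0x00007FF879625000-memory.dmp
memory/3636-35-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3636-71-0x00007FF879430000-0x00007FF879625000-memory.dmp
memory/4812-50-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4812-72-0x00007FF879430000-0x00007FF879625000-memory.dmp
memory/2024-55-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2024-73-0x00007FF879430000-0x00007FF879625000-memory.dmp
memory/4188-113-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3636-118-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4812-122-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2024-147-0x0000000000400000-0x0000000000412000-memory.dmp
"""


def parse_dumps(text):
    """Return (pid, seq, start, end) tuples with the addresses as integers."""
    dumps = []
    for name in text.split():
        m = DUMP.match(name)
        if m:
            dumps.append((int(m["pid"]), int(m["seq"]),
                          int(m["start"], 16), int(m["end"], 16)))
    return dumps


def shared_regions(dumps, min_pids=2):
    """Address ranges dumped from at least min_pids different processes.

    Returns (start, end, size, sorted pids), most widely shared first. The same
    range in many processes is either a shared system mapping or the same image
    at its preferred base; the size and a byte-diff of the dumps tell which.
    """
    pids = defaultdict(set)
    for pid, _, start, end in dumps:
        pids[(start, end)].add(pid)
    rows = [(start, end, end - start, sorted(p))
            for (start, end), p in pids.items() if len(p) >= min_pids]
    return sorted(rows, key=lambda r: (-len(r[3]), r[0]))


def rewrite_hotspots(dumps, pid):
    """Regions of one process ordered by how often they were captured.

    Returns (start, end, size, dump_count). A range captured many times under
    successive sequence numbers is the one to diff first; whether the bytes
    actually changed between captures has to be checked against the dumps.
    """
    counts = Counter((s, e) for p, _, s, e in dumps if p == pid)
    return [(s, e, e - s, n) for (s, e), n in counts.most_common()]


def describe(start, end, size):
    """Human-readable range with its size in bytes."""
    return f"0x{start:X}-0x{end:X} ({size:,} bytes)"


if __name__ == "__main__":
    d = parse_dumps(SAMPLE_DUMPS)
    for start, end, size, pids in shared_regions(d):
        print("shared by", pids, describe(start, end, size))
    for start, end, size, n in rewrite_hotspots(d, 4188):
        print(f"PID 4188 {describe(start, end, size)} captured {n}x")
```

Run against the full Files list the counts grow (the 0x860000 region of PID 4188 appears dozens of times) but the two conclusions above do not change; the 0x7FF879430000-0x7FF879625000 range that recurs in every PID at the same address is the kind of region to rule out as a shared mapping before spending time on it.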