Analysis
max time kernel: 146s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 05:38
Static task: static1
Behavioral task: behavioral1
Sample: 9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll
Resource: win7-20240611-en
General
Target: 9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll
Size: 120KB
MD5: 9278f7e4298d6e46b1b5c12cc66d9bd0
SHA1: 53f96e01207ab8827a2e60b34eeaa543e6f2241a
SHA256: 0b9e26e1c94d4506b254d1a99717fc0b037370fe7fba7ba0aff509e150231732
SHA512: 7abeff7631a2c984cd17de2b4f27aa5cf568fd7e590e44329fa2299b052b2ac4dece1fc0e53cc1d67812d82b9a4607c86a99d55854011c6a740c13bae5bd25aa
SSDEEP: 1536:RNC4Kd9hL4cKlsuZ5MBDT/8AIoJactXkCuO7K0jw5CodtetfizMKbYH:mRUlXfM+zeactXkyqeti0
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Processes: e57d4a5.exe, e57db3d.exe, e57f77f.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f77f.exe
UAC bypass
Processes: e57db3d.exe, e57f77f.exe, e57d4a5.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d4a5.exe
Windows security bypass
Processes: e57d4a5.exe, e57db3d.exe, e57f77f.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57db3d.exe
Executes dropped EXE (3 IoCs)
Processes: e57d4a5.exe, e57db3d.exe, e57f77f.exe
pid | process
3636 | e57d4a5.exe
840 | e57db3d.exe
3276 | e57f77f.exe
Processes:
resource | yara_rule
behavioral2/memory/3636-6-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-8-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-10-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-11-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-13-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-9-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-12-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-19-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-21-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-22-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-20-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-30-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-23-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-38-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-39-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-40-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-50-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-51-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-53-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-62-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-64-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-65-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-66-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-69-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-71-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-72-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-74-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/3636-75-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/840-106-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/840-120-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/3276-144-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification
Processes: e57f77f.exe, e57d4a5.exe, e57db3d.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57db3d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f77f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f77f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d4a5.exe
Checks whether UAC is enabled
Processes: e57d4a5.exe, e57db3d.exe, e57f77f.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f77f.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e57d4a5.exe
description | ioc | process
File opened (read-only) | \??\O: | e57d4a5.exe
File opened (read-only) | \??\E: | e57d4a5.exe
File opened (read-only) | \??\G: | e57d4a5.exe
File opened (read-only) | \??\H: | e57d4a5.exe
File opened (read-only) | \??\I: | e57d4a5.exe
File opened (read-only) | \??\J: | e57d4a5.exe
File opened (read-only) | \??\K: | e57d4a5.exe
File opened (read-only) | \??\L: | e57d4a5.exe
File opened (read-only) | \??\M: | e57d4a5.exe
File opened (read-only) | \??\N: | e57d4a5.exe
Drops file in Program Files directory (3 IoCs)
Processes: e57d4a5.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57d4a5.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57d4a5.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57d4a5.exe
Drops file in Windows directory (4 IoCs)
Processes: e57d4a5.exe, e57db3d.exe, e57f77f.exe
description | ioc | process
File created | C:\Windows\e57d4f3 | e57d4a5.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57d4a5.exe
File created | C:\Windows\e5829da | e57db3d.exe
File created | C:\Windows\e5845ed | e57f77f.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e57d4a5.exe, e57db3d.exe
pid | process
3636 | e57d4a5.exe
3636 | e57d4a5.exe
3636 | e57d4a5.exe
3636 | e57d4a5.exe
840 | e57db3d.exe
840 | e57db3d.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e57d4a5.exe
description | pid | process
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Token: SeDebugPrivilege | 3636 | e57d4a5.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e57d4a5.exe
description | pid | process | target process
PID 1036 wrote to memory of 512 | 1036 | rundll32.exe | rundll32.exe
PID 1036 wrote to memory of 512 | 1036 | rundll32.exe | rundll32.exe
PID 1036 wrote to memory of 512 | 1036 | rundll32.exe | rundll32.exe
PID 512 wrote to memory of 3636 | 512 | rundll32.exe | e57d4a5.exe
PID 512 wrote to memory of 3636 | 512 | rundll32.exe | e57d4a5.exe
PID 512 wrote to memory of 3636 | 512 | rundll32.exe | e57d4a5.exe
PID 3636 wrote to memory of 760 | 3636 | e57d4a5.exe | fontdrvhost.exe
PID 3636 wrote to memory of 768 | 3636 | e57d4a5.exe | fontdrvhost.exe
PID 3636 wrote to memory of 316 | 3636 | e57d4a5.exe | dwm.exe
PID 3636 wrote to memory of 2548 | 3636 | e57d4a5.exe | sihost.exe
PID 3636 wrote to memory of 2568 | 3636 | e57d4a5.exe | svchost.exe
PID 3636 wrote to memory of 2672 | 3636 | e57d4a5.exe | taskhostw.exe
PID 3636 wrote to memory of 3540 | 3636 | e57d4a5.exe | Explorer.EXE
PID 3636 wrote to memory of 3656 | 3636 | e57d4a5.exe | svchost.exe
PID 3636 wrote to memory of 3860 | 3636 | e57d4a5.exe | DllHost.exe
PID 3636 wrote to memory of 3952 | 3636 | e57d4a5.exe | StartMenuExperienceHost.exe
PID 3636 wrote to memory of 4020 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 620 | 3636 | e57d4a5.exe | SearchApp.exe
PID 3636 wrote to memory of 4200 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 4580 | 3636 | e57d4a5.exe | TextInputHost.exe
PID 3636 wrote to memory of 3172 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 3752 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 4052 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 4088 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 3524 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 4756 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 696 | 3636 | e57d4a5.exe | backgroundTaskHost.exe
PID 3636 wrote to memory of 3828 | 3636 | e57d4a5.exe | backgroundTaskHost.exe
PID 3636 wrote to memory of 1036 | 3636 | e57d4a5.exe | rundll32.exe
PID 3636 wrote to memory of 512 | 3636 | e57d4a5.exe | rundll32.exe
PID 3636 wrote to memory of 512 | 3636 | e57d4a5.exe | rundll32.exe
PID 512 wrote to memory of 840 | 512 | rundll32.exe | e57db3d.exe
PID 512 wrote to memory of 840 | 512 | rundll32.exe | e57db3d.exe
PID 512 wrote to memory of 840 | 512 | rundll32.exe | e57db3d.exe
PID 512 wrote to memory of 3276 | 512 | rundll32.exe | e57f77f.exe
PID 512 wrote to memory of 3276 | 512 | rundll32.exe | e57f77f.exe
PID 512 wrote to memory of 3276 | 512 | rundll32.exe | e57f77f.exe
PID 3636 wrote to memory of 760 | 3636 | e57d4a5.exe | fontdrvhost.exe
PID 3636 wrote to memory of 768 | 3636 | e57d4a5.exe | fontdrvhost.exe
PID 3636 wrote to memory of 316 | 3636 | e57d4a5.exe | dwm.exe
PID 3636 wrote to memory of 2548 | 3636 | e57d4a5.exe | sihost.exe
PID 3636 wrote to memory of 2568 | 3636 | e57d4a5.exe | svchost.exe
PID 3636 wrote to memory of 2672 | 3636 | e57d4a5.exe | taskhostw.exe
PID 3636 wrote to memory of 3540 | 3636 | e57d4a5.exe | Explorer.EXE
PID 3636 wrote to memory of 3656 | 3636 | e57d4a5.exe | svchost.exe
PID 3636 wrote to memory of 3860 | 3636 | e57d4a5.exe | DllHost.exe
PID 3636 wrote to memory of 3952 | 3636 | e57d4a5.exe | StartMenuExperienceHost.exe
PID 3636 wrote to memory of 4020 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 620 | 3636 | e57d4a5.exe | SearchApp.exe
PID 3636 wrote to memory of 4200 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 4580 | 3636 | e57d4a5.exe | TextInputHost.exe
PID 3636 wrote to memory of 3172 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 3752 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 4052 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 4088 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 3524 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 4756 | 3636 | e57d4a5.exe | msedge.exe
PID 3636 wrote to memory of 696 | 3636 | e57d4a5.exe | backgroundTaskHost.exe
PID 3636 wrote to memory of 3828 | 3636 | e57d4a5.exe | backgroundTaskHost.exe
PID 3636 wrote to memory of 840 | 3636 | e57d4a5.exe | e57db3d.exe
PID 3636 wrote to memory of 840 | 3636 | e57d4a5.exe | e57db3d.exe
PID 3636 wrote to memory of 3872 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 4584 | 3636 | e57d4a5.exe | RuntimeBroker.exe
PID 3636 wrote to memory of 436 | 3636 | e57d4a5.exe | msedge.exe
System policy modification (1 TTPs, 3 IoCs)
Processes: e57d4a5.exe, e57db3d.exe, e57f77f.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d4a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57db3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f77f.exe
Processes
(process tree; the number in brackets is the nesting depth, followed by the image path and the command line)

[1] C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
[1] C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
[1] C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"
[1] C:\Windows\system32\sihost.exe
    cmd: sihost.exe
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Windows\system32\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#1
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      [4] C:\Users\Admin\AppData\Local\Temp\e57db3d.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\e57db3d.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - System policy modification
      [4] C:\Users\Admin\AppData\Local\Temp\e57f77f.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\e57f77f.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System policy modification
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ff95ed54ef8,0x7ff95ed54f04,0x7ff95ed54f10
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1884,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:3
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2392,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:8
[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe
  Filesize: 97KB
  MD5: 35d6c814d11fe50533ce6b64ac522302
  SHA1: 15750ed485678b400f7507f14a77c98bc79ff26f
  SHA256: e99bd1752ec86b9c651ec9f58274dd1a58615e0f58051b9c028900280fc60f88
  SHA512: 3337c761ff4097c3b184a0af429a05ee7d1247578381194f019bfed0d364233e6be00e9b92c28ff7c234ef4a1a15f9348272ebd741fd0cadc2fba2599cb7d03c
C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: bd8f399fcc1385a983a0850c33f9eda3
  SHA1: 998b8ecb10a35f988ba440c0be36590cfb16440c
  SHA256: 588a5e2067d668df01ad090972e0f4c18e25b839eb0d96a4b8cd539314daa831
  SHA512: 4f0402f825f4f7e40b441fa707c1863c85ea85d692d3bc6eb814a142da61120ae856d4db03ac44a45f6b9246f7100a4199b9a0b7859349d060accde17839f108