Analysis
max time kernel: 130s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 22:47
Static task: static1
Behavioral task: behavioral1
Sample: 1d44bd5243dc388769a3d7b25031f303eebaab59570f51d7048db23248b31748_NeikiAnalytics.dll
Resource: win7-20240221-en
General
Target: 1d44bd5243dc388769a3d7b25031f303eebaab59570f51d7048db23248b31748_NeikiAnalytics.dll
Size: 120KB
MD5: 4d558bdb87887942d3737b5b09a79e30
SHA1: dd990a0d6c9d64bc7d58c05a316f2a9547de2422
SHA256: 1d44bd5243dc388769a3d7b25031f303eebaab59570f51d7048db23248b31748
SHA512: 4ec17498f6c9e8c4a9f5f02c7e927ac04465a157021a4da55e4a899ce15c3d94be84bc70e7b8c929cfb6620e95e3bcbdfdbecbea408d67527e6ab2a6f43517d5
SSDEEP: 1536:wvShYbZYPQdt1R/njNoc5CW+bYw3i9mgFwrREUMg7XQeYuriWglBEfkEnMAp0+F:waO6Qdt1phoc552Uml6UMqY9Wgl4++F
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e573817.exe, e5736bf.exe
Rows: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573817.exe
UAC bypass
Processes: e5736bf.exe, e573817.exe
Rows: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573817.exe
Windows security bypass
Processes: e5736bf.exe, e573817.exe
Rows: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5736bf.exe
Executes dropped EXE (3 IoCs)
Processes: e5736bf.exe, e573817.exe, e5757a5.exe
Rows: pid | process
- 4384 | e5736bf.exe
- 4040 | e573817.exe
- 2436 | e5757a5.exe
Memory regions matching YARA rule upx
Rows: resource | yara_rule
- behavioral2/memory/4384-6-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-10-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-9-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-11-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-20-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-18-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-12-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-19-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-27-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-28-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-36-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-37-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-38-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-39-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-40-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-42-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-51-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-52-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-62-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-63-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-65-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-67-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-70-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-71-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-73-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-74-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-75-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-81-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-84-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4384-86-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
- behavioral2/memory/4040-115-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
- behavioral2/memory/4040-133-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification
Processes: e5736bf.exe, e573817.exe
Rows: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5736bf.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573817.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573817.exe
Checks whether UAC is enabled
Processes: e5736bf.exe, e573817.exe
Rows: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5736bf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573817.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e5736bf.exe
Rows: description | ioc | process
- File opened (read-only) | \??\H: | e5736bf.exe
- File opened (read-only) | \??\J: | e5736bf.exe
- File opened (read-only) | \??\M: | e5736bf.exe
- File opened (read-only) | \??\N: | e5736bf.exe
- File opened (read-only) | \??\E: | e5736bf.exe
- File opened (read-only) | \??\I: | e5736bf.exe
- File opened (read-only) | \??\K: | e5736bf.exe
- File opened (read-only) | \??\L: | e5736bf.exe
- File opened (read-only) | \??\O: | e5736bf.exe
- File opened (read-only) | \??\P: | e5736bf.exe
- File opened (read-only) | \??\Q: | e5736bf.exe
- File opened (read-only) | \??\G: | e5736bf.exe
Drops file in Program Files directory (3 IoCs)
Processes: e5736bf.exe
Rows: description | ioc | process
- File opened for modification | C:\Program Files\7-Zip\7z.exe | e5736bf.exe
- File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5736bf.exe
- File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5736bf.exe
Drops file in Windows directory (3 IoCs)
Processes: e573817.exe, e5736bf.exe
Rows: description | ioc | process
- File created | C:\Windows\e5787ed | e573817.exe
- File created | C:\Windows\e57370e | e5736bf.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e5736bf.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e5736bf.exe, e573817.exe
Rows: pid | process
- 4384 | e5736bf.exe
- 4384 | e5736bf.exe
- 4384 | e5736bf.exe
- 4384 | e5736bf.exe
- 4040 | e573817.exe
- 4040 | e573817.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e5736bf.exe
Rows: description | pid | process
- Token: SeDebugPrivilege | 4384 | e5736bf.exe (this identical row appears 64 times in the report)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e5736bf.exe, e573817.exe
Rows: description | pid | process | target process
- PID 3364 wrote to memory of 2660 | 3364 | rundll32.exe | rundll32.exe
- PID 3364 wrote to memory of 2660 | 3364 | rundll32.exe | rundll32.exe
- PID 3364 wrote to memory of 2660 | 3364 | rundll32.exe | rundll32.exe
- PID 2660 wrote to memory of 4384 | 2660 | rundll32.exe | e5736bf.exe
- PID 2660 wrote to memory of 4384 | 2660 | rundll32.exe | e5736bf.exe
- PID 2660 wrote to memory of 4384 | 2660 | rundll32.exe | e5736bf.exe
- PID 4384 wrote to memory of 784 | 4384 | e5736bf.exe | fontdrvhost.exe
- PID 4384 wrote to memory of 788 | 4384 | e5736bf.exe | fontdrvhost.exe
- PID 4384 wrote to memory of 332 | 4384 | e5736bf.exe | dwm.exe
- PID 4384 wrote to memory of 2896 | 4384 | e5736bf.exe | sihost.exe
- PID 4384 wrote to memory of 2904 | 4384 | e5736bf.exe | svchost.exe
- PID 4384 wrote to memory of 3012 | 4384 | e5736bf.exe | taskhostw.exe
- PID 4384 wrote to memory of 3448 | 4384 | e5736bf.exe | Explorer.EXE
- PID 4384 wrote to memory of 3640 | 4384 | e5736bf.exe | svchost.exe
- PID 4384 wrote to memory of 3844 | 4384 | e5736bf.exe | DllHost.exe
- PID 4384 wrote to memory of 3952 | 4384 | e5736bf.exe | StartMenuExperienceHost.exe
- PID 4384 wrote to memory of 4020 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 3520 | 4384 | e5736bf.exe | SearchApp.exe
- PID 4384 wrote to memory of 4252 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 1088 | 4384 | e5736bf.exe | TextInputHost.exe
- PID 4384 wrote to memory of 1844 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 1196 | 4384 | e5736bf.exe | backgroundTaskHost.exe
- PID 4384 wrote to memory of 60 | 4384 | e5736bf.exe | backgroundTaskHost.exe
- PID 4384 wrote to memory of 3364 | 4384 | e5736bf.exe | rundll32.exe
- PID 4384 wrote to memory of 2660 | 4384 | e5736bf.exe | rundll32.exe
- PID 4384 wrote to memory of 2660 | 4384 | e5736bf.exe | rundll32.exe
- PID 2660 wrote to memory of 4040 | 2660 | rundll32.exe | e573817.exe
- PID 2660 wrote to memory of 4040 | 2660 | rundll32.exe | e573817.exe
- PID 2660 wrote to memory of 4040 | 2660 | rundll32.exe | e573817.exe
- PID 2660 wrote to memory of 2436 | 2660 | rundll32.exe | e5757a5.exe
- PID 2660 wrote to memory of 2436 | 2660 | rundll32.exe | e5757a5.exe
- PID 2660 wrote to memory of 2436 | 2660 | rundll32.exe | e5757a5.exe
- PID 4384 wrote to memory of 784 | 4384 | e5736bf.exe | fontdrvhost.exe
- PID 4384 wrote to memory of 788 | 4384 | e5736bf.exe | fontdrvhost.exe
- PID 4384 wrote to memory of 332 | 4384 | e5736bf.exe | dwm.exe
- PID 4384 wrote to memory of 2896 | 4384 | e5736bf.exe | sihost.exe
- PID 4384 wrote to memory of 2904 | 4384 | e5736bf.exe | svchost.exe
- PID 4384 wrote to memory of 3012 | 4384 | e5736bf.exe | taskhostw.exe
- PID 4384 wrote to memory of 3448 | 4384 | e5736bf.exe | Explorer.EXE
- PID 4384 wrote to memory of 3640 | 4384 | e5736bf.exe | svchost.exe
- PID 4384 wrote to memory of 3844 | 4384 | e5736bf.exe | DllHost.exe
- PID 4384 wrote to memory of 3952 | 4384 | e5736bf.exe | StartMenuExperienceHost.exe
- PID 4384 wrote to memory of 4020 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 3520 | 4384 | e5736bf.exe | SearchApp.exe
- PID 4384 wrote to memory of 4252 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 1088 | 4384 | e5736bf.exe | TextInputHost.exe
- PID 4384 wrote to memory of 1844 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 1196 | 4384 | e5736bf.exe | backgroundTaskHost.exe
- PID 4384 wrote to memory of 4040 | 4384 | e5736bf.exe | e573817.exe
- PID 4384 wrote to memory of 4040 | 4384 | e5736bf.exe | e573817.exe
- PID 4384 wrote to memory of 4788 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 3736 | 4384 | e5736bf.exe | RuntimeBroker.exe
- PID 4384 wrote to memory of 2628 | 4384 | e5736bf.exe | DllHost.exe
- PID 4384 wrote to memory of 2436 | 4384 | e5736bf.exe | e5757a5.exe
- PID 4384 wrote to memory of 2436 | 4384 | e5736bf.exe | e5757a5.exe
- PID 4040 wrote to memory of 784 | 4040 | e573817.exe | fontdrvhost.exe
- PID 4040 wrote to memory of 788 | 4040 | e573817.exe | fontdrvhost.exe
- PID 4040 wrote to memory of 332 | 4040 | e573817.exe | dwm.exe
- PID 4040 wrote to memory of 2896 | 4040 | e573817.exe | sihost.exe
- PID 4040 wrote to memory of 2904 | 4040 | e573817.exe | svchost.exe
- PID 4040 wrote to memory of 3012 | 4040 | e573817.exe | taskhostw.exe
- PID 4040 wrote to memory of 3448 | 4040 | e573817.exe | Explorer.EXE
- PID 4040 wrote to memory of 3640 | 4040 | e573817.exe | svchost.exe
- PID 4040 wrote to memory of 3844 | 4040 | e573817.exe | DllHost.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e573817.exe, e5736bf.exe
Rows: description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573817.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5736bf.exe
Processes
Entries: [PID] image path, followed by the command line; nesting shows the parent/child relationship.
- [PID 784] C:\Windows\system32\fontdrvhost.exe, cmdline: "fontdrvhost.exe"
- [PID 788] C:\Windows\system32\fontdrvhost.exe, cmdline: "fontdrvhost.exe"
- [PID 332] C:\Windows\system32\dwm.exe, cmdline: "dwm.exe"
- [PID 2896] C:\Windows\system32\sihost.exe, cmdline: sihost.exe
- [PID 2904] C:\Windows\system32\svchost.exe, cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [PID 3012] C:\Windows\system32\taskhostw.exe, cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [PID 3448] C:\Windows\Explorer.EXE, cmdline: C:\Windows\Explorer.EXE
  - [PID 3364] C:\Windows\system32\rundll32.exe, cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d44bd5243dc388769a3d7b25031f303eebaab59570f51d7048db23248b31748_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    - [PID 2660] C:\Windows\SysWOW64\rundll32.exe, cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d44bd5243dc388769a3d7b25031f303eebaab59570f51d7048db23248b31748_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      - [PID 4384] C:\Users\Admin\AppData\Local\Temp\e5736bf.exe, cmdline: C:\Users\Admin\AppData\Local\Temp\e5736bf.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - [PID 4040] C:\Users\Admin\AppData\Local\Temp\e573817.exe, cmdline: C:\Users\Admin\AppData\Local\Temp\e573817.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - [PID 2436] C:\Users\Admin\AppData\Local\Temp\e5757a5.exe, cmdline: C:\Users\Admin\AppData\Local\Temp\e5757a5.exe
        - Executes dropped EXE
- [PID 3640] C:\Windows\system32\svchost.exe, cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [PID 3844] C:\Windows\system32\DllHost.exe, cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [PID 3952] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- [PID 4020] C:\Windows\System32\RuntimeBroker.exe, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 3520] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- [PID 4252] C:\Windows\System32\RuntimeBroker.exe, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 1088] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- [PID 1844] C:\Windows\System32\RuntimeBroker.exe, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 1196] C:\Windows\system32\backgroundTaskHost.exe, cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- [PID 60] C:\Windows\system32\backgroundTaskHost.exe, cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- [PID 4788] C:\Windows\System32\RuntimeBroker.exe, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 3736] C:\Windows\System32\RuntimeBroker.exe, cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [PID 2628] C:\Windows\system32\DllHost.exe, cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 5a99dff5626879f699ac7b2e29492349
  SHA1: dd93df5d0c236cf86025350c8c458ee17abb48ce
  SHA256: bb5869fb8826268b97422a89e3b8c7f9399f21dcaece6a39af1ce113aecd90b7
  SHA512: d2e9656f2364b59df87aa4d7844493b12a266e013abb53d51191987069893d0559b23f5d0e84a4e9a66b5634975bfa9c836b7cd3780fd8b00a947bdee2df89c0
- Filesize: 257B
  MD5: 1205ab1fa6fce7e3152bc81bd4b66873
  SHA1: 5a57e58801d9d77fb76628b04901b33b1ba5e147
  SHA256: c62dd8df923d0d072072095553a8a06c98fdcc834fe5cbb7198a443ff9e1462f
  SHA512: 08d906c90bb6198558ff469675febcaab6fbed9a418508dcca3ff8ddce0d2b9764ceb91cea7834d6be965fe000b04f61e75f0f8ad759cd542ea9a3d170905d24