Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-ftddyasbmg
Target 334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744_NeikiAnalytics.exe
SHA256 334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744

Threat Level: Known bad

The file 334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

UAC bypass

Windows security bypass

Sality

Loads dropped DLL

UPX packed file

Windows security modification

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 05:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 05:09

Reported

2024-06-25 05:12

Platform

win7-20240220-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7608d7 C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
File created C:\Windows\f7658e9 C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2928 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760889.exe
PID 2928 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Windows\system32\Dwm.exe
PID 2928 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Windows\Explorer.EXE
PID 2928 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Windows\system32\taskhost.exe
PID 2928 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Windows\system32\DllHost.exe
PID 2928 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7609f0.exe
PID 2268 wrote to memory of 1748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762472.exe
PID 2928 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Users\Admin\AppData\Local\Temp\f7609f0.exe
PID 2928 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\f760889.exe C:\Users\Admin\AppData\Local\Temp\f762472.exe
PID 2420 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\f7609f0.exe C:\Windows\system32\Dwm.exe
PID 2420 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\f7609f0.exe C:\Windows\Explorer.EXE
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7609f0.exe C:\Windows\system32\taskhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760889.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7609f0.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760889.exe

C:\Users\Admin\AppData\Local\Temp\f760889.exe

C:\Users\Admin\AppData\Local\Temp\f7609f0.exe

C:\Users\Admin\AppData\Local\Temp\f7609f0.exe

C:\Users\Admin\AppData\Local\Temp\f762472.exe

C:\Users\Admin\AppData\Local\Temp\f762472.exe

Network

N/A

Files

memory/2268-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760889.exe

MD5 1dfcefab37457f3ffbfd54ed3c79b99f
SHA1 6e9055332272a3777e083275507906f09116f604
SHA256 89cb63fdaa435520d5cb8b2c660beb9952ce33bc7a68fab380e5440906284a50
SHA512 a745f4deca81b628368ad0bbb5bf6128ccfdf9679dbcfdf4f09525f822418a5bcefd55477c8751afdc08023a41dd9ad7f2f6f8d3a1833dcdf55d5f837a50df10

memory/2268-9-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2268-8-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2928-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2928-17-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-14-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-19-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-12-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-20-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-18-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-16-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-22-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-15-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-47-0x00000000017A0000-0x00000000017A1000-memory.dmp

memory/2928-49-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2268-46-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2928-21-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2268-37-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2268-36-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1040-28-0x0000000001F90000-0x0000000001F92000-memory.dmp

memory/2928-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2268-57-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2268-59-0x00000000001D0000-0x00000000001E2000-memory.dmp

memory/2420-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2268-60-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2928-62-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-63-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-64-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-65-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-66-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2268-78-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2928-80-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-81-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-83-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2420-91-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2420-92-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1748-98-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1748-97-0x0000000000330000-0x0000000000331000-memory.dmp

memory/2420-99-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1748-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2928-102-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-103-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-106-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-111-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2928-142-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2928-143-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 2d778ecda2f0520558f440c436c48751
SHA1 63aee4bd51762294d65bb96bc917d28e31cf4e8e
SHA256 cf90941ab1acb835774a52f185334115ca45c58bf37f955be101f06330f51ea2
SHA512 c4f163b798c8c97b035b5f3f7dd6f659b7757fe86621c5831ef5575e017195efe809cfebe1eace7891274221a07799a1dd36dc21c1271732cf2afdbaaf554fb4

memory/2420-155-0x00000000009A0000-0x0000000001A5A000-memory.dmp

memory/2420-177-0x00000000009A0000-0x0000000001A5A000-memory.dmp

memory/2420-176-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1748-181-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 05:09

Reported

2024-06-25 05:12

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574026 C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
File created C:\Windows\e57aa3a C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A (identical row repeated 64 times in the report, one per token adjustment)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 4864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 4864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4068 wrote to memory of 4864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 4032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe
PID 4864 wrote to memory of 4032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe
PID 4864 wrote to memory of 4032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe
PID 4032 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\fontdrvhost.exe
PID 4032 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\fontdrvhost.exe
PID 4032 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\dwm.exe
PID 4032 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\sihost.exe
PID 4032 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\svchost.exe
PID 4032 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\taskhostw.exe
PID 4032 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\Explorer.EXE
PID 4032 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\svchost.exe
PID 4032 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\DllHost.exe
PID 4032 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4032 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4032 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4032 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\rundll32.exe
PID 4032 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SysWOW64\rundll32.exe
PID 4032 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 3580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57412f.exe
PID 4864 wrote to memory of 3580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57412f.exe
PID 4864 wrote to memory of 3580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57412f.exe
PID 4864 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575bcc.exe
PID 4864 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575bcc.exe
PID 4864 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575bcc.exe
PID 4032 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\fontdrvhost.exe
PID 4032 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\fontdrvhost.exe
PID 4032 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\dwm.exe
PID 4032 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\sihost.exe
PID 4032 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\svchost.exe
PID 4032 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\taskhostw.exe
PID 4032 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\Explorer.EXE
PID 4032 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\svchost.exe
PID 4032 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\DllHost.exe
PID 4032 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4032 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4032 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Users\Admin\AppData\Local\Temp\e57412f.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Users\Admin\AppData\Local\Temp\e57412f.exe
PID 4032 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Users\Admin\AppData\Local\Temp\e575bcc.exe
PID 4032 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Users\Admin\AppData\Local\Temp\e575bcc.exe
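
The WriteProcessMemory rows are the most telling part of this run. The loader chain is rundll32 (PID 4068) writing into a 32-bit rundll32 (4864), which writes into the first drop e573ff7.exe (4032); that drop then writes into fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, RuntimeBroker and the Start menu, search and input hosts, i.e. every process in the interactive session, and finally back into its own rundll32 parents and the two later drops. The following Python is an added example, not code from this report or from the sandbox vendor: it parses rows in exactly the format above (SAMPLE_ROWS is a verbatim subset), builds the write graph, flags writers with a large fan-out, and walks the chain from the loader. The fan-out threshold and the "image under the Windows directory" heuristic are assumptions.

```python
"""Injection graph built from "Suspicious use of WriteProcessMemory" report rows.

Added example; not code from the original report or its sandbox. SAMPLE_ROWS is
a verbatim subset of the table above. The fan-out threshold in flag_injectors()
and the "image under the Windows directory" heuristic are assumptions.
"""
import re
from collections import defaultdict

# Row shape: PID <src> wrote to memory of <dst> N/A <src image> <dst image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE_ROWS = r"""
PID 4068 wrote to memory of 4864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 4032 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573ff7.exe
PID 4032 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\fontdrvhost.exe
PID 4032 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\fontdrvhost.exe
PID 4032 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\dwm.exe
PID 4032 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\sihost.exe
PID 4032 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\svchost.exe
PID 4032 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\taskhostw.exe
PID 4032 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\Explorer.EXE
PID 4032 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\svchost.exe
PID 4032 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\DllHost.exe
PID 4032 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4032 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4032 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\System32\RuntimeBroker.exe
PID 4032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4032 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\system32\rundll32.exe
PID 4032 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 3580 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57412f.exe
PID 4864 wrote to memory of 972 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575bcc.exe
PID 4032 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Users\Admin\AppData\Local\Temp\e57412f.exe
PID 4032 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\e573ff7.exe C:\Users\Admin\AppData\Local\Temp\e575bcc.exe
"""


def parse_rows(text):
    """Parse report rows into (src_pid, dst_pid, src_image, dst_image) tuples;
    lines that do not match the row shape are skipped."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.append((int(src), int(dst), src_img, dst_img))
    return edges


def build_graph(edges):
    """graph: writer PID -> set of PIDs it wrote into; images: PID -> image path."""
    graph, images = defaultdict(set), {}
    for src, dst, src_img, dst_img in edges:
        graph[src].add(dst)
        images[src], images[dst] = src_img, dst_img
    return graph, images


def is_windows_image(path):
    """Heuristic (assumption): anything under the Windows directory counts as an OS binary."""
    return path.lower().startswith("c:\\windows\\")


def flag_injectors(graph, images, min_targets=5):
    """Writers that reached at least min_targets distinct processes, largest fan-out
    first. A non-OS binary writing into many OS processes is the shape e573ff7.exe shows."""
    flagged = []
    for pid, targets in graph.items():
        if len(targets) < min_targets:
            continue
        flagged.append({
            "pid": pid,
            "image": images[pid],
            "targets": len(targets),
            "windows_targets": sum(is_windows_image(images[t]) for t in targets),
            "writer_is_os_binary": is_windows_image(images[pid]),
        })
    return sorted(flagged, key=lambda f: -f["targets"])


def reachable(graph, root):
    """PIDs reachable from root along write edges, root excluded. The seen set
    handles cycles such as the drop writing back into its own rundll32 parents."""
    seen, order, stack = {root}, [], [root]
    while stack:
        pid = stack.pop()
        for nxt in sorted(graph.get(pid, ())):
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                stack.append(nxt)
    return order


if __name__ == "__main__":
    g, imgs = build_graph(parse_rows(SAMPLE_ROWS))
    for f in flag_injectors(g, imgs):
        print(f"PID {f['pid']} {f['image']}: {f['targets']} targets, "
              f"{f['windows_targets']} OS processes, OS binary={f['writer_is_os_binary']}")
    print("reachable from loader 4068:", reachable(g, 4068))
```

On the rows above the only writer over the threshold is PID 4032, a Temp-directory executable, with 19 distinct targets of which 17 are Windows binaries; in EDR telemetry the same rule (unsigned image in a user-writable path opening many session processes for write) is a high-confidence detection for this family, whereas the rundll32 to rundll32 write on its own is too common to alert on.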

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573ff7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575bcc.exe N/A
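
EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System disables UAC for every account once the machine restarts; because it is a policy value it persists across reboots, and both the first drop (e573ff7.exe) and the third (e575bcc.exe) set it, so a single cleanup pass that kills one process is not enough. The following Python is an added example, not code from this report or the sandbox vendor: a host sweep for the artifacts this section records (the UAC policy value, the files created under C:\Windows, the hash of the first drop, and the modified SYSTEM.INI). The dropped file names are assumed to vary between runs, so the SYSTEM.INI check also looks for the [MCIDRV_VER] section that public Sality write-ups describe it adding; that marker is drawn from those write-ups, not from this report. The reader callbacks exist so the same logic can run against a live host (winreg) or a mounted image.

```python
"""Host sweep for the artifacts recorded in this run.

Added example; not code from the original report. Paths, the registry value and
the hashes are copied from the rows above. The [MCIDRV_VER] marker is the
SYSTEM.INI section Sality is publicly documented to write and is an assumption
about hosts other than the sandbox image; the e57xxxx file names are assumed to
be per-run and are kept only as exact-match indicators for this sample.
"""
import hashlib
import os
import re

UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DROPPED_PATHS = [r"C:\Windows\e574026", r"C:\Windows\e57aa3a"]
KNOWN_BAD_SHA256 = {
    r"C:\Users\Admin\AppData\Local\Temp\e573ff7.exe":
        "89cb63fdaa435520d5cb8b2c660beb9952ce33bc7a68fab380e5440906284a50",
}
SYSTEM_INI = r"C:\Windows\SYSTEM.INI"
# Hash of SYSTEM.INI after this run; only meaningful on the sandbox image itself.
SYSTEM_INI_SANDBOX_SHA256 = "e115e2fa7a04fe11b5ab0ac7f6a795274b3c2af64bd4b1aefcd2b8b0d92ae552"
MCIDRV_SECTION = re.compile(rb"^\s*\[MCIDRV_VER\]\s*$", re.M)


def live_reg_dword(subkey, name):
    """Read an HKLM DWORD on a live Windows host; None if the key or value is absent."""
    import winreg  # Windows only; imported lazily so the sweep logic itself runs anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return int(value)
    except OSError:
        return None


def live_read_file(path):
    """Return the file's bytes, or None if the path does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def sweep(reg_dword=live_reg_dword, read_file=live_read_file):
    """Return (severity, message) findings. Checks are independent so a missing
    artifact never hides the others."""
    findings = []

    if reg_dword(UAC_POLICY_KEY, "EnableLUA") == 0:
        findings.append(("high", "EnableLUA=0: UAC disabled via policy key"))

    for path in DROPPED_PATHS:
        if read_file(path) is not None:
            findings.append(("high", f"dropped artifact present: {path}"))

    for path, sha in KNOWN_BAD_SHA256.items():
        data = read_file(path)
        if data is not None and hashlib.sha256(data).hexdigest() == sha:
            findings.append(("high", f"known-bad binary present: {path}"))

    ini = read_file(SYSTEM_INI)
    if ini is not None:
        if hashlib.sha256(ini).hexdigest() == SYSTEM_INI_SANDBOX_SHA256:
            findings.append(("high", "SYSTEM.INI matches the sandbox post-infection hash"))
        elif MCIDRV_SECTION.search(ini):
            findings.append(("medium", "SYSTEM.INI contains a [MCIDRV_VER] section (Sality marker)"))

    return findings


if __name__ == "__main__":
    for severity, message in sweep():
        print(f"[{severity}] {message}")
```

Remediation for the registry part is to set EnableLUA back to 1 and reboot, but only after the infected binaries are gone, since any of them would set it to 0 again on the next run.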

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\334041f047ac21a074668b1ce150f122aa8368627b9ff028a620befe47709744_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573ff7.exe

C:\Users\Admin\AppData\Local\Temp\e573ff7.exe

C:\Users\Admin\AppData\Local\Temp\e57412f.exe

C:\Users\Admin\AppData\Local\Temp\e57412f.exe

C:\Users\Admin\AppData\Local\Temp\e575bcc.exe

C:\Users\Admin\AppData\Local\Temp\e575bcc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4864-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e573ff7.exe

MD5 1dfcefab37457f3ffbfd54ed3c79b99f
SHA1 6e9055332272a3777e083275507906f09116f604
SHA256 89cb63fdaa435520d5cb8b2c660beb9952ce33bc7a68fab380e5440906284a50
SHA512 a745f4deca81b628368ad0bbb5bf6128ccfdf9679dbcfdf4f09525f822418a5bcefd55477c8751afdc08023a41dd9ad7f2f6f8d3a1833dcdf55d5f837a50df10

memory/4032-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4032-9-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-12-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-11-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-8-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-18-0x0000000000570000-0x0000000000571000-memory.dmp

memory/4032-6-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-13-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-27-0x0000000000560000-0x0000000000562000-memory.dmp

memory/4032-24-0x0000000000850000-0x000000000190A000-memory.dmp

memory/3580-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4032-32-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-31-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4864-25-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

memory/4032-10-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-29-0x0000000000560000-0x0000000000562000-memory.dmp

memory/4864-28-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

memory/4864-16-0x0000000000C80000-0x0000000000C81000-memory.dmp

memory/4864-15-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

memory/4032-14-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-36-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-37-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-38-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-39-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-40-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-42-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4864-47-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

memory/972-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4032-51-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-52-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-54-0x0000000000850000-0x000000000190A000-memory.dmp

memory/972-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3580-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3580-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/972-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3580-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/972-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4032-63-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-66-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-67-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-69-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-71-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-73-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-74-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-75-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-79-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-85-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-87-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-88-0x0000000000850000-0x000000000190A000-memory.dmp

memory/4032-107-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4032-95-0x0000000000560000-0x0000000000562000-memory.dmp

memory/3580-111-0x0000000000B40000-0x0000000001BFA000-memory.dmp

memory/3580-112-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 a4f2e67722a6940438630085fe66ea8c
SHA1 17125b3d78d3267a4d82a83931577f448000f2b9
SHA256 e115e2fa7a04fe11b5ab0ac7f6a795274b3c2af64bd4b1aefcd2b8b0d92ae552
SHA512 140417698247b0108e7ecc8d95dbbe06be0f293bed3e642f1ad7709e2e9aad8dc0077d13ca520bde28446fe01659b3f735ac582c6285f6a13f56ea42cf267aec

memory/972-136-0x0000000000B40000-0x0000000001BFA000-memory.dmp

memory/972-137-0x0000000000400000-0x0000000000412000-memory.dmp