Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-h82q7azbqj
Target 4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1_NeikiAnalytics.exe
SHA256 4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1

Threat Level: Known bad

The file 4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

UAC bypass

Sality

Modifies firewall policy service

Loads dropped DLL

UPX packed file

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 07:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 07:25

Reported

2024-06-25 07:27

Platform

win7-20240419-en

Max time kernel

117s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (25 identical rows collapsed: the UPX signature fired but the report records no indicator, process or target for it)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f762ccb C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
File created C:\Windows\f767cbe C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A (21 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A (20 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 1520 wrote to memory of 2368 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762c6d.exe (4 identical rows)
PID 2368 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\system32\taskhost.exe
PID 2368 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\system32\Dwm.exe
PID 2368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\Explorer.EXE
PID 2368 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\system32\DllHost.exe
PID 2368 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\system32\rundll32.exe
PID 2368 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\SysWOW64\rundll32.exe (2 identical rows)
PID 1520 wrote to memory of 2488 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762e22.exe (4 identical rows)
PID 1520 wrote to memory of 2228 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764846.exe (4 identical rows)
PID 2368 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\system32\taskhost.exe
PID 2368 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\system32\Dwm.exe
PID 2368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\Explorer.EXE
PID 2368 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Users\Admin\AppData\Local\Temp\f762e22.exe (2 identical rows)
PID 2368 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Users\Admin\AppData\Local\Temp\f764846.exe (2 identical rows)
PID 2228 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\system32\taskhost.exe
PID 2228 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\system32\Dwm.exe
PID 2228 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\Explorer.EXE
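
Worked example, added by the editor and not part of the sandbox report or its tooling: a Python routine that rebuilds the cross-process write graph from rows in the format of the WriteProcessMemory table above. Sandbox traces commonly record a parent's writes into a child it is starting as WriteProcessMemory as well, so the 64-bit rundll32 (PID 2036) writing into its 32-bit counterpart (1520), and 1520 writing into the freshly launched %TEMP% executables, are expected launch noise. The rows that matter are the dropped executables writing into taskhost.exe, Dwm.exe and Explorer.EXE, which is why those system processes carry their own entries in the Processes list. The sample rows are copied from the table above (a trailing "(N identical rows)" annotation, if present, is read as a repeat count); the SYSTEM_IMAGES list and the %TEMP% filter are the editor's choices.

```python
"""Rebuild the cross-process write graph from sandbox 'wrote to memory of' rows.

Added example, not part of the sandbox report. Sample rows are copied from the
behavioral1 WriteProcessMemory table; SYSTEM_IMAGES is the editor's list.
"""
import re
from collections import Counter, defaultdict, deque

# Row layout: "PID <src> wrote to memory of <dst>  <indicator>  <src image>  <dst image>"
# with an optional "(N identical rows)" suffix as used in a collapsed table.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\S+\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)"
    r"(?:\s+\((?P<n>\d+) identical rows\))?$"
)

# System processes a binary dropped under %TEMP% has no business writing into (editor's list).
SYSTEM_IMAGES = {"taskhost.exe", "dwm.exe", "explorer.exe", "dllhost.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Return (Counter of (src_pid, dst_pid) -> write count, {pid: image path})."""
    edges, images = Counter(), {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += int(m["n"] or 1)
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return edges, images


def injection_targets(edges, images):
    """Writes from a %TEMP% executable into a system process.

    Returns (writer pid, writer name, victim pid, victim name) tuples. Parent-to-child
    writes made while starting a process also appear as WriteProcessMemory in sandbox
    traces, so only writers under AppData\\Local\\Temp and victims in SYSTEM_IMAGES count.
    """
    hits = []
    for src, dst in sorted(edges):
        if "\\appdata\\local\\temp\\" in images[src].lower() and basename(images[dst]) in SYSTEM_IMAGES:
            hits.append((src, basename(images[src]), dst, basename(images[dst])))
    return hits


def shortest_path(edges, start, goal):
    """BFS over write edges; returns the PID chain from start to goal, or [] if unreachable."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    prev, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for nxt in adj[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if goal not in prev:
        return []
    path, node = [], goal
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


# Rows copied from the report's behavioral1 table (three launch-time writes kept verbatim).
SAMPLE_ROWS = [
    r"PID 2036 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2036 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2036 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1520 wrote to memory of 2368 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762c6d.exe",
    r"PID 2368 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\system32\taskhost.exe",
    r"PID 2368 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f762c6d.exe C:\Windows\Explorer.EXE",
    r"PID 1520 wrote to memory of 2228 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764846.exe",
    r"PID 2228 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\system32\Dwm.exe",
]

if __name__ == "__main__":
    edges, images = parse(SAMPLE_ROWS)
    for writer, wname, victim, vname in injection_targets(edges, images):
        print(f"{wname} (PID {writer}) -> {vname} (PID {victim})")
    print("chain to taskhost.exe:", shortest_path(edges, 2036, 1104))
```

The BFS chain is what a responder wants first: the loader rundll32 (2036) reaches taskhost.exe (1104) only through the 32-bit rundll32 (1520) and the dropped f762c6d.exe (2368), so taskhost.exe, Dwm.exe and Explorer.EXE should be treated as injected into rather than as the malware's origin.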

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
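
Worked example, added by the editor and not part of the sandbox report or its tooling: a Python routine that reads "Set value" rows in the format of the registry tables above and maps each write to the Windows control it weakens. It shows why the firewall-policy, UAC-bypass, Security Center and system-policy signatures above describe one pattern: the same two dropped executables switch the Windows Firewall standard profile off, set EnableLUA to 0 (which disables UAC, but only after the next reboot), and set the Security Center override and notification flags that stop the user from being warned about either. The rule table, the category names and the svchost.exe control row are the editor's constructions; the other sample rows are copied from the behavioral1 tables.

```python
"""Map sandbox "Set value" registry rows to the Windows security control they weaken.

Added example, not part of the sandbox report. Sample rows are copied from the
behavioral1 tables except the svchost.exe control row, which is constructed.
"""
import re
from collections import defaultdict

# Editor's rule table: (registry key suffix, value that weakens the control) -> category.
# The key is matched case-insensitively; the value is compared as the report prints it.
TAMPER_RULES = {
    (r"\FirewallPolicy\StandardProfile\EnableFirewall", "0"): "firewall_disabled",
    (r"\FirewallPolicy\StandardProfile\DoNotAllowExceptions", "0"): "firewall_exceptions_allowed",
    (r"\FirewallPolicy\StandardProfile\DisableNotifications", "1"): "firewall_notifications_off",
    # EnableLUA=0 turns UAC off, but the change only takes effect after a reboot.
    (r"\Policies\System\EnableLUA", "0"): "uac_disabled",
    # Security Center "Override" flags tell it a third-party product covers the control;
    # the "DisableNotify" flags silence the user-facing warnings.
    (r"\Security Center\AntiVirusOverride", "1"): "security_center_av_override",
    (r"\Security Center\FirewallOverride", "1"): "security_center_fw_override",
    (r"\Security Center\AntiVirusDisableNotify", "1"): "security_center_notify_off",
    (r"\Security Center\FirewallDisableNotify", "1"): "security_center_notify_off",
    (r"\Security Center\UpdatesDisableNotify", "1"): "security_center_notify_off",
    (r"\Security Center\UacDisableNotify", "1"): "security_center_notify_off",
}

# Row layout used by the report: Description  Indicator (key = "value")  Process  Target
ROW_RE = re.compile(
    r'^Set value \(\w+\)\s+(?P<key>\\REGISTRY\\.+?)\s*=\s*"(?P<value>[^"]*)"\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)


def parse_row(line):
    """Return the row's fields as a dict, or None for rows that are not 'Set value' events."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(key, value):
    """Return the tamper category for a key/value pair, or None if it is not a known weakening."""
    key_l = key.lower()
    for (suffix, bad_value), category in TAMPER_RULES.items():
        if key_l.endswith(suffix.lower()) and value == bad_value:
            return category
    return None


def summarize(lines):
    """Return {process path: sorted list of tamper categories} over the given report rows."""
    hits = defaultdict(set)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        category = classify(row["key"], row["value"])
        if category:
            hits[row["process"]].add(category)
    return {proc: sorted(cats) for proc, cats in hits.items()}


def verdict(categories):
    """Collapse one process's categories into a label; the combined pattern is the report's 'security bypass'."""
    cats = set(categories)
    if {"firewall_disabled", "uac_disabled"} <= cats and any(c.startswith("security_center_") for c in cats):
        return "security-bypass pattern: firewall, UAC and Security Center all weakened"
    return "partial tampering" if cats else "none"


# Rows copied from the report; the last two are constructed controls (a hardened value and a non-'Set value' row).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\system32\svchost.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762c6d.exe N/A',
]

if __name__ == "__main__":
    for proc, cats in summarize(SAMPLE_ROWS).items():
        print(proc, cats, "->", verdict(cats))
```

The control row with EnableLUA = "1" is deliberately not flagged: the rule table keys on the weakening value, not on the key alone, so a legitimate re-enable of UAC does not trip the detection. The "Key created ... Security Center\Svc" row is skipped because it carries no value to judge.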

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f762c6d.exe

C:\Users\Admin\AppData\Local\Temp\f762c6d.exe

C:\Users\Admin\AppData\Local\Temp\f762e22.exe

C:\Users\Admin\AppData\Local\Temp\f762e22.exe

C:\Users\Admin\AppData\Local\Temp\f764846.exe

C:\Users\Admin\AppData\Local\Temp\f764846.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f762c6d.exe

MD5 ca49bf7be69d4915d3139b313dcf018b
SHA1 5876798d5490c767599fc929175176c58fcbf901
SHA256 68a7c4367fdc8197405c81acd50ff6e3375e3f2bc36c107228ca342bfb933349
SHA512 adc272f1559a038c3d1bbbe2af2842ff717368ff3f7a72766f472bc6846a269ac5ea2a55dff2c2de31781a87d745fc6b8483ba6fe586956c0efa598e221c0737

memory/2368-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1520-9-0x0000000000240000-0x0000000000252000-memory.dmp

memory/1520-8-0x0000000000240000-0x0000000000252000-memory.dmp

memory/1520-4-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2368-16-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-18-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-14-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-17-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-23-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/1104-29-0x0000000001FF0000-0x0000000001FF2000-memory.dmp

memory/1520-38-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2368-21-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-49-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/1520-56-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2488-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1520-60-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1520-59-0x0000000000730000-0x0000000000742000-memory.dmp

memory/2368-58-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/2368-22-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-47-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/1520-46-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2368-20-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/1520-37-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2368-19-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-15-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-63-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-62-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-64-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-66-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-65-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-68-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-69-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2228-82-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1520-80-0x0000000000750000-0x0000000000762000-memory.dmp

memory/2368-83-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-86-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2368-88-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2228-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2228-103-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2368-105-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2228-108-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2488-107-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2368-106-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2488-102-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2488-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2368-126-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/2368-151-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2368-150-0x00000000006C0000-0x000000000177A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 8208ea041e75dec33a227c4a1284a124
SHA1 40db66aa9db580f13fcc58d2f40d24b81421bc21
SHA256 6a876a2d1fc1a43fc1d8227fd5a6640452317737444f30182738acff083b87bd
SHA512 f02cb16b19f60245375cab9b22720fced4641280bce6ad32150d60e5c81bb7b8643356f9ddab84f0909b209ee151c7e1e80fd673ac5bab60a205c0939d0afb8b

memory/2488-178-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2228-166-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2228-206-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2228-205-0x0000000000400000-0x0000000000412000-memory.dmp
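
Worked example, added by the editor and not part of the sandbox report or its tooling: a Python routine that parses the memory dump names listed above (memory/PID-sequence-0xSTART-0xEND-memory.dmp) and tabulates, per process, which address ranges were dumped, how large they are, how often, and which ranges recur across processes. In the list above the 0x400000-0x412000 range (72 KiB) is dumped from all three dropped executables (2368, 2488, 2228), and 2368 and 2228 each carry a private region of exactly the same size (0x10BA000 bytes, about 17 MiB) at different bases. The sample names are copied from the list above; reading a shared base and size as "the same image" is the editor's interpretation and should be confirmed by hashing the dump contents.

```python
"""Tabulate the memory dump names a sandbox report lists for each process.

Added example, not part of the sandbox report. The names below are copied from
the behavioral1 Files list; reading a shared base/size as "the same image" is
the editor's interpretation and should be confirmed by hashing the dumps.
"""
import re
from collections import Counter, defaultdict

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(names):
    """Return {pid: Counter{(start, end): number of times that range was dumped}}."""
    regions = defaultdict(Counter)
    for name in names:
        m = DUMP_RE.match(name.strip())
        if m:
            regions[int(m["pid"])][(int(m["start"], 16), int(m["end"], 16))] += 1
    return regions


def region_table(regions):
    """Rows of (pid, start, end, size in KiB, dump count), sorted by pid then address."""
    rows = []
    for pid in sorted(regions):
        for (start, end), count in sorted(regions[pid].items()):
            rows.append((pid, f"0x{start:08X}", f"0x{end:08X}", (end - start) // 1024, count))
    return rows


def shared_regions(regions, min_pids=2):
    """Address ranges dumped from at least min_pids processes: same base and same size."""
    seen = defaultdict(set)
    for pid, regs in regions.items():
        for region in regs:
            seen[region].add(pid)
    return {region: sorted(pids) for region, pids in seen.items() if len(pids) >= min_pids}


def regions_by_size(regions):
    """Group regions by byte size so equally sized allocations in different PIDs stand out."""
    by_size = defaultdict(list)
    for pid, regs in regions.items():
        for start, end in regs:
            by_size[end - start].append((pid, start))
    return by_size


# Names copied from the report's behavioral1 Files list.
SAMPLE_DUMPS = [
    "memory/2368-11-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/1520-4-0x0000000010000000-0x0000000010020000-memory.dmp",
    "memory/2368-14-0x00000000006C0000-0x000000000177A000-memory.dmp",
    "memory/2368-16-0x00000000006C0000-0x000000000177A000-memory.dmp",
    "memory/2488-61-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/2228-82-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/2228-166-0x0000000000930000-0x00000000019EA000-memory.dmp",
]

if __name__ == "__main__":
    regs = parse_dumps(SAMPLE_DUMPS)
    for pid, start, end, kib, count in region_table(regs):
        print(f"PID {pid} {start}-{end} {kib:7d} KiB x{count}")
    print("shared ranges:", shared_regions(regs))
    for size, where in regions_by_size(regs).items():
        if len(where) > 1:
            print(f"same size 0x{size:X} in", sorted(where))
```

Dump sequence numbers (the second field) order the snapshots in time, so repeated dumps of the same 0x6C0000-0x177A000 range in PID 2368 are the sandbox re-capturing a region that kept changing, which is the behaviour to expect from an unpacker or a region being written by the payload.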

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 07:25

Reported

2024-06-25 07:27

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (30 identical rows collapsed: the UPX signature fired but the report records no indicator, process or target for it)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5738e2 C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A (63 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 4248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2712 wrote to memory of 4248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2712 wrote to memory of 4248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 1428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 4248 wrote to memory of 1428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 4248 wrote to memory of 1428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 1428 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\fontdrvhost.exe
PID 1428 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\fontdrvhost.exe
PID 1428 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\dwm.exe
PID 1428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\sihost.exe
PID 1428 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\svchost.exe
PID 1428 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\taskhostw.exe
PID 1428 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\Explorer.EXE
PID 1428 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\svchost.exe
PID 1428 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\DllHost.exe
PID 1428 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1428 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1428 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1428 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1428 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1428 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\rundll32.exe
PID 1428 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SysWOW64\rundll32.exe
PID 1428 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 4368 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5739ad.exe
PID 4248 wrote to memory of 4368 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5739ad.exe
PID 4248 wrote to memory of 4368 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5739ad.exe
PID 4248 wrote to memory of 2028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57597a.exe
PID 4248 wrote to memory of 2028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57597a.exe
PID 4248 wrote to memory of 2028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57597a.exe
PID 4248 wrote to memory of 3236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57598a.exe
PID 4248 wrote to memory of 3236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57598a.exe
PID 4248 wrote to memory of 3236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57598a.exe
PID 1428 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\fontdrvhost.exe
PID 1428 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\fontdrvhost.exe
PID 1428 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\dwm.exe
PID 1428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\sihost.exe
PID 1428 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\svchost.exe
PID 1428 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\taskhostw.exe
PID 1428 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\Explorer.EXE
PID 1428 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\svchost.exe
PID 1428 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\DllHost.exe
PID 1428 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1428 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1428 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1428 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1428 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Users\Admin\AppData\Local\Temp\e5739ad.exe
PID 1428 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Users\Admin\AppData\Local\Temp\e5739ad.exe
PID 1428 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Windows\System32\RuntimeBroker.exe
PID 1428 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Users\Admin\AppData\Local\Temp\e57597a.exe
PID 1428 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Users\Admin\AppData\Local\Temp\e57597a.exe
PID 1428 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Users\Admin\AppData\Local\Temp\e57598a.exe
PID 1428 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe C:\Users\Admin\AppData\Local\Temp\e57598a.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4087b2959336541849b505ff74668721581b2516338e6dd1e3d0936cfefc24c1_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573885.exe

C:\Users\Admin\AppData\Local\Temp\e573885.exe

C:\Users\Admin\AppData\Local\Temp\e5739ad.exe

C:\Users\Admin\AppData\Local\Temp\e5739ad.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57597a.exe

C:\Users\Admin\AppData\Local\Temp\e57597a.exe

C:\Users\Admin\AppData\Local\Temp\e57598a.exe

C:\Users\Admin\AppData\Local\Temp\e57598a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4248-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e573885.exe

MD5 ca49bf7be69d4915d3139b313dcf018b
SHA1 5876798d5490c767599fc929175176c58fcbf901
SHA256 68a7c4367fdc8197405c81acd50ff6e3375e3f2bc36c107228ca342bfb933349
SHA512 adc272f1559a038c3d1bbbe2af2842ff717368ff3f7a72766f472bc6846a269ac5ea2a55dff2c2de31781a87d745fc6b8483ba6fe586956c0efa598e221c0737

memory/1428-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1428-8-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-10-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-12-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-20-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-29-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-30-0x0000000000880000-0x000000000193A000-memory.dmp

memory/4248-28-0x0000000000F20000-0x0000000000F22000-memory.dmp

memory/1428-27-0x0000000000670000-0x0000000000672000-memory.dmp

memory/4368-26-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1428-25-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-23-0x0000000000670000-0x0000000000672000-memory.dmp

memory/1428-11-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-9-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-17-0x0000000001B80000-0x0000000001B81000-memory.dmp

memory/4248-15-0x0000000004340000-0x0000000004341000-memory.dmp

memory/4248-14-0x0000000000F20000-0x0000000000F22000-memory.dmp

memory/4248-13-0x0000000000F20000-0x0000000000F22000-memory.dmp

memory/1428-21-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-37-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-36-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-38-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-39-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-40-0x0000000000880000-0x000000000193A000-memory.dmp

memory/2028-48-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3236-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1428-55-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-56-0x0000000000880000-0x000000000193A000-memory.dmp

memory/4368-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4368-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2028-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2028-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3236-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3236-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4368-66-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3236-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2028-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1428-70-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-71-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-73-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-75-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-76-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-78-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-82-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-83-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-84-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-85-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-86-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-92-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-93-0x0000000000880000-0x000000000193A000-memory.dmp

memory/1428-102-0x0000000000670000-0x0000000000672000-memory.dmp

memory/1428-112-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4368-116-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2028-120-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3236-124-0x0000000000400000-0x0000000000412000-memory.dmp