Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19/03/2024, 08:25

Static task: static1
Behavioral task: behavioral1
Sample: 9ba747519b1bfdc6aa7c4fb9bf7222ebd0c23ea19b3ce392d4c638e1d4e1f023.dll
Resource: win7-20240221-en
General
- Target: 9ba747519b1bfdc6aa7c4fb9bf7222ebd0c23ea19b3ce392d4c638e1d4e1f023.dll
- Size: 120KB
- MD5: a658c126edb566d99545aa49ee5b7939
- SHA1: 15558004f16df732f9f1c2ffa5a2894730251e3f
- SHA256: 9ba747519b1bfdc6aa7c4fb9bf7222ebd0c23ea19b3ce392d4c638e1d4e1f023
- SHA512: e9804dec891b85205d4e256827d8510752ae1388b2d95b1c2662a8c8fa65ec92bdfe2ef9723ab112daf55d9937af2c44e1b27762ae80b15d773e1c3445bbb0df
- SSDEEP: 1536:QFdLbDDfA7qphEXlelnJ8kr+1U5ILn534mW4FE0ut5xO:QfDfACEVwnJlr+y5yp47cEjtz
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: f765a21.exe)
UAC bypass (2 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: f765a21.exe)
Windows security bypass (12 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: f765a21.exe)
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (22 IoCs)
yara_rule INDICATOR_EXE_Packed_SimplePolyEngine matched in the following resources:
- behavioral1/memory/2708-10-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-14-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-15-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-18-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-22-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-27-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-49-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-51-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-56-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-61-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-62-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-63-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-64-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-80-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-81-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-82-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-84-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-86-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-105-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-143-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2112-151-0x0000000000900000-0x00000000019BA000-memory.dmp
- behavioral1/memory/2112-185-0x0000000000900000-0x00000000019BA000-memory.dmp
UPX dump on OEP (original entry point) (27 IoCs)
yara_rule UPX matched in the following resources:
- behavioral1/memory/2708-11-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2708-10-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-14-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-15-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-18-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-22-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-27-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2836-48-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2708-49-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-51-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-56-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-61-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-62-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-63-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-64-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2112-78-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2708-80-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-81-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-82-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-84-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-86-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-105-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-143-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2836-147-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2112-151-0x0000000000900000-0x00000000019BA000-memory.dmp
- behavioral1/memory/2112-185-0x0000000000900000-0x00000000019BA000-memory.dmp
- behavioral1/memory/2112-186-0x0000000000400000-0x0000000000412000-memory.dmp
Executes dropped EXE (3 IoCs)
pid / process:
- 2708 f763e58.exe
- 2836 f7649cc.exe
- 2112 f765a21.exe
Loads dropped DLL (6 IoCs)
pid / process:
- 2336 rundll32.exe (6 occurrences)
YARA rule upx matches (22 IoCs)
yara_rule upx matched in the following resources:
- behavioral1/memory/2708-10-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-14-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-15-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-18-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-22-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-27-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-49-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-51-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-56-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-61-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-62-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-63-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-64-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-80-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-81-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-82-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-84-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-86-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-105-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2708-143-0x0000000000690000-0x000000000174A000-memory.dmp
- behavioral1/memory/2112-151-0x0000000000900000-0x00000000019BA000-memory.dmp
- behavioral1/memory/2112-185-0x0000000000900000-0x00000000019BA000-memory.dmp
Windows security modification (14 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: f765a21.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: f763e58.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: f765a21.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: f763e58.exe)
Checks whether UAC is enabled (2 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: f765a21.exe)
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / process:
- File opened (read-only) \??\L: (process: f763e58.exe)
- File opened (read-only) \??\M: (process: f763e58.exe)
- File opened (read-only) \??\O: (process: f763e58.exe)
- File opened (read-only) \??\E: (process: f763e58.exe)
- File opened (read-only) \??\H: (process: f763e58.exe)
- File opened (read-only) \??\I: (process: f763e58.exe)
- File opened (read-only) \??\K: (process: f763e58.exe)
- File opened (read-only) \??\G: (process: f763e58.exe)
- File opened (read-only) \??\J: (process: f763e58.exe)
- File opened (read-only) \??\N: (process: f763e58.exe)
Drops file in Windows directory (3 IoCs)
description / ioc / process:
- File created C:\Windows\f763f51 (process: f763e58.exe)
- File opened for modification C:\Windows\SYSTEM.INI (process: f763e58.exe)
- File created C:\Windows\f769f7a (process: f765a21.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / process:
- 2708 f763e58.exe (2 occurrences)
- 2112 f765a21.exe
Suspicious use of AdjustPrivilegeToken (41 IoCs)
description / pid / process:
- Token: SeDebugPrivilege, pid 2708, f763e58.exe (21 occurrences)
- Token: SeDebugPrivilege, pid 2112, f765a21.exe (20 occurrences)
Suspicious use of WriteProcessMemory (36 IoCs)
description / pid / process / procid_target:
- PID 2148 wrote to memory of 2336 (pid 2148, rundll32.exe, target 28) (7 occurrences)
- PID 2336 wrote to memory of 2708 (pid 2336, rundll32.exe, target 29) (4 occurrences)
- PID 2708 wrote to memory of 1120 (pid 2708, f763e58.exe, target 19)
- PID 2708 wrote to memory of 1188 (pid 2708, f763e58.exe, target 20)
- PID 2708 wrote to memory of 1252 (pid 2708, f763e58.exe, target 21)
- PID 2708 wrote to memory of 1216 (pid 2708, f763e58.exe, target 23)
- PID 2708 wrote to memory of 2148 (pid 2708, f763e58.exe, target 27)
- PID 2708 wrote to memory of 2336 (pid 2708, f763e58.exe, target 28) (2 occurrences)
- PID 2336 wrote to memory of 2836 (pid 2336, rundll32.exe, target 30) (4 occurrences)
- PID 2336 wrote to memory of 2112 (pid 2336, rundll32.exe, target 31) (4 occurrences)
- PID 2708 wrote to memory of 1120 (pid 2708, f763e58.exe, target 19)
- PID 2708 wrote to memory of 1188 (pid 2708, f763e58.exe, target 20)
- PID 2708 wrote to memory of 1252 (pid 2708, f763e58.exe, target 21)
- PID 2708 wrote to memory of 2836 (pid 2708, f763e58.exe, target 30) (2 occurrences)
- PID 2708 wrote to memory of 2112 (pid 2708, f763e58.exe, target 31) (2 occurrences)
- PID 2112 wrote to memory of 1120 (pid 2112, f765a21.exe, target 19)
- PID 2112 wrote to memory of 1188 (pid 2112, f765a21.exe, target 20)
- PID 2112 wrote to memory of 1252 (pid 2112, f765a21.exe, target 21)
System policy modification (1 TTPs, 2 IoCs)
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: f763e58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: f765a21.exe)
Processes
(image path, then command line and PID; child processes are indented under their parent)
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"; PID 1120)
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"; PID 1188)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE; PID 1252)
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ba747519b1bfdc6aa7c4fb9bf7222ebd0c23ea19b3ce392d4c638e1d4e1f023.dll,#1; PID 2148)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ba747519b1bfdc6aa7c4fb9bf7222ebd0c23ea19b3ce392d4c638e1d4e1f023.dll,#1; PID 2336)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f763e58.exe (command line: C:\Users\Admin\AppData\Local\Temp\f763e58.exe; PID 2708)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f7649cc.exe (command line: C:\Users\Admin\AppData\Local\Temp\f7649cc.exe; PID 2836)
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f765a21.exe (command line: C:\Users\Admin\AppData\Local\Temp\f765a21.exe; PID 2112)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}; PID 1216)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 8c3b9e6868a00c7666e549f1f85d6106
  SHA1: 0203ebb4c7bfcd2491a1e73d2692de3636a8c120
  SHA256: 11c1f7a107979cfe8e24a33c8eeb281656a2f615e4d4d480f05d81e95d7b51ae
  SHA512: dd27c341e3c8ac33e65d420e6feaee651bfe6b145ce1d4abe035f201879b24a97593903e3082f685f3a15b38d0a212f04119214e3c97cb93e1375a29af0d4fb8
- Filesize: 97KB
  MD5: 47cfdb963ab522973d05a7b09e07dfbf
  SHA1: d4492681fbebe742d22dcee9e65ff8b84bf461d4
  SHA256: ab4011c02b7de1e5c13191d4a88217a6f43e79d3549d87c9aec3996600a92340
  SHA512: a57c407de329d7005a2a93e5c4c90d33befedc9b1176121c40412cb6a4e22d77e60119c674c1b9c68c4aabfc9bb33715fec9a16a15b0d87ddeb4213a0313eb71