Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-03-2024 20:26

Static task: static1
Behavioral task: behavioral1
  Sample: 6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac.dll
  Resource: win7-20240221-en

General

Target: 6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac.dll
Size: 120KB
MD5: 36eae6416ac6cb365c05bc7a22484539
SHA1: 2146d672184a2c013d19028a1a88c4f341bad40e
SHA256: 6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac
SHA512: 07c91fb844cc81a6ccfd45723f4e2b38cd79db80aa06fcaa12573772b64c995e31d9ea863b8aa82269b4dce9fb9348a24492b8989174811e8e764acc5dcdb3f9
SSDEEP: 3072:RFEkfFmQpZykF2lqAXu+0bloQmzkQC5BZlHW3eyH:RC48Qpgm2lTP0b2QtPHy
Malware Config

Extracted family: sality
URLs from the extracted config:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process e575c39.exe:
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass (1 IoC)
Process e575c39.exe:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass (6 IoCs)
Process e575c39.exe:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (21 IoCs)
yara rule INDICATOR_EXE_Packed_SimplePolyEngine matched 21 dumps of one region of e575c39.exe (pid 3924), 0x0000000000780000-0x000000000183A000:
  behavioral2/memory/3924-{6,8,9,10,18,29,30,31,32,33,35,36,37,38,56,57,59,62,68,70,74}-0x0000000000780000-0x000000000183A000-memory.dmp
UPX dump on OEP (original entry point) (25 IoCs)
yara rule UPX matched:
  behavioral2/memory/3924-{6,8,9,10,18,29,30,31,32,33,35,36,37,38,56,57,59,62,68,70,74}-0x0000000000780000-0x000000000183A000-memory.dmp   (21 dumps, e575c39.exe)
  behavioral2/memory/3924-94-0x0000000000400000-0x0000000000412000-memory.dmp   (e575c39.exe)
  behavioral2/memory/1928-95-0x0000000000400000-0x0000000000412000-memory.dmp   (e575ff2.exe)
  behavioral2/memory/4672-47-0x0000000000400000-0x0000000000412000-memory.dmp   (e5787fc.exe)
  behavioral2/memory/4672-99-0x0000000000400000-0x0000000000412000-memory.dmp   (e5787fc.exe)
Executes dropped EXE (3 IoCs)
  pid 3924  e575c39.exe
  pid 1928  e575ff2.exe
  pid 4672  e5787fc.exe
UPX packed file (21 IoCs)
yara rule upx matched 21 dumps of one region of e575c39.exe (pid 3924), 0x0000000000780000-0x000000000183A000:
  behavioral2/memory/3924-{6,8,9,10,18,29,30,31,32,33,35,36,37,38,56,57,59,62,68,70,74}-0x0000000000780000-0x000000000183A000-memory.dmp
Windows security modification (7 IoCs)
Process e575c39.exe:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Checks whether UAC is enabled (1 IoC)
Process e575c39.exe:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process e575c39.exe:
  File opened (read-only)  \??\E:
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\K:
Drops file in Windows directory (2 IoCs)
Process e575c39.exe:
  File created                   C:\Windows\e575da1
  File opened for modification   C:\Windows\SYSTEM.INI
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3924  e575c39.exe  (4 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  pid 3924  e575c39.exe  (64 events)
Suspicious use of WriteProcessMemory (54 IoCs)
Each line is one "PID <src> wrote to memory of <dst>" event, in report order; consecutive repeats are collapsed with a count.
  3172 rundll32.exe  -> 3116 rundll32.exe                (x3)
  3116 rundll32.exe  -> 3924 e575c39.exe                 (x3)
  3924 e575c39.exe   -> 796  fontdrvhost.exe
  3924 e575c39.exe   -> 804  fontdrvhost.exe
  3924 e575c39.exe   -> 336  dwm.exe
  3924 e575c39.exe   -> 2524 sihost.exe
  3924 e575c39.exe   -> 2568 svchost.exe
  3924 e575c39.exe   -> 2812 taskhostw.exe
  3924 e575c39.exe   -> 3408 Explorer.EXE
  3924 e575c39.exe   -> 3540 svchost.exe
  3924 e575c39.exe   -> 3764 DllHost.exe
  3924 e575c39.exe   -> 3864 StartMenuExperienceHost.exe
  3924 e575c39.exe   -> 3976 RuntimeBroker.exe
  3924 e575c39.exe   -> 4056 SearchApp.exe
  3924 e575c39.exe   -> 4136 RuntimeBroker.exe
  3924 e575c39.exe   -> 4836 TextInputHost.exe
  3924 e575c39.exe   -> 1844 RuntimeBroker.exe
  3924 e575c39.exe   -> 2488 backgroundTaskHost.exe
  3924 e575c39.exe   -> 3172 rundll32.exe
  3924 e575c39.exe   -> 3116 rundll32.exe                (x2)
  3116 rundll32.exe  -> 1928 e575ff2.exe                 (x3)
  3924 e575c39.exe   -> 412  BackgroundTaskHost.exe
  3116 rundll32.exe  -> 4672 e5787fc.exe                 (x3)
  3924 e575c39.exe   -> the 17 processes from 796 fontdrvhost.exe through 3172 rundll32.exe again, once each, in the same order
  3924 e575c39.exe   -> 1928 e575ff2.exe                 (x2)
  3924 e575c39.exe   -> 4028 RuntimeBroker.exe
  3924 e575c39.exe   -> 4672 e5787fc.exe                 (x2)
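Read as a graph rather than as 54 flat rows, the WriteProcessMemory list separates two things: the launch chain (rundll32.exe in system32 spawning its SysWOW64 counterpart, which spawns the three dropped executables) and the injection sweep in which e575c39.exe writes into nearly every process in the session. The script below is an added example written for this report, not part of the sandbox output; it parses rows in the report's own format, rebuilds that graph and flags the fan-out. SAMPLE_LOG is an abridged subset of the report's rows (the PIDs and image names are the report's), constructed here so the script runs offline; feed it the full list for the complete picture.

```python
"""Turn "Suspicious use of WriteProcessMemory" rows into a process graph.

Added example for this report, not sandbox output. SAMPLE_LOG is an abridged,
constructed subset of the report's 54 rows in the report's own row format."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    src: int
    src_image: str
    dst: int
    dst_image: str


# Row format: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)

SAMPLE_LOG = """\
PID 3172 wrote to memory of 3116 3172 rundll32.exe rundll32.exe
PID 3116 wrote to memory of 3924 3116 rundll32.exe e575c39.exe
PID 3924 wrote to memory of 796 3924 e575c39.exe fontdrvhost.exe
PID 3924 wrote to memory of 336 3924 e575c39.exe dwm.exe
PID 3924 wrote to memory of 2568 3924 e575c39.exe svchost.exe
PID 3924 wrote to memory of 3408 3924 e575c39.exe Explorer.EXE
PID 3924 wrote to memory of 3976 3924 e575c39.exe RuntimeBroker.exe
PID 3924 wrote to memory of 3172 3924 e575c39.exe rundll32.exe
PID 3116 wrote to memory of 1928 3116 rundll32.exe e575ff2.exe
PID 3116 wrote to memory of 4672 3116 rundll32.exe e5787fc.exe
PID 3924 wrote to memory of 796 3924 e575c39.exe fontdrvhost.exe
PID 3924 wrote to memory of 1928 3924 e575c39.exe e575ff2.exe
"""


def parse_events(text: str) -> List[Event]:
    """Parse rows in report order; lines that are not rows are ignored."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(Event(int(m["src"]), m["src_image"],
                                int(m["dst"]), m["dst_image"]))
    return events


def distinct_targets(events: List[Event], pid: int) -> List[Tuple[int, str]]:
    """Every process `pid` wrote into, once each, in first-seen order."""
    seen: Dict[int, str] = {}
    for e in events:
        if e.src == pid and e.dst not in seen:
            seen[e.dst] = e.dst_image
    return list(seen.items())


def injection_fanout(events: List[Event], min_targets: int = 4) -> List[Tuple[int, str, int]]:
    """Writers that touched at least `min_targets` distinct processes.

    A parent writing into the child it just spawned is normal (rundll32 ->
    e575c39.exe here); one process writing into many unrelated system
    processes is the injection sweep and is what this flags."""
    images = {e.src: e.src_image for e in events}
    hits = [(pid, images[pid], len(distinct_targets(events, pid))) for pid in images]
    return sorted([h for h in hits if h[2] >= min_targets], key=lambda h: -h[2])


def dropper_chain(events: List[Event], pid: int) -> List[int]:
    """Walk from `pid` back to the process that wrote into it before `pid`
    itself did anything (a launch-time write, i.e. its spawner), and repeat.

    The ordering test matters: e575c39.exe later writes back into both
    rundll32 instances, so "any writer" would loop. A seen-set guards
    against true cycles as well."""
    first_act: Dict[int, int] = {}
    for i, e in enumerate(events):
        first_act.setdefault(e.src, i)
    chain, seen = [pid], {pid}
    while True:
        cur = chain[-1]
        cutoff = first_act.get(cur, len(events))
        parent: Optional[int] = next(
            (e.src for i, e in enumerate(events) if e.dst == cur and i < cutoff), None)
        if parent is None or parent in seen:
            return chain
        chain.append(parent)
        seen.add(parent)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for pid, image, n in injection_fanout(ev):
        print(f"{image} (pid {pid}) wrote into {n} distinct processes:")
        for dst, dst_image in distinct_targets(ev, pid):
            print(f"    -> {dst_image} (pid {dst})")
    print("launch chain of 3924:", " <- ".join(map(str, dropper_chain(ev, 3924))))
```

On the abridged sample the fan-out check reports only e575c39.exe (pid 3924); on the full list it reaches 22 distinct targets, which is the signal to alert on. The chain walk needs the "before it acted" cutoff because pid 3924 writes back into pids 3172 and 3116 later in the log.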
System policy modification (1 TTPs, 1 IoC)
Process e575c39.exe:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
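The registry signatures above (firewall policy, EnableLUA, Security Center overrides) are the values to audit on any host where this DLL was loaded. The script below is an added example written for this report, not sandbox output: assess() is a pure check over a {(key path, value name): value} map, so it runs anywhere, and OBSERVED_FROM_REPORT is that map constructed from the IoCs listed above. read_live_values() builds the same map on a Windows host with the standard-library winreg module (assumed to be run with rights to read HKLM; nothing is written). Two assumptions are labelled in the code: ControlSet001 is folded into CurrentControlSet, and the "expected" values are those of a stock Windows 10 host, with an absent value counting as the default.

```python
"""Assess the defence-impairment registry writes recorded in this report.

Added example for this report, not sandbox output. assess() is pure; the
observed map below is constructed from the report's IoCs (e575c39.exe)."""
from typing import Dict, List, NamedTuple, Tuple


class Check(NamedTuple):
    path: str       # HKLM-relative key path in its native (non-WOW64) form
    name: str       # value name
    expected: int   # stock Windows 10 value (assumption); absent counts as expected
    effect: str     # what the tampered value does


FW = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
UAC = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SC = r"SOFTWARE\Microsoft\Security Center"

CHECKS: List[Check] = [
    Check(FW, "EnableFirewall", 1, "Windows Firewall off for the standard profile"),
    Check(FW, "DoNotAllowExceptions", 0, "shields-up mode; 0 is the default, so never flagged"),
    Check(FW, "DisableNotifications", 0, "firewall block notifications suppressed"),
    Check(UAC, "EnableLUA", 1, "UAC disabled (effective after reboot)"),
    Check(SC, "FirewallOverride", 0, "Security Center firewall monitoring overridden"),
    Check(SC, "AntiVirusOverride", 0, "Security Center antivirus monitoring overridden"),
    Check(SC, "FirewallDisableNotify", 0, "Security Center firewall alerts suppressed"),
    Check(SC, "AntiVirusDisableNotify", 0, "Security Center antivirus alerts suppressed"),
    Check(SC, "UpdatesDisableNotify", 0, "Security Center update alerts suppressed"),
    Check(SC, "UacDisableNotify", 0, "Security Center UAC alerts suppressed"),
]


class Finding(NamedTuple):
    path: str
    name: str
    observed: int
    expected: int
    effect: str
    wow64: bool     # True if the write landed in the 32-bit view (WOW6432Node)


def canonical(path: str) -> Tuple[str, bool]:
    """Strip the sandbox/HKLM prefix, fold ControlSet001 into CurrentControlSet
    (assumption: that is the set HKLM\\SYSTEM\\Select\\Current points at, as on
    a fresh image) and note whether the path went through WOW6432Node."""
    p = path
    for prefix in ("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\", "HKLM\\"):
        if p.upper().startswith(prefix):
            p = p[len(prefix):]
    p = p.replace("ControlSet001", "CurrentControlSet")
    i = p.upper().find("\\WOW6432NODE")
    if i >= 0:
        p = p[:i] + p[i + len("\\WOW6432NODE"):]
    return p, i >= 0


def assess(observed: Dict[Tuple[str, str], int]) -> List[Finding]:
    """One Finding per checked value that is present and differs from expected."""
    wanted = {(c.path.lower(), c.name.lower()): c for c in CHECKS}
    findings = []
    for (raw_path, name), value in observed.items():
        path, wow64 = canonical(raw_path)
        c = wanted.get((path.lower(), name.lower()))
        if c is not None and int(value) != c.expected:
            findings.append(Finding(path, c.name, int(value), c.expected, c.effect, wow64))
    return findings


def read_live_values() -> Dict[Tuple[str, str], int]:
    """Windows only: read each check from the native 64-bit view and, for
    HKLM\\SOFTWARE keys, from the 32-bit view too (keyed under WOW6432Node)."""
    import winreg  # imported here so the module still loads on other platforms
    out: Dict[Tuple[str, str], int] = {}
    for c in CHECKS:
        views = [(c.path, winreg.KEY_WOW64_64KEY)]
        if c.path.upper().startswith("SOFTWARE\\"):
            views.append(("SOFTWARE\\WOW6432Node" + c.path[len("SOFTWARE"):], winreg.KEY_WOW64_32KEY))
        for shown_path, flag in views:
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, c.path, 0, winreg.KEY_READ | flag) as key:
                    out[(shown_path, c.name)] = winreg.QueryValueEx(key, c.name)[0]
            except OSError:
                pass  # key or value absent: the default applies, nothing to report
    return out


# Constructed from the registry IoCs in this report (e575c39.exe, pid 3924).
_FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_UAC = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
_SC = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"
OBSERVED_FROM_REPORT: Dict[Tuple[str, str], int] = {
    (_FW, "EnableFirewall"): 0, (_FW, "DoNotAllowExceptions"): 0, (_FW, "DisableNotifications"): 1,
    (_UAC, "EnableLUA"): 0,
    (_SC, "FirewallOverride"): 1, (_SC, "UpdatesDisableNotify"): 1, (_SC, "UacDisableNotify"): 1,
    (_SC, "AntiVirusOverride"): 1, (_SC, "AntiVirusDisableNotify"): 1, (_SC, "FirewallDisableNotify"): 1,
}

if __name__ == "__main__":
    for f in assess(OBSERVED_FROM_REPORT):
        view = "32-bit view only" if f.wow64 else "native"
        print(f"{f.name}={f.observed} (expected {f.expected}, {view}): {f.effect}")
```

The wow64 flag is the caveat worth knowing. All six Security Center writes in this report went to SOFTWARE\WOW6432Node, i.e. the 32-bit e575c39.exe was redirected, and the 64-bit Security Center service on this x64 image reads the native key, so those overrides are most likely ineffective here. The firewall policy values live under the SYSTEM hive, which is not redirected, and the Policies\System key is shared between the two views (the report itself shows EnableLUA written to the native path), so those two writes do land where Windows reads them; EnableLUA=0 only takes effect after a reboot.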
Processes

Depth markers from the report are kept as [n]; a deeper entry is a child of the nearest shallower entry above it.

[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
[1] C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
[1] C:\Windows\system32\sihost.exe
    cmdline: sihost.exe
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    [2] C:\Windows\system32\rundll32.exe
        cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac.dll,#1
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe
            cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac.dll,#1
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\e575c39.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\e575c39.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] C:\Users\Admin\AppData\Local\Temp\e575ff2.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\e575ff2.exe
                - Executes dropped EXE
            [4] C:\Users\Admin\AppData\Local\Temp\e5787fc.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\e5787fc.exe
                - Executes dropped EXE
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
[1] C:\Windows\system32\BackgroundTaskHost.exe
    cmdline: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

Note: the 64-bit C:\Windows\system32\rundll32.exe cannot load a 32-bit DLL itself, so it re-launches the same command line through C:\Windows\SysWOW64\rundll32.exe; that second instance (pid 3116 in the WriteProcessMemory list) is the one that starts the three dropped executables. The sample is 32-bit (resource tag arch:x86, and it is mapped at 0x10000000 in pid 3116).
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Modify Registry (5)
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
Downloads

C:\Users\Admin\AppData\Local\Temp\e575c39.exe
  Filesize: 97KB
  MD5: 31e569cda6fbc584573f924788810d7a
  SHA1: a6097df8abc417bf3a1b55722cdb5b79cd50e508
  SHA256: 67eddb6ad3e12fda050ae63c1adba55432034d47c639628252217674068babe5
  SHA512: 6fc2f8f9699364180711120f2b439a7678f979b7cf33bdbbac29ff9368778be2ff095d429b8bee00ec290d408f8e395ae66d14b9cb0d043f846b134cb5e5af47

Memory dumps (file names follow memory/<pid>-<dump index>-<start>-<end>-memory.dmp; grouped here by pid and region)
  memory/1928 (e575ff2.exe)
    0x00000000001E0000-0x00000000001E2000   8KB      dumps 54, 91
    0x00000000001F0000-0x00000000001F1000   4KB      dump 49
    0x0000000000400000-0x0000000000412000   72KB     dump 95
  memory/3116 (rundll32.exe, SysWOW64)
    0x0000000004420000-0x0000000004422000   8KB      dumps 11, 12, 15, 45
    0x0000000004550000-0x0000000004551000   4KB      dump 13
    0x0000000010000000-0x0000000010020000   128KB    dump 1
  memory/3924 (e575c39.exe)
    0x0000000000400000-0x0000000000412000   72KB     dumps 4, 94
    0x0000000000780000-0x000000000183A000   16.7MB   dumps 6, 8, 9, 10, 18, 29, 30, 31, 32, 33, 35, 36, 37, 38, 56, 57, 59, 62, 68, 70, 74
    0x0000000001A30000-0x0000000001A32000   8KB      dumps 28, 84
    0x0000000003D30000-0x0000000003D31000   4KB      dump 20
  memory/4672 (e5787fc.exe)
    0x00000000001E0000-0x00000000001E2000   8KB      dumps 53, 55, 96
    0x00000000001F0000-0x00000000001F1000   4KB      dump 51
    0x0000000000400000-0x0000000000412000   72KB     dumps 47, 99