Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-04-2024 03:36

Static task: static1
Behavioral task: behavioral1
Sample: ed4639d11e94e1e5933123e72eda02f90dd170c24bec6357e5091a9b3023f022.dll
Resource: win7-20240221-en
General
Target: ed4639d11e94e1e5933123e72eda02f90dd170c24bec6357e5091a9b3023f022.dll
Size: 120KB
MD5: 1aa36431d4095ee82e897e958eb09cbe
SHA1: c441807396920bcf3f7eb56632c98e3c3984d57d
SHA256: ed4639d11e94e1e5933123e72eda02f90dd170c24bec6357e5091a9b3023f022
SHA512: 43a5ff841e1f6eb889489cab22272d2b100e8a20108dbafab06158ef8fab72a45bbd64da941bf6b13f94f67113303f4a0bac79d5b42b86f0b0b64f433198c90d
SSDEEP: 3072:N7g5I9+IY85PCN1n0l8OfElzsjojNM9VLFDMGD:lge9ilT0l9fEeUjNIVL2
Malware Config
Extracted
family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  2 TTPs  6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7659a4.exe

UAC bypass  2 IoCs  (signature name recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767475.exe

Windows security bypass  12 IoCs  (signature name recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7659a4.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality  24 IoCs
resource | yara_rule
behavioral1/memory/2248-13-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-15-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-16-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-19-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-22-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-25-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-30-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-38-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-53-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-57-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-60-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-63-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-64-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-76-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-80-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-82-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-83-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-84-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-89-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-99-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-108-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2248-138-0x00000000006D0000-0x000000000178A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2968-142-0x0000000000A80000-0x0000000001B3A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2968-156-0x0000000000A80000-0x0000000001B3A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point)  29 IoCs
resource | yara_rule
behavioral1/memory/2248-11-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2248-13-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-15-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-16-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-19-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-22-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-25-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-30-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-38-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2840-55-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2248-53-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-57-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-60-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-63-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-64-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2968-79-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2248-76-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-80-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-82-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-83-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-84-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-89-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-99-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-108-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2248-137-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2248-138-0x00000000006D0000-0x000000000178A000-memory.dmp | UPX
behavioral1/memory/2968-142-0x0000000000A80000-0x0000000001B3A000-memory.dmp | UPX
behavioral1/memory/2968-155-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2968-156-0x0000000000A80000-0x0000000001B3A000-memory.dmp | UPX
Executes dropped EXE  3 IoCs
pid | Process
2248 | f7659a4.exe
2840 | f7662d8.exe
2968 | f767475.exe

Loads dropped DLL  6 IoCs
pid | Process
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe

(signature name missing from the extracted page; yara rule: upx)  24 IoCs
resource | yara_rule
behavioral1/memory/2248-13-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-15-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-16-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-19-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-22-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-25-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-30-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-38-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-53-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-57-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-60-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-63-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-64-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-76-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-80-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-82-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-83-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-84-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-89-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-99-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-108-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2248-138-0x00000000006D0000-0x000000000178A000-memory.dmp | upx
behavioral1/memory/2968-142-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
behavioral1/memory/2968-156-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx

Windows security modification  14 IoCs  (signature name recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7659a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7659a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767475.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767475.exe

Checks whether UAC is enabled  2 IoCs  (signature name recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767475.exe
Enumerates connected drives  3 TTPs  7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | f7659a4.exe
File opened (read-only) | \??\E: | f7659a4.exe
File opened (read-only) | \??\G: | f7659a4.exe
File opened (read-only) | \??\H: | f7659a4.exe
File opened (read-only) | \??\I: | f7659a4.exe
File opened (read-only) | \??\J: | f7659a4.exe
File opened (read-only) | \??\K: | f7659a4.exe

Drops file in Windows directory  3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f7659a4.exe
File created | C:\Windows\f76c284 | f767475.exe
File created | C:\Windows\f765b78 | f7659a4.exe
Suspicious behavior: EnumeratesProcesses  3 IoCs
pid | Process
2248 | f7659a4.exe
2248 | f7659a4.exe
2968 | f767475.exe

Suspicious use of AdjustPrivilegeToken  41 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2248 | f7659a4.exe
Token: SeDebugPrivilege | 2968 | f767475.exe
(the two rows above are repeated verbatim on the page, 41 entries in total: first all entries for PID 2248, then all entries for PID 2968)

Suspicious use of WriteProcessMemory  36 IoCs
description | pid | Process | procid_target
PID 2056 wrote to memory of 2120 | 2056 | rundll32.exe | 28
PID 2056 wrote to memory of 2120 | 2056 | rundll32.exe | 28
PID 2056 wrote to memory of 2120 | 2056 | rundll32.exe | 28
PID 2056 wrote to memory of 2120 | 2056 | rundll32.exe | 28
PID 2056 wrote to memory of 2120 | 2056 | rundll32.exe | 28
PID 2056 wrote to memory of 2120 | 2056 | rundll32.exe | 28
PID 2056 wrote to memory of 2120 | 2056 | rundll32.exe | 28
PID 2120 wrote to memory of 2248 | 2120 | rundll32.exe | 29
PID 2120 wrote to memory of 2248 | 2120 | rundll32.exe | 29
PID 2120 wrote to memory of 2248 | 2120 | rundll32.exe | 29
PID 2120 wrote to memory of 2248 | 2120 | rundll32.exe | 29
PID 2248 wrote to memory of 1128 | 2248 | f7659a4.exe | 19
PID 2248 wrote to memory of 1212 | 2248 | f7659a4.exe | 20
PID 2248 wrote to memory of 1256 | 2248 | f7659a4.exe | 21
PID 2248 wrote to memory of 2036 | 2248 | f7659a4.exe | 23
PID 2248 wrote to memory of 2056 | 2248 | f7659a4.exe | 27
PID 2248 wrote to memory of 2120 | 2248 | f7659a4.exe | 28
PID 2248 wrote to memory of 2120 | 2248 | f7659a4.exe | 28
PID 2120 wrote to memory of 2840 | 2120 | rundll32.exe | 30
PID 2120 wrote to memory of 2840 | 2120 | rundll32.exe | 30
PID 2120 wrote to memory of 2840 | 2120 | rundll32.exe | 30
PID 2120 wrote to memory of 2840 | 2120 | rundll32.exe | 30
PID 2120 wrote to memory of 2968 | 2120 | rundll32.exe | 31
PID 2120 wrote to memory of 2968 | 2120 | rundll32.exe | 31
PID 2120 wrote to memory of 2968 | 2120 | rundll32.exe | 31
PID 2120 wrote to memory of 2968 | 2120 | rundll32.exe | 31
PID 2248 wrote to memory of 1128 | 2248 | f7659a4.exe | 19
PID 2248 wrote to memory of 1212 | 2248 | f7659a4.exe | 20
PID 2248 wrote to memory of 1256 | 2248 | f7659a4.exe | 21
PID 2248 wrote to memory of 2840 | 2248 | f7659a4.exe | 30
PID 2248 wrote to memory of 2840 | 2248 | f7659a4.exe | 30
PID 2248 wrote to memory of 2968 | 2248 | f7659a4.exe | 31
PID 2248 wrote to memory of 2968 | 2248 | f7659a4.exe | 31
PID 2968 wrote to memory of 1128 | 2968 | f767475.exe | 19
PID 2968 wrote to memory of 1212 | 2968 | f767475.exe | 20
PID 2968 wrote to memory of 1256 | 2968 | f767475.exe | 21

System policy modification  1 TTPs  2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7659a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767475.exe
Processes
(each entry: image path | command line | PID; child processes are indented under their parent)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID: 1128

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID: 1212

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 1256

C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed4639d11e94e1e5933123e72eda02f90dd170c24bec6357e5091a9b3023f022.dll,#1 | PID: 2056
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed4639d11e94e1e5933123e72eda02f90dd170c24bec6357e5091a9b3023f022.dll,#1 | PID: 2120
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\f7659a4.exe | C:\Users\Admin\AppData\Local\Temp\f7659a4.exe | PID: 2248
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    C:\Users\Admin\AppData\Local\Temp\f7662d8.exe | C:\Users\Admin\AppData\Local\Temp\f7662d8.exe | PID: 2840
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\f767475.exe | C:\Users\Admin\AppData\Local\Temp\f767475.exe | PID: 2968
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 2036
Network
MITRE ATT&CK Enterprise v15
(technique name followed by the number of matching signatures; sub-techniques indented under their parent technique)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: e0d336f7dd8567019460ead7c771f1ef
SHA1: c9a596a35246c195ad446bee603de028413546ff
SHA256: 45e67832eefd93cf69d7f7c10060d2d9eb4583de5722807732824d97c29acbc2
SHA512: 5239ea9ad133cb296802e6e57941220c8cbd0ea48ca4ed6e350a922da0c9cd59eaf08480ff95ae31f512b08122c7fec75fb2fbb7add975a9d9f10128bb9adff5

Filesize: 97KB
MD5: 3afed58391d4fea850133a93c70996e5
SHA1: 839b3cd416e9b15d73fb1edf79f3eb72216f26bb
SHA256: a337fdb93bf8c46679eda8f566c716b69a1cc855d0fcc6c58fe5333d6f48bf5d
SHA512: 50f1b27cda4e35f4ad9c535aa7b79e51ed3c0d9c43907051ea79ec734004bbba7e8b7e7a7500ee19b0fd7f2947d2d6e1d65141b4bc5752c0c443dae8068f39a4