Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 20:56
Static task: static1
Behavioral task: behavioral1
Sample: 192cc3439a33ba7992518cf85a8e439bbf566bdaf083d7528a67af9c65cdb998.dll
Resource: win7-20240221-en
Note: the signature, memory-dump and process data reproduced below are tagged behavioral2 and belong to the Windows 10 2004 x64 run named in the header; the behavioral1 (win7-20240221-en) results are not included on this page.
General
Target: 192cc3439a33ba7992518cf85a8e439bbf566bdaf083d7528a67af9c65cdb998.dll
Size: 120KB
MD5: 6152086b775886cba266927a0e32753b
SHA1: a1aa3a18a77b34805e73ab6af695618ae6f4781c
SHA256: 192cc3439a33ba7992518cf85a8e439bbf566bdaf083d7528a67af9c65cdb998
SHA512: a7af34073df9cc030c56cd6de9361043b71bed08580095be4ff31330a43f8d1258fb13cf2164633ef30bdf58009ccd0ca2fcbc1e846551b44d170d52b96e489e
SSDEEP: 1536:SUGCrOixYxh1t8wl682LdtX6Y4JQiSRYCno9NBoxx8QqrL7OaFvIc87c2:/GCt61+wsz3iQiSRJno9s8J/TvIc8
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e576949.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e576949.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e573be0.exe
UAC bypass 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576949.exe
Windows security bypass 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e576949.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
resource yara_rule
behavioral2/memory/948-N-0x0000000000800000-0x00000000018BA000-memory.dmp, N in {6, 8, 10, 11, 12, 25, 26, 32, 33, 36, 37, 38, 39, 40, 41, 47, 61, 62, 63, 66, 67, 69, 72, 73, 75, 76, 79} (27 dumps): INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3032-N-0x0000000000790000-0x000000000184A000-memory.dmp, N in {117, 161} (2 dumps): INDICATOR_EXE_Packed_SimplePolyEngine
UPX dump on OEP (original entry point) 35 IoCs
resource yara_rule
behavioral2/memory/948-N-0x0000000000800000-0x00000000018BA000-memory.dmp, N in {6, 8, 10, 11, 12, 25, 26, 32, 33, 36, 37, 38, 39, 40, 41, 47, 61, 62, 63, 66, 67, 69, 72, 73, 75, 76, 79} (27 dumps): UPX
behavioral2/memory/948-96-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
behavioral2/memory/888-N-0x0000000000400000-0x0000000000412000-memory.dmp, N in {35, 100} (2 dumps): UPX
behavioral2/memory/1416-N-0x0000000000400000-0x0000000000412000-memory.dmp, N in {60, 160} (2 dumps): UPX
behavioral2/memory/3032-N-0x0000000000790000-0x000000000184A000-memory.dmp, N in {117, 161} (2 dumps): UPX
behavioral2/memory/3032-156-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
Executes dropped EXE 4 IoCs
pid Process
948 e573be0.exe
888 e573cca.exe
3032 e576949.exe
1416 e576959.exe
Matches yara rule upx 29 IoCs
resource yara_rule
behavioral2/memory/948-N-0x0000000000800000-0x00000000018BA000-memory.dmp, N in {6, 8, 10, 11, 12, 25, 26, 32, 33, 36, 37, 38, 39, 40, 41, 47, 61, 62, 63, 66, 67, 69, 72, 73, 75, 76, 79} (27 dumps): upx
behavioral2/memory/3032-N-0x0000000000790000-0x000000000184A000-memory.dmp, N in {117, 161} (2 dumps): upx
Windows security modification 14 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e576949.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e573be0.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e576949.exe
Checks whether UAC is enabled 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576949.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573be0.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: e573be0.exe
File opened (read-only) \??\G: e573be0.exe
File opened (read-only) \??\H: e573be0.exe
File opened (read-only) \??\I: e573be0.exe
File opened (read-only) \??\J: e573be0.exe
File opened (read-only) \??\K: e573be0.exe
File opened (read-only) \??\L: e573be0.exe
File opened (read-only) \??\M: e573be0.exe
File opened (read-only) \??\N: e573be0.exe
File opened (read-only) \??\O: e573be0.exe
File opened (read-only) \??\E: e576949.exe
File opened (read-only) \??\G: e576949.exe
File opened (read-only) \??\H: e576949.exe
File opened (read-only) \??\I: e576949.exe
File opened (read-only) \??\J: e576949.exe
Drops file in Program Files directory 3 IoCs
description ioc Process
File opened for modification C:\Program Files\7-Zip\7z.exe e573be0.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe e573be0.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe e573be0.exe
Note: despite the signature name, these are existing executables opened for write, not new files. Since a Sality configuration was extracted from the sample and Sality is a PE file infector, treat these binaries as candidate infected files and compare their hashes against known-good copies rather than as dropped artifacts.
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\e573c2e e573be0.exe
File opened for modification C:\Windows\SYSTEM.INI e573be0.exe
File created C:\Windows\e5790b7 e576949.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
948 e573be0.exe (4 rows)
3032 e576949.exe (2 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 948 e573be0.exe (the same row repeated 64 times; no other process in the run adjusted a privilege)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4132 wrote to memory of 3420 4132 rundll32.exe 86 (3 rows)
PID 3420 wrote to memory of 948 3420 rundll32.exe 87 (3 rows)
PID 948 wrote to memory of 788 948 e573be0.exe 9
PID 948 wrote to memory of 792 948 e573be0.exe 10
PID 948 wrote to memory of 60 948 e573be0.exe 13
PID 948 wrote to memory of 3120 948 e573be0.exe 51
PID 948 wrote to memory of 3184 948 e573be0.exe 52
PID 948 wrote to memory of 3212 948 e573be0.exe 53
PID 948 wrote to memory of 3456 948 e573be0.exe 56
PID 948 wrote to memory of 3600 948 e573be0.exe 57
PID 948 wrote to memory of 3768 948 e573be0.exe 58
PID 948 wrote to memory of 3876 948 e573be0.exe 59
PID 948 wrote to memory of 3936 948 e573be0.exe 60
PID 948 wrote to memory of 4036 948 e573be0.exe 61
PID 948 wrote to memory of 2936 948 e573be0.exe 62
PID 948 wrote to memory of 900 948 e573be0.exe 75
PID 948 wrote to memory of 4316 948 e573be0.exe 76
PID 948 wrote to memory of 3884 948 e573be0.exe 83
PID 948 wrote to memory of 4756 948 e573be0.exe 84
PID 948 wrote to memory of 4132 948 e573be0.exe 85
PID 948 wrote to memory of 3420 948 e573be0.exe 86 (2 rows)
PID 3420 wrote to memory of 888 3420 rundll32.exe 88 (3 rows)
PID 948 wrote to memory of 788, 792, 60, 3120, 3184, 3212, 3456, 3600, 3768, 3876, 3936, 4036, 2936, 900, 4316, 3884, 4756 and 4132 a second time (procid_target 9, 10, 13, 51, 52, 53, 56, 57, 58, 59, 60, 61, 62, 75, 76, 83, 84, 85): 18 rows repeating the sequence above
PID 948 wrote to memory of 888 948 e573be0.exe 88 (2 rows)
PID 948 wrote to memory of 2564 948 e573be0.exe 90
PID 948 wrote to memory of 4072 948 e573be0.exe 91
PID 948 wrote to memory of 4416 948 e573be0.exe 92
PID 3420 wrote to memory of 3032 3420 rundll32.exe 98 (3 rows)
PID 3420 wrote to memory of 1416 3420 rundll32.exe 99 (3 rows)
PID 3032 wrote to memory of 788 3032 e576949.exe 9
PID 3032 wrote to memory of 792 3032 e576949.exe 10
PID 3032 wrote to memory of 60 3032 e576949.exe 13
PID 3032 wrote to memory of 3120 3032 e576949.exe 51
PID 3032 wrote to memory of 3184 3032 e576949.exe 52
PID 3032 wrote to memory of 3212 3032 e576949.exe 53
(identical consecutive rows are collapsed with their count; 64 rows in total)
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573be0.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576949.exe
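The registry tables above (firewall policy, EnableLUA, Security Center) are the evidence behind the UAC bypass, Windows security bypass and system policy signatures. The following is an added triage example written for this page; it is not part of the sandbox output or of any tool the report describes. It parses rows in the flattened form the report uses, folds the WOW6432Node redirection that a 32-bit process gets under HKLM\SOFTWARE back to the canonical key, and compares each write against an assumed baseline for a default Windows 10 host (the BASELINE table and its meanings are our assumption, not something the report states). The point it makes is that a row's presence in the signature table is not by itself a tamper: DoNotAllowExceptions = "0" is the default value and is left unflagged.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the signature tables above, in the
# flattened 'Set value (int) <key>\<name> = "<value>" <process>' form the
# report uses. A subset is enough to exercise every row shape.
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e576949.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e573be0.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e573be0.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573be0.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e576949.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e573be0.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e576949.exe',
    r'File opened (read-only) \??\J: e573be0.exe',  # not a registry row; must be skipped
]

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)
CREATE_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+?) (?P<process>\S+)$')

# Assumed baseline for a default Windows 10 host (our assumption, not taken from
# the report): value name -> (value that keeps the control on, meaning of a deviation).
BASELINE = {
    "EnableFirewall":         ("1", "Windows Firewall turned off for the profile"),
    "DisableNotifications":   ("0", "firewall prompts suppressed"),
    "DoNotAllowExceptions":   ("0", "all inbound exceptions blocked"),  # "0" is the default
    "EnableLUA":              ("1", "UAC disabled (takes effect after a reboot)"),
    "AntiVirusOverride":      ("0", "Security Center told to ignore AV state"),
    "AntiVirusDisableNotify": ("0", "AV alerts suppressed"),
    "FirewallOverride":       ("0", "Security Center told to ignore firewall state"),
    "FirewallDisableNotify":  ("0", "firewall alerts suppressed"),
    "UpdatesDisableNotify":   ("0", "Windows Update alerts suppressed"),
    "UacDisableNotify":       ("0", "UAC alerts suppressed"),
}


def parse_row(row):
    """Turn one flattened IoC row into a dict, or None if it is not a registry row."""
    m = SET_RE.match(row)
    if m:
        rec = m.groupdict()
        rec["op"] = "set"
    else:
        m = CREATE_RE.match(row)
        if not m:
            return None
        rec = m.groupdict()
        rec.update(op="create", type=None, name=None, value=None)
    # A 32-bit process has HKLM\SOFTWARE redirected under WOW6432Node; fold that
    # back so the same control is reported under one canonical path.
    rec["path"] = rec["path"].replace(r"\WOW6432Node", "")
    return rec


def assess(rows):
    """Map each process to the security controls it changed away from baseline.

    Returns {process: [(severity, detail), ...]}. Writes that leave a control at
    its baseline value are ignored; key creations are reported as informational.
    """
    findings = defaultdict(list)
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        if rec["op"] == "create":
            findings[rec["process"]].append(("info", f"created key {rec['path']}"))
            continue
        baseline = BASELINE.get(rec["name"])
        if baseline is None:
            continue  # no baseline for this value name; nothing to compare against
        expected, meaning = baseline
        if rec["value"] != expected:
            findings[rec["process"]].append(("high", f"{rec['name']}={rec['value']}: {meaning}"))
    return dict(findings)


def tampered_controls(findings):
    """Set of value names moved away from baseline, across all processes."""
    return {d.split("=")[0] for items in findings.values() for sev, d in items if sev == "high"}


if __name__ == "__main__":
    for proc, items in sorted(assess(ROWS).items()):
        print(proc)
        for sev, detail in items:
            print(f"  [{sev}] {detail}")
```

Two caveats when reading the output against a live host: EnableLUA = 0 only takes effect after a reboot, so a host that has not restarted still has UAC; and the Security Center Override/DisableNotify values are legacy settings from the XP/Vista-era Security Center, so verify their effect on a modern build before treating them as a successful bypass rather than an attempted one.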
Processes
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe", PID 788
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe", PID 792
- C:\Windows\system32\dwm.exe, command line "dwm.exe", PID 60
- C:\Windows\system32\sihost.exe, command line sihost.exe, PID 3120
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 3184
- C:\Windows\system32\taskhostw.exe, command line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 3212
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID 3456
  - C:\Windows\system32\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\192cc3439a33ba7992518cf85a8e439bbf566bdaf083d7528a67af9c65cdb998.dll,#1, PID 4132 (signatures: Suspicious use of WriteProcessMemory)
    - C:\Windows\SysWOW64\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\192cc3439a33ba7992518cf85a8e439bbf566bdaf083d7528a67af9c65cdb998.dll,#1, PID 3420 (signatures: Suspicious use of WriteProcessMemory). The 64-bit rundll32 re-launches the 32-bit DLL through its SysWOW64 counterpart, which is why the dropped executables and the registry writes under WOW6432Node all descend from PID 3420.
      - C:\Users\Admin\AppData\Local\Temp\e573be0.exe, command line C:\Users\Admin\AppData\Local\Temp\e573be0.exe, PID 948 (signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification)
      - C:\Users\Admin\AppData\Local\Temp\e573cca.exe, command line C:\Users\Admin\AppData\Local\Temp\e573cca.exe, PID 888 (signatures: Executes dropped EXE)
      - C:\Users\Admin\AppData\Local\Temp\e576949.exe, command line C:\Users\Admin\AppData\Local\Temp\e576949.exe, PID 3032 (signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification)
      - C:\Users\Admin\AppData\Local\Temp\e576959.exe, command line C:\Users\Admin\AppData\Local\Temp\e576959.exe, PID 1416 (signatures: Executes dropped EXE)
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 3600
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3768
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3876
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3936
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 4036
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 2936
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID 900
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4316
- C:\Windows\system32\backgroundTaskHost.exe, command line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca, PID 3884
- C:\Windows\system32\backgroundTaskHost.exe, command line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca, PID 4756
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 2564
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4072
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, PID 4416
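The WriteProcessMemory table and the process list above are more useful read together: a parent writing into a process it has just launched is produced by process creation itself and is weak evidence, while writes into pre-existing system processes (fontdrvhost, dwm, Explorer, the RuntimeBroker instances) are the actual injection. The following is an added example written for this page, not code from the sandbox or from the report: it resolves the rows against the PID-to-image map and the tree nesting and splits each writer's targets into the two classes. The row subset, the PROCESSES map and the PARENTS table are copied from the tables above; the sandbox's own meaning of the trailing procid_target column is not interpreted.

```python
import re

# Constructed input: a subset of rows from the "Suspicious use of WriteProcessMemory"
# table above, including one exact repeat, as the table itself contains.
WPM_ROWS = [
    "PID 4132 wrote to memory of 3420 4132 rundll32.exe 86",
    "PID 4132 wrote to memory of 3420 4132 rundll32.exe 86",
    "PID 3420 wrote to memory of 948 3420 rundll32.exe 87",
    "PID 948 wrote to memory of 788 948 e573be0.exe 9",
    "PID 948 wrote to memory of 60 948 e573be0.exe 13",
    "PID 948 wrote to memory of 3456 948 e573be0.exe 56",
    "PID 948 wrote to memory of 3420 948 e573be0.exe 86",
    "PID 948 wrote to memory of 888 948 e573be0.exe 88",
    "PID 3032 wrote to memory of 788 3032 e576949.exe 9",
    "PID 3032 wrote to memory of 60 3032 e576949.exe 13",
]

# PID -> image, copied from the Processes section above (constructed subset).
PROCESSES = {
    788: r"C:\Windows\system32\fontdrvhost.exe",
    60: r"C:\Windows\system32\dwm.exe",
    3456: r"C:\Windows\Explorer.EXE",
    4132: r"C:\Windows\system32\rundll32.exe",
    3420: r"C:\Windows\SysWOW64\rundll32.exe",
    948: r"C:\Users\Admin\AppData\Local\Temp\e573be0.exe",
    888: r"C:\Users\Admin\AppData\Local\Temp\e573cca.exe",
    3032: r"C:\Users\Admin\AppData\Local\Temp\e576949.exe",
    1416: r"C:\Users\Admin\AppData\Local\Temp\e576959.exe",
}

# child PID -> parent PID, read off the nesting of the process tree above.
PARENTS = {4132: 3456, 3420: 4132, 948: 3420, 888: 3420, 3032: 3420, 1416: 3420}

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)$"
)


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def injection_map(rows, processes=None, parents=None):
    """Group each writer's targets into 'own_child' (writer is the target's parent)
    and 'cross_process' (any other target). Returns {src_pid: {...}} with the
    target lists sorted by PID; repeated identical rows are counted once."""
    processes = PROCESSES if processes is None else processes
    parents = PARENTS if parents is None else parents
    out = {}
    seen = set()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        entry = out.setdefault(src, {"image": m["image"], "own_child": [], "cross_process": []})
        bucket = "own_child" if parents.get(dst) == src else "cross_process"
        entry[bucket].append((dst, basename(processes.get(dst, "<unknown>"))))
    for entry in out.values():
        entry["own_child"].sort()
        entry["cross_process"].sort()
    return out


def system_targets(imap, processes=None):
    """Images under C:\\Windows that received cross-process writes -> sorted writer images."""
    processes = PROCESSES if processes is None else processes
    hit = {}
    for entry in imap.values():
        for dst, name in entry["cross_process"]:
            if processes.get(dst, "").lower().startswith("c:\\windows\\"):
                hit.setdefault(name, set()).add(entry["image"])
    return {name: sorted(writers) for name, writers in hit.items()}


if __name__ == "__main__":
    imap = injection_map(WPM_ROWS)
    for src, entry in sorted(imap.items()):
        print(f"{entry['image']} ({src}) own children: {entry['own_child']}")
        print(f"{' ' * len(entry['image'])}  cross-process: {entry['cross_process']}")
    print("system processes written into:", system_targets(imap))
```

On the full table both droppers write into the same set of pre-existing processes, which is the behaviour to hunt for on other hosts: a process from the user's Temp directory holding SeDebugPrivilege and opening write handles to dwm.exe, fontdrvhost.exe and Explorer.EXE.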
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 7b8824b160df136b399b500681fddac6
  SHA1: bd6cdf7d31592f1c8e2532303d7b5ec6ff03b6b5
  SHA256: 68e48e626914158fdf62148619a4f718ea1037edf0f23c00e280398e8765b769
  SHA512: ebb772920b7e8cc8a50f9e36f06e18dfbdb1a0387787b3d09ac4c77635e81c1cb2911d9d60adea04be5601297608c4bb11949ae7b97977b7a554ebb261f060e0
- Filesize: 257B
  MD5: f1c205f5d42cbe331f8b3d6932bcb8a3
  SHA1: 1f82375f7931529987b34763f774ffb5c1d7f5cf
  SHA256: ccdc6a7380b5faf00661043336e31d15fcab63afa9d3e8066201adff80451515
  SHA512: 4d231616240a26e82fb4bf001f0a840f9167c4b3555fe006e4accb838e2cf2093c2eba47eee2f47a8b84783ec3519b1a069f532589ea910abe2a3d337757af48