Analysis
max time kernel: 110s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 02:15

Tasks in this submission
Static task: static1
Behavioral task: behavioral1, sample b4cd8e3fbbd1a33ba39fa93d52b22777fca5f16213ec99015dba9c02ee75f36e.dll, resource win7-20240508-en

Note: the behavioural results on this page (platform windows10-2004_x64, memory-dump paths prefixed behavioral2/) are from the Windows 10 task; behavioral1 in the task list above is the Windows 7 run of the same sample. The arch:x86 tag next to arch:x64 matters below: the submitted DLL is 32-bit and is hosted by the SysWOW64 rundll32.exe, so its registry writes land under WOW6432Node.
General
Target: b4cd8e3fbbd1a33ba39fa93d52b22777fca5f16213ec99015dba9c02ee75f36e.dll
Size: 120KB
MD5: 0c2f844693c809e025bc11d1b353508c
SHA1: c6e200af1dbee09767f6c12c307c204725e5ce43
SHA256: b4cd8e3fbbd1a33ba39fa93d52b22777fca5f16213ec99015dba9c02ee75f36e
SHA512: 478dee54de7d3852538a31ecb6f36a657ab8b535ee392b9bcd810ac93120a0ee247510dc64545d26533f87ef7e54d284513a88866d092dfb97442f4f95a07ef4
SSDEEP: 3072:iwOWJGM4JznqPUcnUDEeNoLM078NMQXLmm959n66:8WyNsUYUTYMu8NMKI6
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif

The kukutrustnet*.info hosts have been tied to the Sality family for many years; the IP-based URL is the sample-specific entry. Block and retro-hunt on all four, but expect the IP to differ between samples of the same family.
Signatures

Modifies firewall policy service  2 TTPs  6 IoCs
Processes: e579e82.exe, e576438.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e579e82.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e579e82.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e579e82.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e576438.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e576438.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e576438.exe

Both dropped executables turn the Windows Firewall off for the standard profile (EnableFirewall = 0), re-allow exceptions (DoNotAllowExceptions = 0) and suppress the "firewall is off" notification (DisableNotifications = 1). The path is logged as ControlSet001 because the sandbox records the resolved control set rather than the CurrentControlSet link; when hunting, match on both spellings.
UAC bypass  2 IoCs  (heading restored from the process-tree signature list below)
Processes: e576438.exe, e579e82.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e576438.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579e82.exe

EnableLUA = 0 disables UAC outright; the change takes effect at the next reboot. The same two writes are also reported under Checks whether UAC is enabled and System policy modification below.
Windows security bypass  12 IoCs  (heading restored from the process-tree signature list below)
Processes: e576438.exe, e579e82.exe
  Set value (int) = "1" under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e576438.exe: FirewallDisableNotify, UacDisableNotify, AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, UpdatesDisableNotify
  Set value (int) = "1" under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e579e82.exe: AntiVirusDisableNotify, FirewallOverride, UpdatesDisableNotify, AntiVirusOverride, FirewallDisableNotify, UacDisableNotify

The *Override and *DisableNotify values are the legacy Security Center switches that hide the antivirus/firewall/updates/UAC warnings. The WOW6432Node prefix shows the 32-bit writer's access was redirected by WOW64, so the native 64-bit view of Security Center is untouched; how much effect these legacy values still have on a Windows 10 image is doubtful, but as indicators they are unambiguous.
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality  28 IoCs
yara rule: INDICATOR_EXE_Packed_SimplePolyEngine
  behavioral2/memory/3384-{6,8,9,10,11,17,24,28,33,35,36,37,38,39,44,45,47,48,62,63,70,72,74,76}-0x0000000000760000-0x000000000181A000-memory.dmp  (24 dumps, e576438.exe)
  behavioral2/memory/316-{106,107,115,160}-0x0000000000760000-0x000000000181A000-memory.dmp  (4 dumps, e579e82.exe)

Every hit is in the same 0x0000000000760000-0x000000000181A000 region (16.7MB) of the two droppers, a run-time allocation rather than their image (which sits at 0x400000) and not the submitted DLL itself.
UPX dump on OEP (original entry point)  34 IoCs
yara rule: UPX
  behavioral2/memory/3384-{6,8,9,10,11,17,24,28,33,35,36,37,38,39,44,45,47,48,62,63,70,72,74,76}-0x0000000000760000-0x000000000181A000-memory.dmp  (24 dumps)
  behavioral2/memory/3384-99-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral2/memory/892-{34,86}-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral2/memory/316-{106,107,115,160}-0x0000000000760000-0x000000000181A000-memory.dmp
  behavioral2/memory/316-{54,156}-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral2/memory/1640-159-0x0000000000400000-0x0000000000412000-memory.dmp

The 0x0000000000400000-0x000000000412000 dumps (72KB) are the images of the four dropped executables captured once the UPX stub has reached the original entry point; those are the copies to load into a disassembler, not the packed files on disk.
Executes dropped EXE  4 IoCs
  PID 3384  e576438.exe
  PID 892   e5765ce.exe
  PID 316   e579e82.exe
  PID 1640  e579eb1.exe
UPX packed file  28 IoCs  (heading missing from the extracted page; yara rule upx, the sandbox's generic UPX-packer rule, distinct from the dump-on-OEP rule above)
  behavioral2/memory/3384-{6,8,9,10,11,17,24,28,33,35,36,37,38,39,44,45,47,48,62,63,70,72,74,76}-0x0000000000760000-0x000000000181A000-memory.dmp  (24 dumps)
  behavioral2/memory/316-{106,107,115,160}-0x0000000000760000-0x000000000181A000-memory.dmp  (4 dumps)
Windows security modification  14 IoCs  (heading restored from the process-tree signature list below)
Processes: e579e82.exe, e576438.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e579e82.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e576438.exe
  Set value (int) = "1" under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e576438.exe: FirewallDisableNotify, FirewallOverride, UacDisableNotify, AntiVirusOverride, AntiVirusDisableNotify, UpdatesDisableNotify
  Set value (int) = "1" under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e579e82.exe: UacDisableNotify, AntiVirusDisableNotify, UpdatesDisableNotify, AntiVirusOverride, FirewallDisableNotify, FirewallOverride

The twelve Set value entries are the same writes listed under Windows security bypass; this signature additionally records both droppers creating the Security Center\Svc subkey.
Checks whether UAC is enabled  2 IoCs  (heading restored from the process-tree signature list below)
Processes: e576438.exe, e579e82.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e576438.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579e82.exe

These are the same two EnableLUA writes reported under UAC bypass.
Enumerates connected drives  3 TTPs  12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e576438.exe, e579e82.exe
  File opened (read-only)  \??\I:  \??\L:  \??\K:  \??\E:  \??\G:  \??\H:  \??\J:   e576438.exe
  File opened (read-only)  \??\E:  \??\I:  \??\G:  \??\H:  \??\J:   e579e82.exe

Sality is a file infector that also spreads via removable and mapped drives, so probing every drive-letter root is its volume-discovery step. Whether any of these letters existed on the image is not recorded here; only the open attempts are.
Drops file in Windows directory  3 IoCs
Processes: e576438.exe, e579e82.exe
  File opened for modification  C:\Windows\SYSTEM.INI  e576438.exe
  File created                  C:\Windows\e5764a5     e576438.exe
  File created                  C:\Windows\e57c5f0     e579e82.exe

The rewritten SYSTEM.INI (256 bytes, hashed under Downloads below) is worth opening: Sality has long used a [MCIDRV_VER] section with a DEVICEMB= value in system.ini as its infection marker. The two files created under C:\Windows carry the same style of name as the dropped executables but were not recovered by the sandbox.
Suspicious behavior: EnumeratesProcesses  6 IoCs
  PID 3384  e576438.exe  (x4)
  PID 316   e579e82.exe  (x2)
Suspicious use of AdjustPrivilegeToken  64 IoCs
  Token: SeDebugPrivilege  PID 3384  e576438.exe  (all 64 listed entries are this one process enabling this one privilege)

SeDebugPrivilege is what a process needs to open other users' and system processes for writing, which is exactly what the next signature shows e576438.exe doing. A user-mode dropper enabling it dozens of times is a strong signal on its own.
Suspicious use of WriteProcessMemory  64 IoCs
Processes: rundll32.exe (PID 5012), rundll32.exe (PID 2864), e576438.exe (PID 3384), e579e82.exe (PID 316)
source -> target  (writes)
  5012 rundll32.exe -> 2864 rundll32.exe  x3
  2864 rundll32.exe -> 3384 e576438.exe  x3
  2864 rundll32.exe -> 892 e5765ce.exe  x3
  2864 rundll32.exe -> 316 e579e82.exe  x3
  2864 rundll32.exe -> 1640 e579eb1.exe  x3
  3384 e576438.exe -> 760 fontdrvhost.exe, 768 fontdrvhost.exe, 1012 dwm.exe, 2760 sihost.exe, 2856 svchost.exe, 3068 taskhostw.exe, 3412 Explorer.EXE, 3532 svchost.exe, 3724 DllHost.exe, 3812 StartMenuExperienceHost.exe, 3876 RuntimeBroker.exe, 3964 SearchApp.exe, 2364 RuntimeBroker.exe, 4332 RuntimeBroker.exe, 4920 TextInputHost.exe, 4304 backgroundTaskHost.exe, 3460 backgroundTaskHost.exe, 5012 rundll32.exe  (18 targets, two full passes = 36 writes)
  3384 e576438.exe -> 2864 rundll32.exe  x2
  3384 e576438.exe -> 892 e5765ce.exe  x2
  316 e579e82.exe -> 760 fontdrvhost.exe, 768 fontdrvhost.exe, 1012 dwm.exe, 2760 sihost.exe, 2856 svchost.exe, 3068 taskhostw.exe, 3412 Explorer.EXE, 3532 svchost.exe, 3724 DllHost.exe  (9 writes; the listing stops at 64 entries part-way through this sweep)

Reading the list: three identical writes into a process that has just been started (5012 -> 2864, and 2864 -> each dropped executable) are the pattern a sandbox records when a parent creates a child and fills in its start-up data. The single writes from e576438.exe and e579e82.exe into every already-running process of the user session (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, the SystemApps hosts) are the infector's injection sweep, and are what SeDebugPrivilege was enabled for. e576438.exe also writes back into both rundll32 hosts and into its sibling e5765ce.exe.
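To separate start-up writes from an injection sweep mechanically, here is an added Python example (not the sandbox's own tooling) that parses entries in the format used above, applies the parent->child relationships from the process tree on this page, and flags any source that writes into several processes it did not start. The parent map, the constructed subset of entries and the fan-out threshold of five are assumptions of the example, not values from the report.

```python
r"""Split WriteProcessMemory fan-out into child start-up writes and injection sweeps.

Added example for the signature above; not part of the sandbox's own tooling.
Input is text in the report's entry format ("PID <src> wrote to memory of <dst>
<src> <src.exe> <dst.exe>"). CHILDREN is read off the process tree on this page;
SAMPLE_IOCS is a constructed subset of the 64 entries; the threshold is a triage
heuristic chosen here.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# One entry as the report prints it; the \1 backreference checks the repeated source PID.
_WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

# Parent -> children, from the process tree: 5012 starts 2864; 2864 starts the droppers.
CHILDREN = {5012: {2864}, 2864: {3384, 892, 316, 1640}}


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_name: str
    dst_name: str


@dataclass
class SourceSummary:
    name: str
    child_targets: set = field(default_factory=set)    # processes this source itself started
    foreign_targets: set = field(default_factory=set)  # everything else: injection candidates
    foreign_names: list = field(default_factory=list)  # distinct image names, sorted
    flagged: bool = False


def parse_writes(text: str) -> list:
    """Extract every 'wrote to memory of' entry, in report order."""
    return [Write(int(s), int(d), sn, dn) for s, d, sn, dn in _WRITE_RE.findall(text)]


def write_counts(writes) -> Counter:
    """Writes per (src, dst) pair; three in a row is the child-start pattern."""
    return Counter((w.src_pid, w.dst_pid) for w in writes)


def summarize(writes, children, fanout_threshold: int = 5) -> dict:
    """Per source PID: own children vs foreign targets; flag wide foreign fan-out.

    A legitimate parent writes only into processes it starts. A source writing
    into at least `fanout_threshold` processes it did not start is flagged.
    """
    out = {}
    for w in writes:
        s = out.setdefault(w.src_pid, SourceSummary(w.src_name))
        if w.dst_pid in children.get(w.src_pid, set()):
            s.child_targets.add(w.dst_pid)
        else:
            s.foreign_targets.add(w.dst_pid)
            if w.dst_name not in s.foreign_names:
                s.foreign_names.append(w.dst_name)
    for s in out.values():
        s.foreign_names.sort()
        s.flagged = len(s.foreign_targets) >= fanout_threshold
    return out


# Constructed subset of the report's entries (same format, fewer lines).
SAMPLE_IOCS = """
PID 5012 wrote to memory of 2864 5012 rundll32.exe rundll32.exe
PID 5012 wrote to memory of 2864 5012 rundll32.exe rundll32.exe
PID 5012 wrote to memory of 2864 5012 rundll32.exe rundll32.exe
PID 2864 wrote to memory of 3384 2864 rundll32.exe e576438.exe
PID 2864 wrote to memory of 3384 2864 rundll32.exe e576438.exe
PID 2864 wrote to memory of 3384 2864 rundll32.exe e576438.exe
PID 3384 wrote to memory of 760 3384 e576438.exe fontdrvhost.exe
PID 3384 wrote to memory of 768 3384 e576438.exe fontdrvhost.exe
PID 3384 wrote to memory of 1012 3384 e576438.exe dwm.exe
PID 3384 wrote to memory of 2760 3384 e576438.exe sihost.exe
PID 3384 wrote to memory of 2856 3384 e576438.exe svchost.exe
PID 3384 wrote to memory of 3412 3384 e576438.exe Explorer.EXE
PID 3384 wrote to memory of 5012 3384 e576438.exe rundll32.exe
PID 3384 wrote to memory of 2864 3384 e576438.exe rundll32.exe
PID 2864 wrote to memory of 892 2864 rundll32.exe e5765ce.exe
PID 2864 wrote to memory of 892 2864 rundll32.exe e5765ce.exe
PID 2864 wrote to memory of 892 2864 rundll32.exe e5765ce.exe
PID 3384 wrote to memory of 892 3384 e576438.exe e5765ce.exe
"""

if __name__ == "__main__":
    writes = parse_writes(SAMPLE_IOCS)
    for pid, s in summarize(writes, CHILDREN).items():
        verdict = "INJECTION SWEEP" if s.flagged else "ok"
        print(f"{pid:5} {s.name:13} children={sorted(s.child_targets)} "
              f"foreign={len(s.foreign_targets)} {s.foreign_names} -> {verdict}")
```

On the constructed subset both rundll32 instances come out clean (they only write into their own children) and e576438.exe is flagged with nine foreign targets. The threshold is deliberately low for a sandbox trace; on a production host, debuggers, EDR agents and accessibility tools also write into other processes, so this is a triage filter, not a verdict.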
System policy modification  1 TTPs  2 IoCs
Processes: e576438.exe, e579e82.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e576438.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579e82.exe
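The registry writes listed under Modifies firewall policy service, UAC bypass, Windows security bypass, Windows security modification and System policy modification are variations of one thing: the dropper switching a protection off and silencing the warning about it. The following is an added example, not the sandbox's code: a small Python matcher that takes IoC lines in this report's own format, normalises the native path (\REGISTRY\MACHINE to HKLM, ControlSet001 to CurrentControlSet, WOW6432Node stripped, case folded) and maps each write to the signature name this report uses. The indicator table, the two constructed control lines, and the decision to count only the disabling value as a hit are assumptions of the example.

```python
r"""Map registry writes to the defence-tampering signatures used in this report.

Added example for the registry signatures above; not part of the sandbox's own code.
Parses IoC lines in the report's form ('Set value (type) <path> = "<value>" <process>'),
normalises the path and looks it up in an indicator table built from the values this
sample wrote. Signature names are the report's; the table, the sample lines and the
two control lines are constructed here.
"""
import re
from dataclasses import dataclass

FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WSC = r"HKLM\SOFTWARE\Microsoft\Security Center"

# canonical value path -> (report signature, value that means "protection off")
TAMPER_INDICATORS = {
    FIREWALL + r"\EnableFirewall": ("Modifies firewall policy service", "0"),
    FIREWALL + r"\DoNotAllowExceptions": ("Modifies firewall policy service", "0"),
    FIREWALL + r"\DisableNotifications": ("Modifies firewall policy service", "1"),
    POLICY + r"\EnableLUA": ("UAC bypass", "0"),
    WSC + r"\AntiVirusOverride": ("Windows security bypass", "1"),
    WSC + r"\AntiVirusDisableNotify": ("Windows security bypass", "1"),
    WSC + r"\FirewallOverride": ("Windows security bypass", "1"),
    WSC + r"\FirewallDisableNotify": ("Windows security bypass", "1"),
    WSC + r"\UpdatesDisableNotify": ("Windows security bypass", "1"),
    WSC + r"\UacDisableNotify": ("Windows security bypass", "1"),
}
# Registry paths are case-insensitive, so the lookup is done on the case-folded form.
_LOOKUP = {k.casefold(): v for k, v in TAMPER_INDICATORS.items()}
_IOC_RE = re.compile(r'^Set value \((\w+)\)\s+(.+?)\s+=\s+"([^"]*)"\s+(\S+)$')


@dataclass(frozen=True)
class Finding:
    signature: str
    path: str  # normalised
    value: str
    process: str


def normalise(path: str) -> str:
    """Canonicalise a native registry path so equivalent spellings compare equal."""
    p = path.strip()
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.I)
    # ControlSet001/002 are the concrete sets behind the CurrentControlSet link.
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    # WOW64 redirects 32-bit writers under WOW6432Node; it is the same setting.
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p


def parse_ioc_line(line: str):
    """(type, path, value, process) for a 'Set value' IoC line, else None."""
    m = _IOC_RE.match(line.strip())
    return m.groups() if m else None


def classify(path: str, value: str, process: str):
    """A Finding if this write matches an indicator with its 'off' value, else None."""
    canon = normalise(path)
    hit = _LOOKUP.get(canon.casefold())
    if hit is None or value.strip() != hit[1]:
        return None  # unrelated key, or the same key set to a non-tampering value
    return Finding(hit[0], canon, value.strip(), process)


def scan(lines) -> list:
    """Classify every parseable 'Set value' line; other lines are skipped."""
    findings = []
    for line in lines:
        parsed = parse_ioc_line(line)
        if parsed:
            f = classify(parsed[1], parsed[2], parsed[3])
            if f:
                findings.append(f)
    return findings


def by_process(findings) -> dict:
    """{process: sorted distinct signatures}, the view wanted for triage."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.signature)
    return {p: sorted(s) for p, s in out.items()}


# Constructed sample: four 'Set value' lines and one 'Key created' line copied from
# the report, plus two constructed control lines that must not be flagged.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e579e82.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576438.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579e82.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e576438.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e579e82.exe',
    # control (constructed): same key, but the value that turns UAC back on
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" gpupdate.exe',
    # control (constructed): a key the table does not cover
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svc = "C:\ProgramData\svc.exe" e576438.exe',
]

if __name__ == "__main__":
    findings = scan(SAMPLE_LINES)
    for f in findings:
        print(f"{f.process:12} {f.signature:34} {f.path} = {f.value}")
    print(by_process(findings))
```

The normalisation step is the part worth keeping: a detection rule that only matches the literal \REGISTRY\MACHINE\SYSTEM\ControlSet001\... string from one sandbox run will miss the same write logged as HKLM\SYSTEM\CurrentControlSet\... by Sysmon or an EDR, and will miss the native 64-bit path when the writer is not redirected through WOW6432Node.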
Processes
(indentation = depth in the process tree; PIDs are the ones referenced by the signatures above)

PID 760   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 768   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 1012  C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"
PID 2760  C:\Windows\system32\sihost.exe   cmdline: sihost.exe
PID 2856  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3068  C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3412  C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
  PID 5012  C:\Windows\system32\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cd8e3fbbd1a33ba39fa93d52b22777fca5f16213ec99015dba9c02ee75f36e.dll,#1
            signatures: Suspicious use of WriteProcessMemory
    PID 2864  C:\Windows\SysWOW64\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cd8e3fbbd1a33ba39fa93d52b22777fca5f16213ec99015dba9c02ee75f36e.dll,#1
              signatures: Suspicious use of WriteProcessMemory
      PID 3384  C:\Users\Admin\AppData\Local\Temp\e576438.exe
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      PID 892   C:\Users\Admin\AppData\Local\Temp\e5765ce.exe
                signatures: Executes dropped EXE
      PID 316   C:\Users\Admin\AppData\Local\Temp\e579e82.exe
                signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      PID 1640  C:\Users\Admin\AppData\Local\Temp\e579eb1.exe
                signatures: Executes dropped EXE
PID 3532  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3724  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3812  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3876  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3964  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 2364  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4332  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4920  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4304  C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 3460  C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 3960  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2832  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

Execution chain: the 64-bit rundll32.exe (PID 5012, system32) is asked to run export ordinal #1 of the DLL and, because the DLL is 32-bit (arch:x86 in the resource tags), hands it to the 32-bit SysWOW64 rundll32.exe (PID 2864). That process hosts the DLL and drops the four executables into %TEMP%; e576438.exe and e579e82.exe carry the tampering and injection behaviour, e5765ce.exe and e579eb1.exe only register as dropped executables. The top-level system processes listed alongside are not part of the malware's own tree; they appear because they are the targets of the WriteProcessMemory sweep above.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
  Create or Modify System Process (T1543) 1: Windows Service (T1543.003) 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
  Impair Defenses (T1562) 3: Disable or Modify Tools (T1562.001) 3
  Modify Registry (T1112) 5
Downloads

Dropped files
  C:\Users\Admin\AppData\Local\Temp\e576438.exe  97KB
    MD5     b124090d1d22691f606c29561a56ec49
    SHA1    c745392a14fe656fd916ba3483809328374e83d6
    SHA256  ef5c7baa0db3143cbdba6cfaed5f6a525a6cf713fb96a995eb503796963a4a88
    SHA512  4f6c387ac7bcdec4821d0b61880ce925563c6e766f4859eadeb230441654d40571a19d6b4648d074cc2c8bff5c881d236973fd9540788e752db7e1c0276e3988
  C:\Windows\SYSTEM.INI  256B
    MD5     f5721605f35efe20e23b4476787fed25
    SHA1    e66db8e3ce85bea26fb4aa37d4c7bcd891e3359f
    SHA256  afb430466735d902c076a0cbf156ac9957f703fbfaf9c1c233fc0f09d8a27533
    SHA512  355e63c05e55d1d4338ac0416fa311edd2f580b2981cd6f5bd28c11a467aa733ddc54714c20f438a6dc11d29fb6e3fc724dc3b0c0473ec5014080f4af2c10775

Memory dumps  (memory/<pid>-<seq>-<start>-<end>-memory.dmp)
  PID 2864 (rundll32.exe, SysWOW64)
    2864-1                      0x0000000010000000-0x0000000010020000  128KB
    2864-18, 2864-20, 2864-27   0x0000000003AF0000-0x0000000003AF2000  8KB
    2864-26                     0x0000000004020000-0x0000000004021000  4KB
  PID 3384 (e576438.exe)
    3384-4, 3384-99             0x0000000000400000-0x0000000000412000  72KB
    3384-{6,8,9,10,11,17,24,28,33,35,36,37,38,39,44,45,47,48,62,63,70,72,74,76}   0x0000000000760000-0x000000000181A000  16.7MB
    3384-23                     0x0000000003E70000-0x0000000003E71000  4KB
    3384-29, 3384-30, 3384-92   0x0000000001B30000-0x0000000001B32000  8KB
  PID 892 (e5765ce.exe)
    892-34, 892-86              0x0000000000400000-0x0000000000412000  72KB
    892-41                      0x00000000001F0000-0x00000000001F1000  4KB
    892-42, 892-43              0x00000000001E0000-0x00000000001E2000  8KB
  PID 316 (e579e82.exe)
    316-54, 316-156             0x0000000000400000-0x0000000000412000  72KB
    316-{106,107,115,160}       0x0000000000760000-0x000000000181A000  16.7MB
  PID 1640 (e579eb1.exe)
    1640-61, 1640-159           0x0000000000400000-0x0000000000412000  72KB

Only e576438.exe was recovered from disk; e5765ce.exe, e579e82.exe and e579eb1.exe survive only as the 72KB image dumps at 0x400000, and the two files created under C:\Windows (e5764a5, e57c5f0) are not in the list at all. The 128KB dump at 0x10000000 in PID 2864 is consistent with the submitted DLL (120KB on disk) mapped at the default DLL image base inside the 32-bit rundll32.exe. The 16.7MB region at 0x760000 in PIDs 3384 and 316 is the one every yara hit above lands in.