Analysis
- max time kernel: 113s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 10:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 05e18159486bf037d3b28317a7268710.exe.bin.dll
- Resource: win7-20240508-en
General
- Target: 05e18159486bf037d3b28317a7268710.exe.bin.dll
- Size: 120KB
- MD5: 05e18159486bf037d3b28317a7268710
- SHA1: cb1c43d6296177f8aa04defaf68ba8a9e879ecd8
- SHA256: b23e8b82fc82399c8aa50a86f8f592fa689ad3841dcc80a49b01e35bb3caea79
- SHA512: 3f3582a794efbffc755960fbe1e925b12d5f90222843b4fca756c724db9bbb727cff549499dc49f06d98caa7274c52a1a8785ae860d0edac55fd70c32e4114bf
- SSDEEP: 3072:fNd7a82lh8+YYZ813i2vZjs9eRjcL12ik:ff7wX8+YYZ8oyjcQjc0ik
Malware Config
Extracted
- Family: sality
- URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 6 IoCs
Processes: e577f03.exe, e5756ab.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577f03.exe

UAC bypass 2 IoCs
Processes: e5756ab.exe, e577f03.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577f03.exe

Windows security bypass 12 IoCs
Processes: e5756ab.exe, e577f03.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577f03.exe
Executes dropped EXE 3 IoCs
Processes: e5756ab.exe, e5758af.exe, e577f03.exe
  pid | process
  2864 | e5756ab.exe
  4320 | e5758af.exe
  4476 | e577f03.exe
Windows security modification 14 IoCs
Processes: e5756ab.exe, e577f03.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5756ab.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5756ab.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577f03.exe

Checks whether UAC is enabled 2 IoCs
Processes: e5756ab.exe, e577f03.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5756ab.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577f03.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e577f03.exe, e5756ab.exe
  description | ioc | process
  File opened (read-only) | \??\E: | e577f03.exe
  File opened (read-only) | \??\H: | e577f03.exe
  File opened (read-only) | \??\J: | e577f03.exe
  File opened (read-only) | \??\E: | e5756ab.exe
  File opened (read-only) | \??\N: | e5756ab.exe
  File opened (read-only) | \??\I: | e577f03.exe
  File opened (read-only) | \??\M: | e5756ab.exe
  File opened (read-only) | \??\G: | e577f03.exe
  File opened (read-only) | \??\G: | e5756ab.exe
  File opened (read-only) | \??\H: | e5756ab.exe
  File opened (read-only) | \??\I: | e5756ab.exe
  File opened (read-only) | \??\J: | e5756ab.exe
  File opened (read-only) | \??\K: | e5756ab.exe
  File opened (read-only) | \??\L: | e5756ab.exe
Drops file in Program Files directory 3 IoCs
Processes: e5756ab.exe
  description | ioc | process
  File opened for modification | C:\Program Files\7-Zip\7z.exe | e5756ab.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5756ab.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5756ab.exe

Drops file in Windows directory 3 IoCs
Processes: e5756ab.exe, e577f03.exe
  description | ioc | process
  File created | C:\Windows\e575738 | e5756ab.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e5756ab.exe
  File created | C:\Windows\e57a817 | e577f03.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: e5756ab.exe, e577f03.exe
  pid | process
  2864 | e5756ab.exe
  2864 | e5756ab.exe
  2864 | e5756ab.exe
  2864 | e5756ab.exe
  4476 | e577f03.exe
  4476 | e577f03.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e5756ab.exe
  description | pid | process
  Token: SeDebugPrivilege | 2864 | e5756ab.exe
  (all 64 entries are identical to the row above)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e5756ab.exe, e577f03.exe
  source PID | source process | target PID | target process
  184 | rundll32.exe | 4076 | rundll32.exe
  184 | rundll32.exe | 4076 | rundll32.exe
  184 | rundll32.exe | 4076 | rundll32.exe
  4076 | rundll32.exe | 2864 | e5756ab.exe
  4076 | rundll32.exe | 2864 | e5756ab.exe
  4076 | rundll32.exe | 2864 | e5756ab.exe
  2864 | e5756ab.exe | 792 | fontdrvhost.exe
  2864 | e5756ab.exe | 796 | fontdrvhost.exe
  2864 | e5756ab.exe | 316 | dwm.exe
  2864 | e5756ab.exe | 2660 | sihost.exe
  2864 | e5756ab.exe | 2672 | svchost.exe
  2864 | e5756ab.exe | 2884 | taskhostw.exe
  2864 | e5756ab.exe | 3480 | Explorer.EXE
  2864 | e5756ab.exe | 3600 | svchost.exe
  2864 | e5756ab.exe | 3780 | DllHost.exe
  2864 | e5756ab.exe | 3876 | StartMenuExperienceHost.exe
  2864 | e5756ab.exe | 3944 | RuntimeBroker.exe
  2864 | e5756ab.exe | 4024 | SearchApp.exe
  2864 | e5756ab.exe | 4060 | RuntimeBroker.exe
  2864 | e5756ab.exe | 4436 | RuntimeBroker.exe
  2864 | e5756ab.exe | 1224 | TextInputHost.exe
  2864 | e5756ab.exe | 1108 | backgroundTaskHost.exe
  2864 | e5756ab.exe | 2736 | backgroundTaskHost.exe
  2864 | e5756ab.exe | 184 | rundll32.exe
  2864 | e5756ab.exe | 4076 | rundll32.exe
  2864 | e5756ab.exe | 4076 | rundll32.exe
  4076 | rundll32.exe | 4320 | e5758af.exe
  4076 | rundll32.exe | 4320 | e5758af.exe
  4076 | rundll32.exe | 4320 | e5758af.exe
  4076 | rundll32.exe | 4476 | e577f03.exe
  4076 | rundll32.exe | 4476 | e577f03.exe
  4076 | rundll32.exe | 4476 | e577f03.exe
  2864 | e5756ab.exe | 792 | fontdrvhost.exe
  2864 | e5756ab.exe | 796 | fontdrvhost.exe
  2864 | e5756ab.exe | 316 | dwm.exe
  2864 | e5756ab.exe | 2660 | sihost.exe
  2864 | e5756ab.exe | 2672 | svchost.exe
  2864 | e5756ab.exe | 2884 | taskhostw.exe
  2864 | e5756ab.exe | 3480 | Explorer.EXE
  2864 | e5756ab.exe | 3600 | svchost.exe
  2864 | e5756ab.exe | 3780 | DllHost.exe
  2864 | e5756ab.exe | 3876 | StartMenuExperienceHost.exe
  2864 | e5756ab.exe | 3944 | RuntimeBroker.exe
  2864 | e5756ab.exe | 4024 | SearchApp.exe
  2864 | e5756ab.exe | 4060 | RuntimeBroker.exe
  2864 | e5756ab.exe | 4436 | RuntimeBroker.exe
  2864 | e5756ab.exe | 1224 | TextInputHost.exe
  2864 | e5756ab.exe | 1108 | backgroundTaskHost.exe
  2864 | e5756ab.exe | 2736 | backgroundTaskHost.exe
  2864 | e5756ab.exe | 4320 | e5758af.exe
  2864 | e5756ab.exe | 4320 | e5758af.exe
  2864 | e5756ab.exe | 1764 | BackgroundTaskHost.exe
  2864 | e5756ab.exe | 4476 | e577f03.exe
  2864 | e5756ab.exe | 4476 | e577f03.exe
  2864 | e5756ab.exe | 4600 | RuntimeBroker.exe
  4476 | e577f03.exe | 792 | fontdrvhost.exe
  4476 | e577f03.exe | 796 | fontdrvhost.exe
  4476 | e577f03.exe | 316 | dwm.exe
  4476 | e577f03.exe | 2660 | sihost.exe
  4476 | e577f03.exe | 2672 | svchost.exe
  4476 | e577f03.exe | 2884 | taskhostw.exe
  4476 | e577f03.exe | 3480 | Explorer.EXE
  4476 | e577f03.exe | 3600 | svchost.exe
  4476 | e577f03.exe | 3780 | DllHost.exe
System policy modification 1 TTPs 2 IoCs
Processes: e577f03.exe, e5756ab.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577f03.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5756ab.exe
Processes
(indentation shows the process tree; child processes are listed under their parent)

PID 792   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 796   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 316   C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"
PID 2660  C:\Windows\system32\sihost.exe   cmdline: sihost.exe
PID 2672  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2884  C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3480  C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
    PID 184   C:\Windows\system32\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05e18159486bf037d3b28317a7268710.exe.bin.dll,#1
        - Suspicious use of WriteProcessMemory
        PID 4076  C:\Windows\SysWOW64\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05e18159486bf037d3b28317a7268710.exe.bin.dll,#1
            - Suspicious use of WriteProcessMemory
            PID 2864  C:\Users\Admin\AppData\Local\Temp\e5756ab.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e5756ab.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            PID 4320  C:\Users\Admin\AppData\Local\Temp\e5758af.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e5758af.exe
                - Executes dropped EXE
            PID 4476  C:\Users\Admin\AppData\Local\Temp\e577f03.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e577f03.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
PID 3600  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3780  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3876  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3944  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4024  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4060  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4436  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1224  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 1108  C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 2736  C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 1764  C:\Windows\system32\BackgroundTaskHost.exe   cmdline: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
PID 4600  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2436  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e5756ab.exe
  Filesize: 97KB
  MD5: 0aa2c82fda03fdae944a9b6eab306a78
  SHA1: c113097a99dd0380b13c1d965023476c04bd2b73
  SHA256: b4ccf355dcd28edb30d8ccdafc8b9beb3b5af12069333442574020520900786f
  SHA512: b33338d009eb93538756cccfa07f99e62c493d3275bf5a7a27be2999f7eddcd09de510287d7660b7acab09ccd4468f34ebb70145923dcc9afc7c7eafa2b63716
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: c2eda38187ac0417dcc3e58747e0d96b
  SHA1: dfd7e1d88247d559b7a744a19a439355836236f2
  SHA256: 32aec2c4fe11e9b00ad022174b8f137cbbd522cfab635d2b7ca6182d59fa2e22
  SHA512: 61e6d8e0a797a5c1cd56105f62fbdc7a375fe89d1e6356293339846b2b4658531666aae35f3aae321f6b4b09e7bfa7cc1b2be9fd6c1daf21d27319ef8281336e