Analysis
- max time kernel: 93s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 20:10
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299.dll
  Resource: win7-20231129-en
General
- Target: 0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299.dll
- Size: 120KB
- MD5: e22aa94b66415e28ab49b2f6c74a84a0
- SHA1: 0aa66de62267175fd2420de595ec57126a244120
- SHA256: 0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299
- SHA512: e05385d82a243e3ad850613e72a9c6f307000186b2946ff95b12e70a9763294db6a89671b98bfd9badb4ae75295ce09fa18115782545c117dad52027475c8228
- SSDEEP: 1536:doCVj26w8QBel86/YxjMCkpdupT3+M3qSMzJARCn0lE4nKJCWqYUvOiaQx4NigQK:doUQU++YxjGwZuJARuK/nKJYYUd74rb
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
- Modifies firewall policy service (2 TTPs, 6 IoCs)
  Both e5752b4.exe and e577995.exe set:
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- UAC bypass
  Both e5752b4.exe and e577995.exe set:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Windows security bypass
  Both e5752b4.exe and e577995.exe set (12 IoCs):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Executes dropped EXE (3 IoCs)
  - PID 1488 e5752b4.exe
  - PID 2052 e575469.exe
  - PID 2812 e577995.exe
- YARA rule match: upx (UPX-packed memory regions, 30 IoCs)
  - behavioral2/memory/1488-N-0x00000000007A0000-0x000000000185A000-memory.dmp for N in {6, 9, 10, 11, 12, 14, 15, 29, 30, 32, 37, 38, 39, 40, 41, 43, 60, 61, 63, 65, 66, 69, 70, 71, 72, 74, 76, 77}
  - behavioral2/memory/2812-N-0x0000000000B40000-0x0000000001BFA000-memory.dmp for N in {111, 147}
- Windows security modification
  Both e5752b4.exe and e577995.exe (14 IoCs):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Checks whether UAC is enabled
  Both e5752b4.exe and e577995.exe set:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Enumerates connected drives (3 TTPs, 14 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - e5752b4.exe: File opened (read-only) \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O:
  - e577995.exe: File opened (read-only) \??\E: \??\G: \??\H: \??\I:
- Drops file in Program Files directory (4 IoCs)
  All four are existing 7-Zip executables opened for write by e5752b4.exe, not newly created files:
  - File opened for modification C:\Program Files\7-Zip\7z.exe
  - File opened for modification C:\Program Files\7-Zip\7zFM.exe
  - File opened for modification C:\Program Files\7-Zip\7zG.exe
  - File opened for modification C:\Program Files\7-Zip\Uninstall.exe
- Drops file in Windows directory (3 IoCs)
  - File created C:\Windows\e5752f2  (e5752b4.exe)
  - File opened for modification C:\Windows\SYSTEM.INI  (e5752b4.exe)
  - File created C:\Windows\e57a3c2  (e577995.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - PID 1488 e5752b4.exe (4 occurrences)
  - PID 2812 e577995.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - Token: SeDebugPrivilege, PID 1488 e5752b4.exe (all 64 entries are this same privilege enabled by this same process)
- Suspicious use of WriteProcessMemory (64 IoCs; listed as "writer wrote to memory of target", with repeat counts)
  - PID 3848 rundll32.exe wrote to: 4516 rundll32.exe (x3)
  - PID 4516 rundll32.exe wrote to: 1488 e5752b4.exe (x3), 2052 e575469.exe (x3), 2812 e577995.exe (x3)
  - PID 1488 e5752b4.exe wrote to: 808 fontdrvhost.exe (x2), 816 fontdrvhost.exe (x2), 316 dwm.exe (x2), 2836 sihost.exe (x2), 2972 svchost.exe (x2), 736 taskhostw.exe (x2), 3416 Explorer.EXE (x2), 3560 svchost.exe (x2), 3752 DllHost.exe (x2), 3852 StartMenuExperienceHost.exe (x2), 3916 RuntimeBroker.exe (x2), 3996 SearchApp.exe (x2), 4284 RuntimeBroker.exe (x2), 2348 TextInputHost.exe (x2), 4396 backgroundTaskHost.exe (x2), 3848 rundll32.exe (x1), 4516 rundll32.exe (x2), 2052 e575469.exe (x2), 2812 e577995.exe (x2)
  - PID 2812 e577995.exe wrote to: 808 fontdrvhost.exe, 816 fontdrvhost.exe, 316 dwm.exe, 2836 sihost.exe, 2972 svchost.exe, 736 taskhostw.exe, 3416 Explorer.EXE, 3560 svchost.exe, 3752 DllHost.exe, 3852 StartMenuExperienceHost.exe, 3916 RuntimeBroker.exe, 3996 SearchApp.exe, 4284 RuntimeBroker.exe, 2348 TextInputHost.exe, 4396 backgroundTaskHost.exe (x1 each)
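The WriteProcessMemory IoCs mix two very different events: rundll32.exe writing into the dropped executables it has just spawned (a parent setting up a child it created), and e5752b4.exe / e577995.exe writing into fontdrvhost.exe, dwm.exe, Explorer.EXE and a dozen other already-running system processes, which is the injection signal. SeDebugPrivilege, which PID 1488 enables repeatedly in the AdjustPrivilegeToken signature above, is the privilege that lets a process open processes it does not own, so those two signatures belong together. The script below is an added example, not sandbox output: it parses IoC lines in the report's own format (a subset copied from above, with one line deliberately repeated because the sandbox logs one entry per call), uses a parent map read off the report's process tree, and ranks writers by how many distinct unrelated processes they touched. The threshold of three is my choice.

```python
"""Turn Triage-style "wrote to memory of" IoC lines into an injection graph.

Added example for this report, not part of the sandbox output. Input lines are
copied from the report's WriteProcessMemory signature; the parent map comes
from the report's process tree.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Subset of IoC lines copied from the report. The first line is repeated on
# purpose: the sandbox logs one entry per WriteProcessMemory call.
WRITE_LINES = """
PID 3848 wrote to memory of 4516 3848 rundll32.exe rundll32.exe
PID 3848 wrote to memory of 4516 3848 rundll32.exe rundll32.exe
PID 4516 wrote to memory of 1488 4516 rundll32.exe e5752b4.exe
PID 4516 wrote to memory of 2052 4516 rundll32.exe e575469.exe
PID 4516 wrote to memory of 2812 4516 rundll32.exe e577995.exe
PID 1488 wrote to memory of 808 1488 e5752b4.exe fontdrvhost.exe
PID 1488 wrote to memory of 316 1488 e5752b4.exe dwm.exe
PID 1488 wrote to memory of 2836 1488 e5752b4.exe sihost.exe
PID 1488 wrote to memory of 2972 1488 e5752b4.exe svchost.exe
PID 1488 wrote to memory of 736 1488 e5752b4.exe taskhostw.exe
PID 1488 wrote to memory of 3416 1488 e5752b4.exe Explorer.EXE
PID 1488 wrote to memory of 3916 1488 e5752b4.exe RuntimeBroker.exe
PID 1488 wrote to memory of 4516 1488 e5752b4.exe rundll32.exe
PID 1488 wrote to memory of 2812 1488 e5752b4.exe e577995.exe
PID 2812 wrote to memory of 808 2812 e577995.exe fontdrvhost.exe
PID 2812 wrote to memory of 3416 2812 e577995.exe Explorer.EXE
PID 2812 wrote to memory of 4396 2812 e577995.exe backgroundTaskHost.exe
"""

# Parent PIDs from the report's process tree:
# Explorer.EXE -> rundll32.exe -> SysWOW64 rundll32.exe -> dropped EXEs.
PARENT_OF = {3848: 3416, 4516: 3848, 1488: 4516, 2052: 4516, 2812: 4516}

# "PID <src> wrote to memory of <dst> <src> <src_name> <dst_name>"
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)$"
)


@dataclass(frozen=True)
class MemoryWrite:
    src: int
    src_name: str
    dst: int
    dst_name: str


def parse_writes(text: str) -> list[MemoryWrite]:
    """Parse one MemoryWrite per IoC line; reject lines that do not fit the format."""
    writes = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        writes.append(MemoryWrite(int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"]))
    return writes


def classify_writes(writes, parent_of):
    """Per writer, the set of distinct targets split into 'child' (the writer is
    the target's parent, as when a parent sets up a process it just created) and
    'cross' (any other process, the injection signal). Sets absorb the repeats."""
    per_writer = defaultdict(lambda: {"child": set(), "cross": set()})
    for w in writes:
        kind = "child" if parent_of.get(w.dst) == w.src else "cross"
        per_writer[(w.src, w.src_name)][kind].add((w.dst, w.dst_name))
    return dict(per_writer)


def injection_suspects(per_writer, min_targets=3):
    """Writers with at least min_targets distinct cross-process targets, most prolific first."""
    ranked = [(writer, sorted(b["cross"])) for writer, b in per_writer.items()
              if len(b["cross"]) >= min_targets]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    graph = classify_writes(parse_writes(WRITE_LINES), PARENT_OF)
    for (pid, name), targets in injection_suspects(graph):
        print(f"{name} (PID {pid}) wrote into {len(targets)} unrelated processes:")
        for dst, dst_name in targets:
            print(f"  {dst_name} (PID {dst})")
```

With the report's data both rundll32.exe instances come out clean (only child writes), while e5752b4.exe and e577995.exe are ranked as injectors; the same two PIDs are the ones that write the registry changes in the other signatures, which is the correlation an analyst wants before deciding which process is the real payload.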
- System policy modification (1 TTPs, 2 IoCs)
  Both e5752b4.exe and e577995.exe set:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
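The registry writes in the firewall-policy, UAC, Security Center and system-policy signatures above are this sample's defence-evasion footprint, and most of them are worth a detection rule of their own. As an added example (not sandbox output), the script below parses IoC lines in the report's format, matches them against a small rule table of defence-weakening values, and keeps aside the writes it cannot judge rather than silently dropping them: DoNotAllowExceptions = "0" leaves firewall exceptions allowed, which is the profile's default, and the Svc key creation carries no data. The input lines are copied from the report; the rule table and its impact descriptions are my annotations.

```python
"""Flag defence-weakening registry writes in Triage-style IoC lines.

Added example for this report, not part of the sandbox output. Input lines are
copied from the report's Signatures section; the rule table is this script's
own annotation of what each value does.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# IoC lines copied from the report (a subset covering each key family).
REPORT_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e5752b4.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e5752b4.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5752b4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5752b4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5752b4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e5752b4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5752b4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e5752b4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577995.exe
"""

# '<op> <path>[ = "<data>"] <process>'; the path may contain spaces ("Security Center"),
# so it is matched lazily and the process is the last whitespace-free token.
IOC_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created) '
    r'(?P<path>.+?)'
    r'(?: = "(?P<data>[^"]*)")? '
    r'(?P<process>\S+)$'
)

# (key suffix, value name, data that weakens the host, effect). Matched case-insensitively.
WEAKENING_RULES = [
    (r"\FirewallPolicy\StandardProfile", "EnableFirewall", "0",
     "Windows Firewall switched off for the standard profile"),
    (r"\FirewallPolicy\StandardProfile", "DisableNotifications", "1",
     "firewall notifications suppressed"),
    (r"\Policies\System", "EnableLUA", "0",
     "UAC disabled (effective after the next reboot)"),
    (r"\Security Center", "AntiVirusOverride", "1",
     "Security Center told to ignore antivirus status"),
    (r"\Security Center", "FirewallOverride", "1",
     "Security Center told to ignore firewall status"),
    (r"\Security Center", "AntiVirusDisableNotify", "1",
     "Security Center antivirus warnings silenced"),
    (r"\Security Center", "FirewallDisableNotify", "1",
     "Security Center firewall warnings silenced"),
    (r"\Security Center", "UpdatesDisableNotify", "1",
     "Security Center update warnings silenced"),
    (r"\Security Center", "UacDisableNotify", "1",
     "Security Center UAC warnings silenced"),
]


@dataclass(frozen=True)
class RegistryIoc:
    op: str                 # "Set value" or "Key created"
    key: str                # registry key path
    name: Optional[str]     # value name (None for key creation)
    data: Optional[str]     # value data as printed by the sandbox
    process: str            # process that performed the write


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    name: str
    data: str
    impact: str


def parse_registry_iocs(text: str) -> list[RegistryIoc]:
    """One RegistryIoc per line; unknown line shapes raise instead of being skipped."""
    iocs = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        if m["op"].startswith("Set value"):
            key, name = m["path"].rsplit("\\", 1)
            iocs.append(RegistryIoc("Set value", key, name, m["data"], m["process"]))
        else:
            iocs.append(RegistryIoc("Key created", m["path"], None, None, m["process"]))
    return iocs


def evaluate(iocs):
    """Split IoCs into rule hits (Finding) and everything the rule table does not cover."""
    findings, unmatched = [], []
    for ioc in iocs:
        hit = None
        if ioc.op == "Set value":
            for suffix, name, bad, impact in WEAKENING_RULES:
                if (ioc.key.lower().endswith(suffix.lower())
                        and ioc.name.lower() == name.lower()
                        and ioc.data == bad):
                    hit = Finding(ioc.process, ioc.key, ioc.name, ioc.data, impact)
                    break
        (findings if hit else unmatched).append(hit or ioc)
    return findings, unmatched


def impacts_by_process(findings):
    """Map process name -> list of impact strings, in report order."""
    out = {}
    for f in findings:
        out.setdefault(f.process, []).append(f.impact)
    return out


if __name__ == "__main__":
    findings, unmatched = evaluate(parse_registry_iocs(REPORT_LINES))
    for proc, impacts in impacts_by_process(findings).items():
        print(f"{proc}:")
        for impact in impacts:
            print(f"  - {impact}")
    for ioc in unmatched:
        print(f"not covered by the rule table, review by hand: {ioc}")
```

Matching on a key suffix rather than the full path is deliberate: the same values appear under ControlSet001 or CurrentControlSet and, on a 64-bit host, under WOW6432Node or the native SOFTWARE hive, and a rule keyed on the exact path from one sandbox run would miss the others.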
Processes
- C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  cmdline: "dwm.exe"
- C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299.dll,#1
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5752b4.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e5752b4.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e575469.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e575469.exe
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e577995.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\e577995.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e5752b4.exe
  Filesize: 97KB
  MD5: 0868f90eca2af1776005dc0e60ab3f51
  SHA1: 3eb3f0a291e8b905db63087429aa31f7b381732b
  SHA256: d012e4abb20435587cb4c63883b705b7533eeca7911d03583c673d63e3c740e7
  SHA512: 6d4a90884e24fb7c2af1cca18baac556633d7c4425e7276439f714bd113a4edd9a9376d4bfb245f83ae887da716d497fe80160a453cfeeb9092db5bf61f8de69
- C:\Windows\SYSTEM.INI
  Filesize: 256B
  MD5: 9ecb7820e05fe7f10a2f1bb83c5bdc86
  SHA1: 9020b8cd06bf3d3430aa9ced71dd3b5bda30a1aa
  SHA256: 54050cb562ffbc093687c1636c491e20f78e60cd72bc4d372337f30f1315dde9
  SHA512: f3ad61104265d5f757ba326c9f75e42c5774b4f94eed3ccc1e5950c1c8b242e18d2ec7e033f6e02eca8fdf1f68b78f7d1b7c9a91f9abbb671729a0cc7e8ff5f9
- memory/1488-43-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-76-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-14-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-11-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-15-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-29-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-4-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
- memory/1488-32-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-33-0x00000000004B0000-0x00000000004B2000-memory.dmp  Filesize: 8KB
- memory/1488-12-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-19-0x00000000004C0000-0x00000000004C1000-memory.dmp  Filesize: 4KB
- memory/1488-31-0x00000000004B0000-0x00000000004B2000-memory.dmp  Filesize: 8KB
- memory/1488-9-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-10-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-95-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
- memory/1488-85-0x00000000004B0000-0x00000000004B2000-memory.dmp  Filesize: 8KB
- memory/1488-77-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-63-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-6-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-37-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-38-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-39-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-41-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-40-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-74-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-30-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-72-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-71-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-70-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-69-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-66-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-65-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-60-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/1488-61-0x00000000007A0000-0x000000000185A000-memory.dmp  Filesize: 16.7MB
- memory/2052-36-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
- memory/2052-99-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
- memory/2052-53-0x00000000001F0000-0x00000000001F1000-memory.dmp  Filesize: 4KB
- memory/2052-56-0x00000000001E0000-0x00000000001E2000-memory.dmp  Filesize: 8KB
- memory/2052-58-0x00000000001E0000-0x00000000001E2000-memory.dmp  Filesize: 8KB
- memory/2812-111-0x0000000000B40000-0x0000000001BFA000-memory.dmp  Filesize: 16.7MB
- memory/2812-147-0x0000000000B40000-0x0000000001BFA000-memory.dmp  Filesize: 16.7MB
- memory/2812-55-0x00000000001F0000-0x00000000001F1000-memory.dmp  Filesize: 4KB
- memory/2812-57-0x00000000001E0000-0x00000000001E2000-memory.dmp  Filesize: 8KB
- memory/2812-51-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
- memory/2812-59-0x00000000001E0000-0x00000000001E2000-memory.dmp  Filesize: 8KB
- memory/2812-148-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize: 72KB
- memory/4516-16-0x00000000015B0000-0x00000000015B2000-memory.dmp  Filesize: 8KB
- memory/4516-20-0x00000000015B0000-0x00000000015B2000-memory.dmp  Filesize: 8KB
- memory/4516-27-0x00000000015B0000-0x00000000015B2000-memory.dmp  Filesize: 8KB
- memory/4516-28-0x0000000004990000-0x0000000004991000-memory.dmp  Filesize: 4KB
- memory/4516-1-0x0000000010000000-0x0000000010020000-memory.dmp  Filesize: 128KB