Analysis
-
max time kernel
148s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
d43c86d213f307f16cb5e4afbaa1e07a9be28b9ed9928c2b138451d8fbb633b2.dll
Resource
win7-20240215-en
General
-
Target
d43c86d213f307f16cb5e4afbaa1e07a9be28b9ed9928c2b138451d8fbb633b2.dll
-
Size
120KB
-
MD5
ffe35c6d119e92cd68c23822c9946719
-
SHA1
af96c01b71939b730098ad56f1d577ec7cead147
-
SHA256
d43c86d213f307f16cb5e4afbaa1e07a9be28b9ed9928c2b138451d8fbb633b2
-
SHA512
b51be176bda92f54000680b162352f5e98015012c93b97aa8d575ecb6081eea0ed25a04ffd7af18dbf7e899755f586f55f4da6fc9e1a71a81c21184f96a5890f
-
SSDEEP
1536:zAjzcxM7bx9s2CBO/hLQkd4rI3o2qtxXEs0jWs8YC+NSE8jsgcjr57dVYg:zk57bx22CBOVQYEITGCwYpSE8jqjr9d
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57544a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57544a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e578220.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e578220.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e578220.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e578220.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e578220.exe -
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 28 IoCs
resource yara_rule behavioral2/memory/2012-6-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-12-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-10-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-8-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-9-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-18-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-19-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-27-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-35-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-11-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-34-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-36-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-37-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-38-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-39-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-40-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-46-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-55-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-56-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-57-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-60-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-62-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-63-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-66-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-68-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/2012-69-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/5064-109-0x0000000000740000-0x00000000017FA000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/5064-145-0x0000000000740000-0x00000000017FA000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine -
UPX dump on OEP (original entry point) 33 IoCs
resource yara_rule behavioral2/memory/2012-6-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-12-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-10-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-8-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-9-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-18-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-19-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-27-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/368-33-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/2012-35-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-11-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-34-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-36-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-37-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-38-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-39-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-40-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/5064-54-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/2012-46-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-55-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-56-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-57-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-60-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-62-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-63-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-66-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-68-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-69-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/2012-88-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/368-92-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/5064-109-0x0000000000740000-0x00000000017FA000-memory.dmp UPX behavioral2/memory/5064-145-0x0000000000740000-0x00000000017FA000-memory.dmp UPX behavioral2/memory/5064-146-0x0000000000400000-0x0000000000412000-memory.dmp UPX -
Executes dropped EXE 3 IoCs
pid Process 2012 e57544a.exe 368 e5755b1.exe 5064 e578220.exe -
resource yara_rule behavioral2/memory/2012-6-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-12-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-10-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-8-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-9-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-18-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-19-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-27-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-35-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-11-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-34-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-36-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-37-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-38-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-39-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-40-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-46-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-55-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-56-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-57-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-60-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-62-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-63-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-66-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-68-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/2012-69-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/5064-109-0x0000000000740000-0x00000000017FA000-memory.dmp upx behavioral2/memory/5064-145-0x0000000000740000-0x00000000017FA000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e578220.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57544a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e578220.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e578220.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57544a.exe -
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: e57544a.exe File opened (read-only) \??\N: e57544a.exe File opened (read-only) \??\G: e578220.exe File opened (read-only) \??\H: e578220.exe File opened (read-only) \??\I: e578220.exe File opened (read-only) \??\J: e57544a.exe File opened (read-only) \??\L: e57544a.exe File opened (read-only) \??\E: e57544a.exe File opened (read-only) \??\I: e57544a.exe File opened (read-only) \??\M: e57544a.exe File opened (read-only) \??\J: e578220.exe File opened (read-only) \??\H: e57544a.exe File opened (read-only) \??\E: e578220.exe File opened (read-only) \??\G: e57544a.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI e57544a.exe File created C:\Windows\e57a96f e578220.exe File created C:\Windows\e5754a8 e57544a.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2012 e57544a.exe 2012 e57544a.exe 2012 e57544a.exe 2012 e57544a.exe 5064 e578220.exe 5064 e578220.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe Token: SeDebugPrivilege 2012 e57544a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3620 wrote to memory of 1856 3620 rundll32.exe 84 PID 3620 wrote to memory of 1856 3620 rundll32.exe 84 PID 3620 wrote to memory of 1856 3620 rundll32.exe 84 PID 1856 wrote to memory of 2012 1856 rundll32.exe 85 PID 1856 wrote to memory of 2012 1856 rundll32.exe 85 PID 1856 wrote to memory of 2012 1856 rundll32.exe 85 PID 2012 wrote to memory of 784 2012 e57544a.exe 9 PID 2012 wrote to memory of 792 2012 e57544a.exe 10 PID 2012 wrote to memory of 1012 2012 e57544a.exe 13 PID 2012 wrote to memory of 2500 2012 e57544a.exe 42 PID 2012 wrote to memory of 2528 2012 e57544a.exe 43 PID 2012 wrote to memory of 2716 2012 e57544a.exe 46 PID 2012 wrote to memory of 3480 2012 e57544a.exe 56 PID 2012 wrote to memory of 3656 2012 e57544a.exe 57 PID 2012 wrote to memory of 3848 2012 e57544a.exe 58 PID 2012 wrote to memory of 3968 2012 e57544a.exe 59 PID 2012 wrote to memory of 4036 2012 e57544a.exe 60 PID 2012 wrote to memory of 1200 2012 e57544a.exe 61 PID 2012 wrote to memory of 4004 2012 e57544a.exe 62 PID 2012 wrote to memory of 404 2012 e57544a.exe 64 PID 2012 wrote to memory of 4576 2012 e57544a.exe 74 PID 2012 wrote to memory of 912 2012 e57544a.exe 81 PID 2012 wrote to memory of 3620 2012 e57544a.exe 82 PID 2012 wrote to memory of 3100 2012 e57544a.exe 83 PID 2012 wrote to memory of 1856 2012 e57544a.exe 84 PID 2012 wrote to memory of 1856 2012 e57544a.exe 84 PID 1856 wrote to memory of 368 1856 rundll32.exe 86 PID 1856 wrote to memory of 368 1856 rundll32.exe 86 PID 1856 wrote to memory of 368 1856 rundll32.exe 86 PID 2012 wrote to memory of 784 2012 e57544a.exe 9 PID 2012 wrote to memory of 792 2012 e57544a.exe 10 PID 2012 wrote to memory of 1012 2012 e57544a.exe 13 PID 2012 wrote to memory of 2500 2012 e57544a.exe 42 PID 2012 wrote to memory of 2528 2012 e57544a.exe 43 PID 2012 wrote to memory of 2716 2012 e57544a.exe 46 PID 2012 wrote to memory of 3480 2012 e57544a.exe 56 PID 2012 wrote to memory of 3656 2012 e57544a.exe 57 PID 2012 wrote to memory of 3848 2012 e57544a.exe 58 PID 2012 wrote to memory of 3968 2012 e57544a.exe 59 PID 2012 wrote to memory of 4036 2012 e57544a.exe 60 PID 2012 wrote to memory of 1200 2012 e57544a.exe 61 PID 2012 wrote to memory of 4004 2012 e57544a.exe 62 PID 2012 wrote to memory of 404 2012 e57544a.exe 64 PID 2012 wrote to memory of 4576 2012 e57544a.exe 74 PID 2012 wrote to memory of 912 2012 e57544a.exe 81 PID 2012 wrote to memory of 3620 2012 e57544a.exe 82 PID 2012 wrote to memory of 3100 2012 e57544a.exe 83 PID 2012 wrote to memory of 368 2012 e57544a.exe 86 PID 2012 wrote to memory of 368 2012 e57544a.exe 86 PID 2012 wrote to memory of 1576 2012 e57544a.exe 88 PID 2012 wrote to memory of 4616 2012 e57544a.exe 89 PID 1856 wrote to memory of 5064 1856 rundll32.exe 91 PID 1856 wrote to memory of 5064 1856 rundll32.exe 91 PID 1856 wrote to memory of 5064 1856 rundll32.exe 91 PID 5064 wrote to memory of 784 5064 e578220.exe 9 PID 5064 wrote to memory of 792 5064 e578220.exe 10 PID 5064 wrote to memory of 1012 5064 e578220.exe 13 PID 5064 wrote to memory of 2500 5064 e578220.exe 42 PID 5064 wrote to memory of 2528 5064 e578220.exe 43 PID 5064 wrote to memory of 2716 5064 e578220.exe 46 PID 5064 wrote to memory of 3480 5064 e578220.exe 56 PID 5064 wrote to memory of 3656 5064 e578220.exe 57 PID 5064 wrote to memory of 3848 5064 e578220.exe 58 PID 5064 wrote to memory of 3968 5064 e578220.exe 59 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57544a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e578220.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1012
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2500
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2528
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2716
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3480
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d43c86d213f307f16cb5e4afbaa1e07a9be28b9ed9928c2b138451d8fbb633b2.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d43c86d213f307f16cb5e4afbaa1e07a9be28b9ed9928c2b138451d8fbb633b2.dll,#13⤵
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Users\Admin\AppData\Local\Temp\e57544a.exeC:\Users\Admin\AppData\Local\Temp\e57544a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2012
-
-
C:\Users\Admin\AppData\Local\Temp\e5755b1.exeC:\Users\Admin\AppData\Local\Temp\e5755b1.exe4⤵
- Executes dropped EXE
PID:368
-
-
C:\Users\Admin\AppData\Local\Temp\e578220.exeC:\Users\Admin\AppData\Local\Temp\e578220.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5064
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3656
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3848
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3968
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4036
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1200
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4004
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:404
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4576
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:912
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3100
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1576
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4616
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD58356dedd10e9fa71584c068b821a7dfb
SHA1ca50b8f1be014d09b1b6dc3241007214d4874c1b
SHA25698c5d8445d92cd54871f68156a980666cc70fff9ec333d82e8aa037a68437afd
SHA512bb74e5e3de29b555a40cbf2befc06a49e6b4583c3ba2a8e27ec4d0f384a76a92a7ee83b3939fef9bbc00c0b81b08f11ae697a3a82a403cac146ced2deba41831
-
Filesize
257B
MD54e6ecfcf65248f19423d6edd0868b075
SHA1ad0017c5268a02872c833cbd0472cd102e72e2a5
SHA25645b9e09053274425a7923a8543f71e8aad0f5f1e4d53d67c957f0c2d66819738
SHA512c5a85a106db943bf0b441eb669327b1c68f0085ca3d2be3f580425f7a593e723baff19c0a25b731ab757c24c5dfaad87c1f84a838c343a6242a07fa6a2a24288