Analysis
max time kernel: 130s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 01:34
Static task: static1
Behavioral task: behavioral1
Sample: 7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b.dll
Resource: win7-20231129-en
General
Target: 7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b.dll
Size: 120KB
MD5: 423ebc006b6fcd8ec3b6a1fe5a167618
SHA1: 29e7e3dbdebf3f23a6cc2c7ff29c7677e8d2a6ec
SHA256: 7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b
SHA512: 9af7eb5354967a7e4aeb7ce2f89c5670ef1be06f52a50c46474abf0fed6e3a5a0b332bd88e5973b6a7c30c7311bcfb2ba3a90ccfb14250e13431646200f5334f
SSDEEP: 3072:Qh26F5ZpdPl0r4KDylytxN9UyIBI/RR0+ITIIL46TG:j6FPlW6yH/JITIIL46TG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57320c.exe
UAC bypass 2 IoCs (heading reconstructed from the process tree)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57320c.exe
Windows security bypass 12 IoCs (heading reconstructed from the process tree)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572fe9.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 35 IoCs
UPX dump on OEP (original entry point) 39 IoCs
Executes dropped EXE 3 IoCs
pid | process
4056 | e572fe9.exe
1016 | e57320c.exe
5448 | e574b9f.exe
Windows security modification 14 IoCs (heading reconstructed from the process tree)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57320c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57320c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57320c.exe
Checks whether UAC is enabled 2 IoCs (heading reconstructed from the process tree)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57320c.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\T: | e572fe9.exe
File opened (read-only) | \??\G: | e572fe9.exe
File opened (read-only) | \??\K: | e572fe9.exe
File opened (read-only) | \??\M: | e572fe9.exe
File opened (read-only) | \??\J: | e572fe9.exe
File opened (read-only) | \??\N: | e572fe9.exe
File opened (read-only) | \??\O: | e572fe9.exe
File opened (read-only) | \??\P: | e572fe9.exe
File opened (read-only) | \??\S: | e572fe9.exe
File opened (read-only) | \??\H: | e572fe9.exe
File opened (read-only) | \??\I: | e572fe9.exe
File opened (read-only) | \??\L: | e572fe9.exe
File opened (read-only) | \??\E: | e572fe9.exe
File opened (read-only) | \??\Q: | e572fe9.exe
File opened (read-only) | \??\R: | e572fe9.exe
Drops file in Program Files directory 4 IoCs
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e572fe9.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e572fe9.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e572fe9.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e572fe9.exe
Drops file in Windows directory 3 IoCs
description | ioc | process
File created | C:\Windows\e573047 | e572fe9.exe
File opened for modification | C:\Windows\SYSTEM.INI | e572fe9.exe
File created | C:\Windows\e5780b9 | e57320c.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | process
4056 | e572fe9.exe
4056 | e572fe9.exe
4056 | e572fe9.exe
4056 | e572fe9.exe
1016 | e57320c.exe
1016 | e57320c.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | process
Token: SeDebugPrivilege | 4056 | e572fe9.exe (this identical row is repeated 64 times in the report)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid process | target process
PID 4456 wrote to memory of 2072 | 4456 rundll32.exe | rundll32.exe
PID 4456 wrote to memory of 2072 | 4456 rundll32.exe | rundll32.exe
PID 4456 wrote to memory of 2072 | 4456 rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 4056 | 2072 rundll32.exe | e572fe9.exe
PID 2072 wrote to memory of 4056 | 2072 rundll32.exe | e572fe9.exe
PID 2072 wrote to memory of 4056 | 2072 rundll32.exe | e572fe9.exe
PID 4056 wrote to memory of 764 | 4056 e572fe9.exe | fontdrvhost.exe
PID 4056 wrote to memory of 772 | 4056 e572fe9.exe | fontdrvhost.exe
PID 4056 wrote to memory of 380 | 4056 e572fe9.exe | dwm.exe
PID 4056 wrote to memory of 2668 | 4056 e572fe9.exe | sihost.exe
PID 4056 wrote to memory of 2704 | 4056 e572fe9.exe | svchost.exe
PID 4056 wrote to memory of 2776 | 4056 e572fe9.exe | taskhostw.exe
PID 4056 wrote to memory of 3500 | 4056 e572fe9.exe | Explorer.EXE
PID 4056 wrote to memory of 3708 | 4056 e572fe9.exe | svchost.exe
PID 4056 wrote to memory of 3892 | 4056 e572fe9.exe | DllHost.exe
PID 4056 wrote to memory of 3984 | 4056 e572fe9.exe | StartMenuExperienceHost.exe
PID 4056 wrote to memory of 4060 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 680 | 4056 e572fe9.exe | SearchApp.exe
PID 4056 wrote to memory of 4112 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 4036 | 4056 e572fe9.exe | TextInputHost.exe
PID 4056 wrote to memory of 2044 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 744 | 4056 e572fe9.exe | backgroundTaskHost.exe
PID 4056 wrote to memory of 4160 | 4056 e572fe9.exe | backgroundTaskHost.exe
PID 4056 wrote to memory of 4456 | 4056 e572fe9.exe | rundll32.exe
PID 4056 wrote to memory of 2072 | 4056 e572fe9.exe | rundll32.exe
PID 4056 wrote to memory of 2072 | 4056 e572fe9.exe | rundll32.exe
PID 2072 wrote to memory of 1016 | 2072 rundll32.exe | e57320c.exe
PID 2072 wrote to memory of 1016 | 2072 rundll32.exe | e57320c.exe
PID 2072 wrote to memory of 1016 | 2072 rundll32.exe | e57320c.exe
PID 2072 wrote to memory of 5448 | 2072 rundll32.exe | e574b9f.exe
PID 2072 wrote to memory of 5448 | 2072 rundll32.exe | e574b9f.exe
PID 2072 wrote to memory of 5448 | 2072 rundll32.exe | e574b9f.exe
PID 4056 wrote to memory of 764 | 4056 e572fe9.exe | fontdrvhost.exe
PID 4056 wrote to memory of 772 | 4056 e572fe9.exe | fontdrvhost.exe
PID 4056 wrote to memory of 380 | 4056 e572fe9.exe | dwm.exe
PID 4056 wrote to memory of 2668 | 4056 e572fe9.exe | sihost.exe
PID 4056 wrote to memory of 2704 | 4056 e572fe9.exe | svchost.exe
PID 4056 wrote to memory of 2776 | 4056 e572fe9.exe | taskhostw.exe
PID 4056 wrote to memory of 3500 | 4056 e572fe9.exe | Explorer.EXE
PID 4056 wrote to memory of 3708 | 4056 e572fe9.exe | svchost.exe
PID 4056 wrote to memory of 3892 | 4056 e572fe9.exe | DllHost.exe
PID 4056 wrote to memory of 3984 | 4056 e572fe9.exe | StartMenuExperienceHost.exe
PID 4056 wrote to memory of 4060 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 680 | 4056 e572fe9.exe | SearchApp.exe
PID 4056 wrote to memory of 4112 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 4036 | 4056 e572fe9.exe | TextInputHost.exe
PID 4056 wrote to memory of 2044 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 744 | 4056 e572fe9.exe | backgroundTaskHost.exe
PID 4056 wrote to memory of 1016 | 4056 e572fe9.exe | e57320c.exe
PID 4056 wrote to memory of 1016 | 4056 e572fe9.exe | e57320c.exe
PID 4056 wrote to memory of 5424 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 4004 | 4056 e572fe9.exe | RuntimeBroker.exe
PID 4056 wrote to memory of 5448 | 4056 e572fe9.exe | e574b9f.exe
PID 4056 wrote to memory of 5448 | 4056 e572fe9.exe | e574b9f.exe
PID 1016 wrote to memory of 764 | 1016 e57320c.exe | fontdrvhost.exe
PID 1016 wrote to memory of 772 | 1016 e57320c.exe | fontdrvhost.exe
PID 1016 wrote to memory of 380 | 1016 e57320c.exe | dwm.exe
PID 1016 wrote to memory of 2668 | 1016 e57320c.exe | sihost.exe
PID 1016 wrote to memory of 2704 | 1016 e57320c.exe | svchost.exe
PID 1016 wrote to memory of 2776 | 1016 e57320c.exe | taskhostw.exe
PID 1016 wrote to memory of 3500 | 1016 e57320c.exe | Explorer.EXE
PID 1016 wrote to memory of 3708 | 1016 e57320c.exe | svchost.exe
PID 1016 wrote to memory of 3892 | 1016 e57320c.exe | DllHost.exe
PID 1016 wrote to memory of 3984 | 1016 e57320c.exe | StartMenuExperienceHost.exe
System policy modification 1 TTPs 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e572fe9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57320c.exe
Processes
(process tree; indentation shows parent/child depth, signatures listed under the process that triggered them)
C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe")
C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe")
C:\Windows\system32\dwm.exe (cmdline: "dwm.exe")
C:\Windows\system32\sihost.exe (cmdline: sihost.exe)
C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
C:\Windows\system32\taskhostw.exe (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE)
  C:\Windows\system32\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b.dll,#1)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b.dll,#1)
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e572fe9.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\e572fe9.exe)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57320c.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\e57320c.exe)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e574b9f.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\e574b9f.exe)
        - Executes dropped EXE
C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
C:\Windows\system32\backgroundTaskHost.exe (cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca)
C:\Windows\system32\backgroundTaskHost.exe (cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
Create or Modify System Process: 1
  Windows Service: 1
Abuse Elevation Control Mechanism: 1
  Bypass User Account Control: 1
Defense Evasion
Modify Registry: 5
Abuse Elevation Control Mechanism: 1
  Bypass User Account Control: 1
Impair Defenses: 3
  Disable or Modify Tools: 3
Downloads
C:\Users\Admin\AppData\Local\Temp\e572fe9.exe
Filesize: 97KB
MD5: 6d157d3f29f89e01b8ebc4e807d62fe3
SHA1: 586f4133526571093752da546591ad3ad3549c14
SHA256: e9bb058b32ffd69c92eed95c89f0fa9cb87c962df8932bfd858942b3f50a673b
SHA512: 4185cccbe7d7c170b273aa3c3b69beebfd083d0cf1a6c402bebf5d714cc18a053d8deeb2f2ac091bbc1adcd70f51c869e0c54ff37f8ee925403870992c91aea0

C:\Windows\SYSTEM.INI
Filesize: 257B
MD5: 9738de99cbde1b53e9524d5a1512d86e
SHA1: 167059080f9911648a04558708b2bb973dddea4a
SHA256: 0aaebd66926f8c877d2fb6ab2c697ee968c025fb6f5c19561c4f839b44f13275
SHA512: 92d5538fe5d31ca2a03f74cd5d27b42a95f3fda093f4d6f9c723d4e877f8c076ed7634dd54a583473ded5547ef4532126c49ab2a77c3d5f867cc1c0e9e7df1cf