Analysis
max time kernel: 143s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 05:25
Static task: static1
Behavioral task: behavioral1
Sample: fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486.dll
Resource: win7-20231129-en
General
Target: fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486.dll
Size: 120KB
MD5: acab380414bf5d74b689cf9f6923f518
SHA1: 207b5953dbfa696a3d887d1523c302a060eed848
SHA256: fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486
SHA512: 40481bfe647131feb647b423d328ca6445a48195a935ba65e80dd48a3401821923003a485ddaa321cd8ac3c692f0ddccbaef179a29ffdc94e6f04a4b0d44641a
SSDEEP: 1536:TP5I1kkXSUS4Ojou4n+OTCtaP0qGQItjeZmzmtKMqT7VW0PJqI2o0Wlwjsx8bvz/:TP52JGB7aP/Itavt2dWSJRr0dwiL/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e6b6.exe
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e6b6.exe
Windows security bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e6b6.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (24 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3808-6-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-8-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-10-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-24-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-11-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-9-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-29-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-31-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-32-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-33-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-34-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-36-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-35-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-37-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-38-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-56-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-57-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-59-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-60-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-62-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-64-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-65-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-69-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-70-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
UPX dump on OEP (original entry point) (26 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3808-6-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-8-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-10-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-24-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-11-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-9-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-29-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-31-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-32-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-33-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-34-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-36-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-35-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-37-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-38-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-56-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-57-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-59-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-60-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-62-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-64-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-65-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-69-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-70-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3808-88-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral2/memory/4908-92-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
Executes dropped EXE (3 IoCs)
Processes:
pid | process
3808 | e57e6b6.exe
4908 | e57e82d.exe
4972 | e581085.exe
Processes:
resource | yara_rule
behavioral2/memory/3808-6-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-8-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-10-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-24-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-11-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-9-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-29-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-31-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-32-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-33-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-34-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-36-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-35-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-37-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-38-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-56-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-57-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-59-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-60-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-62-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-64-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-65-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-69-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3808-70-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e6b6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e6b6.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e6b6.exe
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\H: | e57e6b6.exe
File opened (read-only) | \??\I: | e57e6b6.exe
File opened (read-only) | \??\J: | e57e6b6.exe
File opened (read-only) | \??\L: | e57e6b6.exe
File opened (read-only) | \??\E: | e57e6b6.exe
File opened (read-only) | \??\K: | e57e6b6.exe
File opened (read-only) | \??\M: | e57e6b6.exe
File opened (read-only) | \??\N: | e57e6b6.exe
File opened (read-only) | \??\G: | e57e6b6.exe
Drops file in Program Files directory (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57e6b6.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57e6b6.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57e6b6.exe
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\e57e753 | e57e6b6.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57e6b6.exe
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
4188 | 4972 | WerFault.exe | e581085.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
3808 | e57e6b6.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3808 | e57e6b6.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2868 wrote to memory of 3972 | 2868 | rundll32.exe | rundll32.exe (3 identical entries)
PID 3972 wrote to memory of 3808 | 3972 | rundll32.exe | e57e6b6.exe (3 identical entries)
PID 3808 wrote to memory of 780 | 3808 | e57e6b6.exe | fontdrvhost.exe
PID 3808 wrote to memory of 788 | 3808 | e57e6b6.exe | fontdrvhost.exe
PID 3808 wrote to memory of 316 | 3808 | e57e6b6.exe | dwm.exe
PID 3808 wrote to memory of 2532 | 3808 | e57e6b6.exe | sihost.exe
PID 3808 wrote to memory of 2564 | 3808 | e57e6b6.exe | svchost.exe
PID 3808 wrote to memory of 2812 | 3808 | e57e6b6.exe | taskhostw.exe
PID 3808 wrote to memory of 3448 | 3808 | e57e6b6.exe | Explorer.EXE
PID 3808 wrote to memory of 3576 | 3808 | e57e6b6.exe | svchost.exe
PID 3808 wrote to memory of 3744 | 3808 | e57e6b6.exe | DllHost.exe
PID 3808 wrote to memory of 3840 | 3808 | e57e6b6.exe | StartMenuExperienceHost.exe
PID 3808 wrote to memory of 3908 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 3992 | 3808 | e57e6b6.exe | SearchApp.exe
PID 3808 wrote to memory of 432 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 2456 | 3808 | e57e6b6.exe | TextInputHost.exe
PID 3808 wrote to memory of 4396 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 4468 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 3352 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 2392 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 3208 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 2920 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 3144 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 3520 | 3808 | e57e6b6.exe | backgroundTaskHost.exe
PID 3808 wrote to memory of 3360 | 3808 | e57e6b6.exe | backgroundTaskHost.exe
PID 3808 wrote to memory of 2868 | 3808 | e57e6b6.exe | rundll32.exe
PID 3808 wrote to memory of 3972 | 3808 | e57e6b6.exe | rundll32.exe (2 identical entries)
PID 3972 wrote to memory of 4908 | 3972 | rundll32.exe | e57e82d.exe (3 identical entries)
PID 3972 wrote to memory of 4972 | 3972 | rundll32.exe | e581085.exe (3 identical entries)
PID 3808 wrote to memory of 780 | 3808 | e57e6b6.exe | fontdrvhost.exe
PID 3808 wrote to memory of 788 | 3808 | e57e6b6.exe | fontdrvhost.exe
PID 3808 wrote to memory of 316 | 3808 | e57e6b6.exe | dwm.exe
PID 3808 wrote to memory of 2532 | 3808 | e57e6b6.exe | sihost.exe
PID 3808 wrote to memory of 2564 | 3808 | e57e6b6.exe | svchost.exe
PID 3808 wrote to memory of 2812 | 3808 | e57e6b6.exe | taskhostw.exe
PID 3808 wrote to memory of 3448 | 3808 | e57e6b6.exe | Explorer.EXE
PID 3808 wrote to memory of 3576 | 3808 | e57e6b6.exe | svchost.exe
PID 3808 wrote to memory of 3744 | 3808 | e57e6b6.exe | DllHost.exe
PID 3808 wrote to memory of 3840 | 3808 | e57e6b6.exe | StartMenuExperienceHost.exe
PID 3808 wrote to memory of 3908 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 3992 | 3808 | e57e6b6.exe | SearchApp.exe
PID 3808 wrote to memory of 432 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 2456 | 3808 | e57e6b6.exe | TextInputHost.exe
PID 3808 wrote to memory of 4396 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 4468 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 3352 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 2392 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 3208 | 3808 | e57e6b6.exe | msedge.exe
PID 3808 wrote to memory of 2920 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 3144 | 3808 | e57e6b6.exe | RuntimeBroker.exe
PID 3808 wrote to memory of 3520 | 3808 | e57e6b6.exe | backgroundTaskHost.exe
PID 3808 wrote to memory of 3360 | 3808 | e57e6b6.exe | backgroundTaskHost.exe
PID 3808 wrote to memory of 2868 | 3808 | e57e6b6.exe | rundll32.exe
PID 3808 wrote to memory of 4908 | 3808 | e57e6b6.exe | e57e82d.exe (2 identical entries)
System policy modification (1 TTP, 1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e6b6.exe
Processes
- C:\Windows\system32\fontdrvhost.exe (PID 780)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 788)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 316)
  command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2532)
  command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2564)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2812)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3448)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 2868)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 3972)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486.dll,#1
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57e6b6.exe (PID 3808)
        command line: C:\Users\Admin\AppData\Local\Temp\e57e6b6.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57e82d.exe (PID 4908)
        command line: C:\Users\Admin\AppData\Local\Temp\e57e82d.exe
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e581085.exe (PID 4972)
        command line: C:\Users\Admin\AppData\Local\Temp\e581085.exe
        signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe (PID 4188)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 84
          signatures: Program crash
- C:\Windows\system32\svchost.exe (PID 3576)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3744)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3840)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3908)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3992)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 432)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 2456)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4396)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4468)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffcb30dceb8,0x7ffcb30dcec4,0x7ffcb30dced0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3352)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2392)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3208)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2464,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2460)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1320,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
- C:\Windows\System32\RuntimeBroker.exe (PID 2920)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3144)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 3520)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 3360)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4512)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SysWOW64\WerFault.exe (PID 3544)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 4b102c7efb181e6fc185900d396d9f04
SHA1: 803b9e9cbccfe73d7c04bf463e08d66b9420b8c6
SHA256: d518af8f5b20b8555a31ab68f0f06be7c977bf9a4b08cc50b73227c6b0cbd38b
SHA512: 3a1e349f6a0554a4570516c33c86981b55e97b9c2d4d961f26e78542e97f05956225aa7d3d9c8a255f1432fd66eebe8b64bf3697aebe9b39bfcb5f7fbf578682