Analysis
- max time kernel: 149s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 03:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll
- Resource: win7-20240611-en
General
- Target: c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll
- Size: 120KB
- MD5: 1c9200bd3df601e374f8b51e2210155a
- SHA1: 274996d657d66f4920827c7afb30e19217176303
- SHA256: c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56
- SHA512: a74b54ed04d0981fe014af46de6fe9f24520fc54077a618fd6d1e638b7ee418e92c938c662d538ebc95d4b86baee97ff16f9d999ce1d9d6933213338bba1ce50
- SSDEEP: 3072:Ctni6LzJJ/mxAoY5k1pMfDTdZqQVkZU5/E:CRTt2AoYi1pQ5ZqQ
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57378b.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5758bf.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5758bf.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
UPX dump on OEP (original entry point) 34 IoCs
Executes dropped EXE 3 IoCs
pid | Process
2072 | e57378b.exe
1264 | e57395f.exe
3784 | e5758bf.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5758bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5758bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5758bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57378b.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5758bf.exe
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57378b.exe
File opened (read-only) | \??\G: | e5758bf.exe
File opened (read-only) | \??\H: | e5758bf.exe
File opened (read-only) | \??\E: | e57378b.exe
File opened (read-only) | \??\G: | e57378b.exe
File opened (read-only) | \??\J: | e57378b.exe
File opened (read-only) | \??\N: | e57378b.exe
File opened (read-only) | \??\E: | e5758bf.exe
File opened (read-only) | \??\I: | e57378b.exe
File opened (read-only) | \??\K: | e57378b.exe
File opened (read-only) | \??\M: | e57378b.exe
File opened (read-only) | \??\O: | e57378b.exe
File opened (read-only) | \??\L: | e57378b.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57378b.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57378b.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57378b.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5737f8 | e57378b.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57378b.exe
File created | C:\Windows\e5788e7 | e5758bf.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process (duplicate rows collapsed)
2072 | e57378b.exe
3784 | e5758bf.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (all 64 entries are identical)
Token: SeDebugPrivilege | 2072 | e57378b.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (duplicate rows collapsed)
PID 3104 wrote to memory of 624 | 3104 | rundll32.exe | 81
PID 624 wrote to memory of 2072 | 624 | rundll32.exe | 82
PID 2072 wrote to memory of 772 | 2072 | e57378b.exe | 8
PID 2072 wrote to memory of 780 | 2072 | e57378b.exe | 9
PID 2072 wrote to memory of 60 | 2072 | e57378b.exe | 13
PID 2072 wrote to memory of 2528 | 2072 | e57378b.exe | 42
PID 2072 wrote to memory of 2548 | 2072 | e57378b.exe | 43
PID 2072 wrote to memory of 2636 | 2072 | e57378b.exe | 44
PID 2072 wrote to memory of 3360 | 2072 | e57378b.exe | 55
PID 2072 wrote to memory of 3676 | 2072 | e57378b.exe | 57
PID 2072 wrote to memory of 3844 | 2072 | e57378b.exe | 58
PID 2072 wrote to memory of 3940 | 2072 | e57378b.exe | 59
PID 2072 wrote to memory of 4000 | 2072 | e57378b.exe | 60
PID 2072 wrote to memory of 1020 | 2072 | e57378b.exe | 61
PID 2072 wrote to memory of 3880 | 2072 | e57378b.exe | 62
PID 2072 wrote to memory of 4564 | 2072 | e57378b.exe | 64
PID 2072 wrote to memory of 4216 | 2072 | e57378b.exe | 74
PID 2072 wrote to memory of 5092 | 2072 | e57378b.exe | 78
PID 2072 wrote to memory of 2252 | 2072 | e57378b.exe | 79
PID 2072 wrote to memory of 3104 | 2072 | e57378b.exe | 80
PID 2072 wrote to memory of 624 | 2072 | e57378b.exe | 81
PID 624 wrote to memory of 1264 | 624 | rundll32.exe | 83
PID 624 wrote to memory of 3784 | 624 | rundll32.exe | 88
PID 2072 wrote to memory of 1264 | 2072 | e57378b.exe | 83
PID 2072 wrote to memory of 5036 | 2072 | e57378b.exe | 85
PID 2072 wrote to memory of 4612 | 2072 | e57378b.exe | 86
PID 2072 wrote to memory of 3784 | 2072 | e57378b.exe | 88
PID 2072 wrote to memory of 3344 | 2072 | e57378b.exe | 89
PID 3784 wrote to memory of 772 | 3784 | e5758bf.exe | 8
PID 3784 wrote to memory of 780 | 3784 | e5758bf.exe | 9
PID 3784 wrote to memory of 60 | 3784 | e5758bf.exe | 13
PID 3784 wrote to memory of 2528 | 3784 | e5758bf.exe | 42
PID 3784 wrote to memory of 2548 | 3784 | e5758bf.exe | 43
PID 3784 wrote to memory of 2636 | 3784 | e5758bf.exe | 44
PID 3784 wrote to memory of 3360 | 3784 | e5758bf.exe | 55
PID 3784 wrote to memory of 3676 | 3784 | e5758bf.exe | 57
PID 3784 wrote to memory of 3844 | 3784 | e5758bf.exe | 58
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57378b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5758bf.exe
Processes
PID 772   C:\Windows\system32\fontdrvhost.exe   command line: "fontdrvhost.exe"
PID 780   C:\Windows\system32\fontdrvhost.exe   command line: "fontdrvhost.exe"
PID 60   C:\Windows\system32\dwm.exe   command line: "dwm.exe"
PID 2528   C:\Windows\system32\sihost.exe   command line: sihost.exe
PID 2548   C:\Windows\system32\svchost.exe   command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2636   C:\Windows\system32\taskhostw.exe   command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3360   C:\Windows\Explorer.EXE   command line: C:\Windows\Explorer.EXE
  PID 3104   C:\Windows\system32\rundll32.exe   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll,#1
    - Suspicious use of WriteProcessMemory
    PID 624   C:\Windows\SysWOW64\rundll32.exe   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c20a928da031aba8f6b10f7cd62f86eb3f70e479cb37223dc8108eb5a24d7e56.dll,#1
      - Suspicious use of WriteProcessMemory
      PID 2072   C:\Users\Admin\AppData\Local\Temp\e57378b.exe   command line: C:\Users\Admin\AppData\Local\Temp\e57378b.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      PID 1264   C:\Users\Admin\AppData\Local\Temp\e57395f.exe   command line: C:\Users\Admin\AppData\Local\Temp\e57395f.exe
        - Executes dropped EXE
      PID 3784   C:\Users\Admin\AppData\Local\Temp\e5758bf.exe   command line: C:\Users\Admin\AppData\Local\Temp\e5758bf.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
PID 3676   C:\Windows\system32\svchost.exe   command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3844   C:\Windows\system32\DllHost.exe   command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3940   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4000   C:\Windows\System32\RuntimeBroker.exe   command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1020   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3880   C:\Windows\System32\RuntimeBroker.exe   command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4564   C:\Windows\System32\RuntimeBroker.exe   command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4216   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 5092   C:\Windows\system32\backgroundTaskHost.exe   command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 2252   C:\Windows\system32\backgroundTaskHost.exe   command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 5036   C:\Windows\System32\RuntimeBroker.exe   command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4612   C:\Windows\System32\RuntimeBroker.exe   command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3344   C:\Windows\system32\BackgroundTransferHost.exe   command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 91b209ae3f0359ed8c212721fe1eeab6
  SHA1: 3484d9ba2b828db836ddb16050a9d8f3da2f16d1
  SHA256: 8143d8a2c9eaa4ff0a087063c870299d5a80e3a3c205946bec9fcf3f20c1b2d6
  SHA512: 761b801ee9c6ae489e0106bb1489f119613fedfae6093ef7ed61cf0126fbb29903cd79a06b64bebec029c574ba08df9eeeaf4373446f88e97d7fafac51cfce30
- Filesize: 257B
  MD5: 19fe628fb4c274bdbb4637ff1b5ade2f
  SHA1: 3c5db1e7cbf3ddfcfcf55a379ed9431af96f2fb9
  SHA256: 7d7d806707452dd11e5114abbfaecc91d16104972e129ed750ba11acb093a389
  SHA512: f24aae21503beea42bc2d38febfe2eea496a3229db0f49309b01158a7eb028bf7e7765df515357d10d436f0d26d2076c16fdab15e476a3fb7814a82f08499b71