Analysis
- max time kernel: 42s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/06/2024, 01:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: b87593e859e3b4485dcaf6501f7c9bb8b4ee2e0bb178687c2aab13e574da58ee.dll
- Resource: win7-20240221-en
General
- Target: b87593e859e3b4485dcaf6501f7c9bb8b4ee2e0bb178687c2aab13e574da58ee.dll
- Size: 120KB
- MD5: c3c1e0336aa60561ac46a8ba7fed198f
- SHA1: ae00cd7d696d1793fc83a10d0e47c1be618828db
- SHA256: b87593e859e3b4485dcaf6501f7c9bb8b4ee2e0bb178687c2aab13e574da58ee
- SHA512: 3df257fb4976b2c7473684b7dc6074b9774933ed106b736340931a64f87e9202e61c53705442066f242aa1185d608ebe659c16a9f9bc32923983e6ebc01ff2b3
- SSDEEP: 1536:jrnrP/Sw4KR16cvkQGkn5fLCcSZd8wWIIGjFDegk8d6Rxcm9DboNNDyqELaluuO+:H+DKR71EcSZdzIunk8Wxd9nucelut
Malware Config
Extracted
- Family: sality
- C2 URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (2 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e5749bb.exe)
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e576561.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e576561.exe)
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (33 IoCs)
YARA rule INDICATOR_EXE_Packed_SimplePolyEngine matched memory dumps of PID 5044 (e5749bb.exe) and PID 2892 (e576561.exe).
UPX dump on OEP (original entry point) (38 IoCs)
YARA rule UPX matched memory dumps of PID 5044 (e5749bb.exe), PID 1232 (e574c5b.exe) and PID 2892 (e576561.exe).
Executes dropped EXE (3 IoCs)
- PID 5044: e5749bb.exe
- PID 1232: e574c5b.exe
- PID 2892: e576561.exe
Windows security modification
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5749bb.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e576561.exe)
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5749bb.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e576561.exe)
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- e5749bb.exe opened (read-only): \??\K:, \??\P:, \??\Q:, \??\S:, \??\H:, \??\J:, \??\M:, \??\E:, \??\G:, \??\L:, \??\O:, \??\R:, \??\I:, \??\N:
- e576561.exe opened (read-only): \??\E:
Drops file in Program Files directory (4 IoCs)
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e5749bb.exe)
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e5749bb.exe)
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe (e5749bb.exe)
- File opened for modification C:\Program Files\7-Zip\7z.exe (e5749bb.exe)
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\e574a09 (e5749bb.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e5749bb.exe)
- File created C:\Windows\e579d2a (e576561.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 5044 e5749bb.exe (4 entries)
- PID 2892 e576561.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 5044 e5749bb.exe (all 64 entries are this same adjustment)
Suspicious use of WriteProcessMemory (64 IoCs)
Writer PID (process) and the PIDs it wrote to; entries repeated in the report are listed once:
- PID 2824 (rundll32.exe) wrote to memory of PID 2248 (rundll32.exe)
- PID 2248 (rundll32.exe) wrote to memory of PIDs 5044 (e5749bb.exe), 1232 (e574c5b.exe), 2892 (e576561.exe)
- PID 5044 (e5749bb.exe) wrote to memory of PIDs 776, 784, 316, 2928, 2972, 2744, 3372, 3524, 3744, 3840, 3900, 3988, 4092, 3028, 2732, 3860, 2148, 2824, 2248, 1232, 4672, 2892
- PID 2892 (e576561.exe) wrote to memory of PIDs 776, 784, 316, 2928, 2972, 2744, 3372, 3524, 3744, 3840, 3900
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e576561.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5749bb.exe)
Processes
Process tree (path, command line, PID; nesting shows parent/child relationship):
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID:776
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID:784
- C:\Windows\system32\dwm.exe ("dwm.exe"), PID:316
- C:\Windows\system32\sihost.exe (sihost.exe), PID:2928
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc), PID:2972
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}), PID:2744
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID:3372
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\b87593e859e3b4485dcaf6501f7c9bb8b4ee2e0bb178687c2aab13e574da58ee.dll,#1), PID:2824
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\b87593e859e3b4485dcaf6501f7c9bb8b4ee2e0bb178687c2aab13e574da58ee.dll,#1), PID:2248
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5749bb.exe (C:\Users\Admin\AppData\Local\Temp\e5749bb.exe), PID:5044
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e574c5b.exe (C:\Users\Admin\AppData\Local\Temp\e574c5b.exe), PID:1232
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e576561.exe (C:\Users\Admin\AppData\Local\Temp\e576561.exe), PID:2892
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc), PID:3524
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID:3744
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca), PID:3840
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:3900
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca), PID:3988
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:4092
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca), PID:3028
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:2732
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:3860
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca), PID:2148
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:4672
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- File 1
  - Filesize: 97KB
  - MD5: 3a196cc7c82a247b50759758c8d8c977
  - SHA1: a4e908d85f89a021deccd278f72d13a4bb8d8b05
  - SHA256: f6893a4b04169cb00a633dc2f9730280958e0042a0a80818dbfa6708ab14ffa1
  - SHA512: 01542586a7d5588849bb07bdf705b3709fc87681b284ff3130859677cfcd5b9fff37b5b4394002f21bf257aab2d0432e0d93afea41bf7cd5cf6bffa77a0aed9b
- File 2
  - Filesize: 257B
  - MD5: 58b17a733c40f12c8bc6ae3f9c800861
  - SHA1: 8d227b480dcb0cbfe168461419603dcf6bcccbce
  - SHA256: 959ff7abeb1fa324509b3848b1b9281371b23f3007eaf36da93acb24e27afca6
  - SHA512: e61f41dbcd06634cdfaa9c35e8da28899e4754e95000939d62890a1ff874a47aaf9dd598651036d0ac0ee64dcc3ae245df07072dbbc41180ca065f9a8a777fdd