Analysis
- max time kernel: 52s
- max time network: 62s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-06-2024 19:55

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample 30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll, resource win7-20240611-en

Note that the signatures and memory dumps below are tagged behavioral2, and the process tree contains Windows 10 components (StartMenuExperienceHost.exe, SearchApp.exe, TextInputHost.exe), so the body of this report is the windows10-2004_x64 run listed under Analysis rather than the win7 task row.
General
- Target: 30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll
- Size: 120KB
- MD5: c57cc1c788cd19fbe0370452be81fc90
- SHA1: 056df98b108c420f0fb1465a64d98f1f2e10090d
- SHA256: 30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134
- SHA512: d9e81149aee6e191813393e9da59c6302fca109979991a0e8909c32dfe202b55ff63bfc0e171b2e268eb45ef2b0c971c1eee7d3a5ba67fda89a31a258b29da9d
- SSDEEP: 3072:+2/Jn/VnEW74W6qxqrgKPBBW7gsxGqoW3PCIt:+o1/BE3W6qQPUim/7t
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e5780c9.exe, e575294.exe
- e5780c9.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e5780c9.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e575294.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- e575294.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e575294.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e5780c9.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
UAC bypass (2 IoCs)
Processes: e5780c9.exe, e575294.exe
- e5780c9.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e575294.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass (12 IoCs)
Processes: e575294.exe, e5780c9.exe
Both processes set the following six values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center to "1" (Set value (int)):
- e575294.exe: FirewallDisableNotify, UpdatesDisableNotify, AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, UacDisableNotify
- e5780c9.exe: FirewallDisableNotify, UpdatesDisableNotify, UacDisableNotify, AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (26 IoCs)
YARA rule INDICATOR_EXE_Packed_SimplePolyEngine matched the following behavioral2 memory dumps (dump files are named behavioral2/memory/<pid>-<n>-<start>-<end>-memory.dmp):
- PID 4816, region 0x00000000007A0000-0x000000000185A000: dumps 6, 8, 9, 10, 11, 12, 25, 26, 33, 34, 35, 36, 37, 38, 39, 54, 55, 57, 58, 60, 61, 64, 66, 70 (24 matches)
- PID 3836, region 0x0000000000790000-0x000000000184A000: dumps 103, 147 (2 matches)
UPX dump on OEP (original entry point) (30 IoCs)
YARA rule UPX matched the following behavioral2 memory dumps:
- PID 4816, region 0x0000000000400000-0x0000000000412000: dumps 5, 87
- PID 4816, region 0x00000000007A0000-0x000000000185A000: dumps 6, 8, 9, 10, 11, 12, 25, 26, 33, 34, 35, 36, 37, 38, 39, 54, 55, 57, 58, 60, 61, 64, 66, 70
- PID 3336, region 0x0000000000400000-0x0000000000412000: dump 91
- PID 3836, region 0x0000000000790000-0x000000000184A000: dumps 103, 147
- PID 3836, region 0x0000000000400000-0x0000000000412000: dump 146
Executes dropped EXE (3 IoCs)
Processes: e575294.exe, e57536f.exe, e5780c9.exe
- PID 4816: e575294.exe
- PID 3336: e57536f.exe
- PID 3836: e5780c9.exe
YARA rule upx matched (26 IoCs)
The lowercase upx rule matched the same behavioral2 memory dumps as the Sality packer rule above:
- PID 4816, region 0x00000000007A0000-0x000000000185A000: dumps 6, 8, 9, 10, 11, 12, 25, 26, 33, 34, 35, 36, 37, 38, 39, 54, 55, 57, 58, 60, 61, 64, 66, 70 (24 matches)
- PID 3836, region 0x0000000000790000-0x000000000184A000: dumps 103, 147 (2 matches)
Windows security modification (14 IoCs)
Processes: e575294.exe, e5780c9.exe
All paths are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- e575294.exe: Set value (int) UpdatesDisableNotify = "1"
- e575294.exe: Set value (int) UacDisableNotify = "1"
- e5780c9.exe: Set value (int) FirewallDisableNotify = "1"
- e5780c9.exe: Set value (int) UpdatesDisableNotify = "1"
- e575294.exe: Set value (int) AntiVirusDisableNotify = "1"
- e575294.exe: Key created Svc
- e5780c9.exe: Set value (int) AntiVirusOverride = "1"
- e5780c9.exe: Key created Svc
- e5780c9.exe: Set value (int) AntiVirusDisableNotify = "1"
- e575294.exe: Set value (int) AntiVirusOverride = "1"
- e575294.exe: Set value (int) FirewallDisableNotify = "1"
- e575294.exe: Set value (int) FirewallOverride = "1"
- e5780c9.exe: Set value (int) FirewallOverride = "1"
- e5780c9.exe: Set value (int) UacDisableNotify = "1"
Checks whether UAC is enabled (2 IoCs)
Processes: e575294.exe, e5780c9.exe
- e575294.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e5780c9.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
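The registry signatures above (firewall policy, UAC bypass, Windows security bypass and modification, UAC check) all reduce to the same question: which process wrote which value, and does the written value weaken a defence. The following is an added example, not the sandbox's own code: it parses a handful of the report's own IoC rows, compares each write against a table of expected benign values, and attributes the resulting ATT&CK techniques to each dropped executable. The POLICY table and the technique IDs (the report names the techniques but gives no IDs) are my own mapping, and the rows are a copied subset of the report.

```python
"""Triage of the registry IoCs in the report's signature tables (added example;
not the sandbox's own code).  Input rows are copied from the report; the POLICY
table of expected benign values and the ATT&CK technique IDs are my own mapping."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Rows copied from the report (a subset; one IoC per line).
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e575294.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5780c9.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e5780c9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5780c9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e575294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5780c9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5780c9.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e575294.exe
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')

FIREWALL = "T1562.004 Disable or Modify System Firewall"
UAC = "T1548.002 Bypass User Account Control"
TOOLS = "T1562.001 Disable or Modify Tools"

# value name -> (benign value, severity when it deviates, technique).  Assumption.
POLICY: Dict[str, Tuple[str, str, str]] = {
    "EnableFirewall": ("1", "high", FIREWALL),
    "DisableNotifications": ("0", "medium", FIREWALL),
    "DoNotAllowExceptions": ("0", "low", FIREWALL),   # "0" is the Windows default
    "EnableLUA": ("1", "high", UAC),
    "AntiVirusOverride": ("0", "high", TOOLS),
    "FirewallOverride": ("0", "high", TOOLS),
    "AntiVirusDisableNotify": ("0", "medium", TOOLS),
    "FirewallDisableNotify": ("0", "medium", TOOLS),
    "UpdatesDisableNotify": ("0", "medium", TOOLS),
    "UacDisableNotify": ("0", "medium", TOOLS),
}


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    name: str                 # "" for a bare key creation
    observed: Optional[str]
    expected: Optional[str]
    deviates: bool
    severity: str
    technique: str


def parse_rows(text: str) -> Iterator[Tuple[str, Optional[str], Optional[str], str]]:
    """Yield (key, value name, value, process) per IoC row; rows of other shapes are skipped."""
    for line in text.strip().splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            _vtype, path, value, proc = m.groups()
            key, _, name = path.rpartition("\\")
            yield key, name, value, proc
            continue
        m = KEY_RE.match(line)
        if m:
            path, proc = m.groups()
            yield path, None, None, proc


def triage(text: str) -> List[Finding]:
    """One Finding per write to a monitored value, plus an info entry for key creation
    under Security Center.  A write that already equals the benign value is kept as
    'info' so the analyst still sees that the dropper touched the key."""
    findings: List[Finding] = []
    for key, name, value, proc in parse_rows(text):
        if name is None:
            if "\\Security Center" in key:
                findings.append(Finding(proc, key, "", None, None, False, "info", TOOLS))
            continue
        pol = POLICY.get(name)
        if pol is None:
            continue
        expected, severity, technique = pol
        deviates = value != expected
        findings.append(Finding(proc, key, name, value, expected, deviates,
                                severity if deviates else "info", technique))
    return findings


def techniques_by_process(findings: List[Finding]) -> Dict[str, Set[str]]:
    """ATT&CK technique IDs evidenced by deviating writes, keyed by process name."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        if f.deviates:
            out.setdefault(f.process, set()).add(f.technique.split(" ", 1)[0])
    return out


if __name__ == "__main__":
    fs = triage(REPORT_ROWS)
    for f in fs:
        print(f"{f.severity:6} {f.process:12} {f.name or '(key)':24} "
              f"observed={f.observed!r} expected={f.expected!r} {f.technique}")
    print(techniques_by_process(fs))
```

Run against the nine rows above, both droppers come out with the same three techniques, which is the practical point: e575294.exe and e5780c9.exe are two instances of the same payload, not two stages with different jobs. To use it on a live host rather than a report, the same POLICY table can be checked against `reg query` output of the three keys; the parser is the only part tied to the sandbox's row format.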
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e575294.exe, e5780c9.exe
- e575294.exe: File opened (read-only) \??\N:, \??\I:, \??\M:, \??\G:, \??\J:, \??\L:, \??\E:, \??\K:, \??\H: (9 drives)
- e5780c9.exe: File opened (read-only) \??\E:, \??\H:, \??\J:, \??\I:, \??\G: (5 drives)
Drops file in Program Files directory (3 IoCs)
Processes: e575294.exe
- e575294.exe: File opened for modification C:\Program Files\7-Zip\7z.exe
- e575294.exe: File opened for modification C:\Program Files\7-Zip\7zFM.exe
- e575294.exe: File opened for modification C:\Program Files\7-Zip\7zG.exe
Drops file in Windows directory (3 IoCs)
Processes: e575294.exe, e5780c9.exe
- e575294.exe: File opened for modification C:\Windows\SYSTEM.INI
- e5780c9.exe: File created C:\Windows\e57a836
- e575294.exe: File created C:\Windows\e5752d3
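The two file sections above show the dropper opening the 7-Zip executables under Program Files for modification and creating unnamed files under C:\Windows, which together with the sality config extraction is the picture a PE file infector leaves in a sandbox. The check a responder wants after seeing this is an integrity diff of executables against a baseline. The following is an added example, not the sandbox's or the malware family's code: it builds a SHA-256 manifest of executables under a root and reports files that changed, appeared or vanished. The directory tree in demo() is constructed in a temporary directory with made-up contents; the suffix list and the scenario are my assumptions.

```python
"""Executable integrity baseline/compare (added example; not the sandbox's own code).
Builds a SHA-256 manifest of executables under a root and diffs it against a rescan.
The tree built by demo() is constructed in a temp dir; names and contents are my own."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

EXE_SUFFIXES = {".exe", ".dll", ".scr", ".sys"}   # assumption: what a baseline should cover


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every executable under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files whose hash changed, files that appeared, files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake Program Files tree, then simulate the
    writes the report shows (a host executable modified, a new executable dropped)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "7-Zip").mkdir()
        for name in ("7z.exe", "7zFM.exe", "7zG.exe"):
            (root / "7-Zip" / name).write_bytes(b"MZ" + name.encode() * 16)
        (root / "readme.txt").write_text("not an executable, not baselined")
        baseline = build_manifest(root)
        # an infector appends its body to a host executable
        with (root / "7-Zip" / "7z.exe").open("ab") as f:
            f.write(b"\x90" * 64)
        # a dropper lands alongside
        (root / "dropper.exe").write_bytes(b"MZ dropped")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The manifest must come from a known-clean image or installer hashes, not from the infected host; taken after the fact it would baseline the infected copies. The unnamed files under C:\Windows have no suffix and would not be caught by this check, which is why the sandbox's "File created" rows are worth keeping next to it.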
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e575294.exe, e5780c9.exe
- PID 4816 e575294.exe (4 occurrences)
- PID 3836 e5780c9.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e575294.exe
- Token: SeDebugPrivilege, PID 4816 e575294.exe (64 occurrences)
Suspicious use of WriteProcessMemory (60 IoCs)
Processes: rundll32.exe, rundll32.exe, e575294.exe, e5780c9.exe
Writes grouped by source process, in report order (count of rows in parentheses):
- PID 5104 rundll32.exe wrote to PID 3148 rundll32.exe (3)
- PID 3148 rundll32.exe wrote to PID 4816 e575294.exe (3)
- PID 4816 e575294.exe wrote to 808 fontdrvhost.exe, 816 fontdrvhost.exe, 316 dwm.exe, 2836 sihost.exe, 2972 svchost.exe, 736 taskhostw.exe, 3416 Explorer.EXE, 3560 svchost.exe, 3752 DllHost.exe, 3852 StartMenuExperienceHost.exe, 3916 RuntimeBroker.exe, 3996 SearchApp.exe, 4284 RuntimeBroker.exe, 2348 TextInputHost.exe, 5104 rundll32.exe, 3148 rundll32.exe (2) (17)
- PID 3148 rundll32.exe wrote to PID 3336 e57536f.exe (3)
- PID 4816 e575294.exe wrote to the same 14 system processes again, then 5104 rundll32.exe and 3336 e57536f.exe (2) (17)
- PID 3148 rundll32.exe wrote to PID 3836 e5780c9.exe (3)
- PID 3836 e5780c9.exe wrote to 808 fontdrvhost.exe, 816 fontdrvhost.exe, 316 dwm.exe, 2836 sihost.exe, 2972 svchost.exe, 736 taskhostw.exe, 3416 Explorer.EXE, 3560 svchost.exe, 3752 DllHost.exe, 3852 StartMenuExperienceHost.exe, 3916 RuntimeBroker.exe, 3996 SearchApp.exe, 4284 RuntimeBroker.exe, 2348 TextInputHost.exe (14)
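The WriteProcessMemory rows mix two different things: the rundll32 host handing execution to the executables it drops (parent writing into its own child), and the droppers writing into every interactive system process on the box. Separating them is what turns this table into a verdict. The following is an added example, not the sandbox's own code: it parses a subset of the rows copied from the report, builds a source-to-target map, and classifies each source by how many targets are outside the rundll32/dropper chain. The CHAIN membership (rundll32 plus the three PIDs from "Executes dropped EXE") and the threshold of five unrelated targets are my assumptions.

```python
"""Injection map from the report's 'wrote to memory of' rows (added example; not the
sandbox's own code).  WPM_ROWS is a subset copied from the report; DROPPED and
BROAD_THRESHOLD are my assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Subset of the report's 60 rows, one per line (constructed from the table above).
WPM_ROWS = """
PID 5104 wrote to memory of 3148 5104 rundll32.exe rundll32.exe
PID 3148 wrote to memory of 4816 3148 rundll32.exe e575294.exe
PID 4816 wrote to memory of 808 4816 e575294.exe fontdrvhost.exe
PID 4816 wrote to memory of 816 4816 e575294.exe fontdrvhost.exe
PID 4816 wrote to memory of 316 4816 e575294.exe dwm.exe
PID 4816 wrote to memory of 2836 4816 e575294.exe sihost.exe
PID 4816 wrote to memory of 2972 4816 e575294.exe svchost.exe
PID 4816 wrote to memory of 3416 4816 e575294.exe Explorer.EXE
PID 4816 wrote to memory of 3852 4816 e575294.exe StartMenuExperienceHost.exe
PID 4816 wrote to memory of 3996 4816 e575294.exe SearchApp.exe
PID 4816 wrote to memory of 5104 4816 e575294.exe rundll32.exe
PID 4816 wrote to memory of 3148 4816 e575294.exe rundll32.exe
PID 3148 wrote to memory of 3336 3148 rundll32.exe e57536f.exe
PID 4816 wrote to memory of 3336 4816 e575294.exe e57536f.exe
PID 3148 wrote to memory of 3836 3148 rundll32.exe e5780c9.exe
PID 3836 wrote to memory of 808 3836 e5780c9.exe fontdrvhost.exe
PID 3836 wrote to memory of 316 3836 e5780c9.exe dwm.exe
PID 3836 wrote to memory of 2972 3836 e5780c9.exe svchost.exe
PID 3836 wrote to memory of 3416 3836 e5780c9.exe Explorer.EXE
PID 3836 wrote to memory of 3916 3836 e5780c9.exe RuntimeBroker.exe
PID 3836 wrote to memory of 2348 3836 e5780c9.exe TextInputHost.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
Proc = Tuple[int, str]

# From the report's "Executes dropped EXE" signature (assumption: these plus rundll32 are the chain).
DROPPED: Dict[int, str] = {4816: "e575294.exe", 3336: "e57536f.exe", 3836: "e5780c9.exe"}
BROAD_THRESHOLD = 5   # distinct unrelated targets before we call it process-wide injection


def parse(text: str) -> List[Tuple[Proc, Proc]]:
    """(source, target) pairs; the report repeats the source PID, so we cross-check it."""
    rows: List[Tuple[Proc, Proc]] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_again, src_name, dst_name = m.groups()
        if src != src_again:
            continue
        rows.append(((int(src), src_name), (int(dst), dst_name)))
    return rows


def in_chain(p: Proc) -> bool:
    pid, name = p
    return name.lower() == "rundll32.exe" or DROPPED.get(pid) == name


def build_map(rows: List[Tuple[Proc, Proc]]) -> Dict[Proc, Dict[Proc, int]]:
    m: Dict[Proc, Dict[Proc, int]] = defaultdict(lambda: defaultdict(int))
    for src, dst in rows:
        m[src][dst] += 1
    return m


def classify(m: Dict[Proc, Dict[Proc, int]], threshold: int = BROAD_THRESHOLD) -> Dict[str, Dict[str, object]]:
    """Per source: distinct in-chain targets, distinct foreign targets, and a 'broad' flag."""
    out: Dict[str, Dict[str, object]] = {}
    for src, targets in m.items():
        foreign = [t for t in targets if not in_chain(t)]
        chain = [t for t in targets if in_chain(t)]
        out[f"{src[0]} {src[1]}"] = {
            "in_chain": len(chain),
            "foreign": len(foreign),
            "foreign_names": sorted({t[1] for t in foreign}),
            "broad": len(foreign) >= threshold,
        }
    return out


if __name__ == "__main__":
    for src, info in classify(build_map(parse(WPM_ROWS))).items():
        print(src, info)
```

On this subset the two rundll32 hosts only ever write into the chain (the usual loader handoff), while both droppers clear the threshold on foreign targets alone. In a detection pipeline the same split lets a rule ignore parent-to-child writes from known loaders and fire on any process that writes into more than a handful of unrelated processes within one run.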
System policy modification (1 TTPs, 2 IoCs)
Processes: e575294.exe, e5780c9.exe
- e575294.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e5780c9.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes (process tree; indentation shows parent/child, command line in parentheses)
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID 808
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID 816
- C:\Windows\system32\dwm.exe ("dwm.exe") PID 316
- C:\Windows\system32\sihost.exe (sihost.exe) PID 2836
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID 2972
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID 736
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID 3416
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll,#1) PID 5104
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll,#1) PID 3148
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e575294.exe (C:\Users\Admin\AppData\Local\Temp\e575294.exe) PID 4816
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57536f.exe (C:\Users\Admin\AppData\Local\Temp\e57536f.exe) PID 3336
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5780c9.exe (C:\Users\Admin\AppData\Local\Temp\e5780c9.exe) PID 3836
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID 3560
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID 3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID 3852
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID 3916
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID 3996
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID 4284
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID 2348
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: bee317ce3f6683067aef3736de474d94
  SHA1: ed9fb70af7261295f443055047cfb51b646c6aeb
  SHA256: 9f9d8b9e8c70b0e5d9ac21f09232ca7fb1bf668cef97c8fd8ad1460042788ce4
  SHA512: fe40b179725c7a446b1c6d6ee215e018976e65827a16b17367f663f296b0a1ffdc81a0aec768b83e43273ecdc4abc4e00a0107d40351f1cdddb0dfe991a276af
- Filesize: 257B
  MD5: a9f2d46b43c44d9146b4935c55cf0dd8
  SHA1: fc2a0838ab306ae560074d6ef20810ed439f211e
  SHA256: 2cd4c308205f6dcdd72f9e0f9bf6a46b74f5e4dd02b16dd79442bdf59aef032d
  SHA512: 9c5aafb6a0781be496c307c615bd8508aa60f7e8fda7154129c07499c163b56353b395fe4ddc01445b13f15e0ef6e315232040c4b93b76abf1c08c9089b4f3cf