Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 20:56
Static task: static1
Behavioral task: behavioral1
Sample: 4ae1afe042640512b3d9ecaf2258f9b8cb8f78c67b45768f2b815a2fe5817537.dll
Resource: win7-20240611-en
General
Target: 4ae1afe042640512b3d9ecaf2258f9b8cb8f78c67b45768f2b815a2fe5817537.dll
Size: 120KB
MD5: 50aa194695c17f6d00d5155995d3a8bc
SHA1: 139cbc666fbbe59d1b6812e96027443ed70fd342
SHA256: 4ae1afe042640512b3d9ecaf2258f9b8cb8f78c67b45768f2b815a2fe5817537
SHA512: f396fcb50208bbc35eef5e3e7508a8a04adc3d7729c95b1aa49591ffa2e604d36bddef6c03103ae475ccded98c90cc0909c745db44f0b23ee6a54ac925ade5d3
SSDEEP: 1536:INzrLIWCCf7i8RmOZvwD2fLuLHdcovjnCoPkQ1cgd/y3HZfOtlo:INPLtPfG++MoPkOpy3stl
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e575563.exe, e573577.exe
description / ioc | process:
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575563.exe
UAC bypass
Processes: e573577.exe, e575563.exe
description / ioc | process:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575563.exe
Windows security bypass
Processes: e573577.exe, e575563.exe
description / ioc | process:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575563.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 32 IoCs
Processes:
UPX dump on OEP (original entry point) 37 IoCs
Processes:
Executes dropped EXE 3 IoCs
Processes: e573577.exe, e57371d.exe, e575563.exe
pid | process:
4400 | e573577.exe
1608 | e57371d.exe
3432 | e575563.exe
Windows security modification
Processes: e575563.exe, e573577.exe
description / ioc | process:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575563.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575563.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575563.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575563.exe
Checks whether UAC is enabled
Processes: e573577.exe, e575563.exe
description / ioc | process:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575563.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573577.exe, e575563.exe
description / ioc | process:
File opened (read-only) \??\G: | e573577.exe
File opened (read-only) \??\G: | e575563.exe
File opened (read-only) \??\J: | e573577.exe
File opened (read-only) \??\N: | e573577.exe
File opened (read-only) \??\H: | e575563.exe
File opened (read-only) \??\L: | e573577.exe
File opened (read-only) \??\P: | e573577.exe
File opened (read-only) \??\E: | e575563.exe
File opened (read-only) \??\E: | e573577.exe
File opened (read-only) \??\H: | e573577.exe
File opened (read-only) \??\K: | e573577.exe
File opened (read-only) \??\Q: | e573577.exe
File opened (read-only) \??\I: | e573577.exe
File opened (read-only) \??\M: | e573577.exe
File opened (read-only) \??\O: | e573577.exe
Drops file in Program Files directory 3 IoCs
Processes: e573577.exe
description / ioc | process:
File opened for modification C:\Program Files\7-Zip\7z.exe | e573577.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe | e573577.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe | e573577.exe
Drops file in Windows directory 3 IoCs
Processes: e573577.exe, e575563.exe
description / ioc | process:
File created C:\Windows\e5735b6 | e573577.exe
File opened for modification C:\Windows\SYSTEM.INI | e573577.exe
File created C:\Windows\e5786d3 | e575563.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: e573577.exe, e575563.exe
pid | process:
4400 | e573577.exe (4 entries)
3432 | e575563.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e573577.exe
description | pid | process:
Token: SeDebugPrivilege | 4400 | e573577.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e573577.exe, e575563.exe
description | pid | process | target process (unique source/target pairs among the 64 IoCs):
PID 3232 wrote to memory of 4064 | 3232 | rundll32.exe | rundll32.exe
PID 4064 wrote to memory of 4400 | 4064 | rundll32.exe | e573577.exe
PID 4064 wrote to memory of 1608 | 4064 | rundll32.exe | e57371d.exe
PID 4064 wrote to memory of 3432 | 4064 | rundll32.exe | e575563.exe
PID 4400 wrote to memory of 804 | 4400 | e573577.exe | fontdrvhost.exe
PID 4400 wrote to memory of 800 | 4400 | e573577.exe | fontdrvhost.exe
PID 4400 wrote to memory of 376 | 4400 | e573577.exe | dwm.exe
PID 4400 wrote to memory of 2148 | 4400 | e573577.exe | sihost.exe
PID 4400 wrote to memory of 796 | 4400 | e573577.exe | svchost.exe
PID 4400 wrote to memory of 3096 | 4400 | e573577.exe | taskhostw.exe
PID 4400 wrote to memory of 3420 | 4400 | e573577.exe | Explorer.EXE
PID 4400 wrote to memory of 3528 | 4400 | e573577.exe | svchost.exe
PID 4400 wrote to memory of 3752 | 4400 | e573577.exe | DllHost.exe
PID 4400 wrote to memory of 3840 | 4400 | e573577.exe | StartMenuExperienceHost.exe
PID 4400 wrote to memory of 3932 | 4400 | e573577.exe | RuntimeBroker.exe
PID 4400 wrote to memory of 4016 | 4400 | e573577.exe | SearchApp.exe
PID 4400 wrote to memory of 3728 | 4400 | e573577.exe | RuntimeBroker.exe
PID 4400 wrote to memory of 3116 | 4400 | e573577.exe | TextInputHost.exe
PID 4400 wrote to memory of 1148 | 4400 | e573577.exe | RuntimeBroker.exe
PID 4400 wrote to memory of 2808 | 4400 | e573577.exe | backgroundTaskHost.exe
PID 4400 wrote to memory of 4364 | 4400 | e573577.exe | backgroundTaskHost.exe
PID 4400 wrote to memory of 3232 | 4400 | e573577.exe | rundll32.exe
PID 4400 wrote to memory of 4064 | 4400 | e573577.exe | rundll32.exe
PID 4400 wrote to memory of 1608 | 4400 | e573577.exe | e57371d.exe
PID 4400 wrote to memory of 1140 | 4400 | e573577.exe | RuntimeBroker.exe
PID 4400 wrote to memory of 4004 | 4400 | e573577.exe | RuntimeBroker.exe
PID 4400 wrote to memory of 3432 | 4400 | e573577.exe | e575563.exe
PID 3432 wrote to memory of 804 | 3432 | e575563.exe | fontdrvhost.exe
PID 3432 wrote to memory of 800 | 3432 | e575563.exe | fontdrvhost.exe
PID 3432 wrote to memory of 376 | 3432 | e575563.exe | dwm.exe
PID 3432 wrote to memory of 2148 | 3432 | e575563.exe | sihost.exe
PID 3432 wrote to memory of 796 | 3432 | e575563.exe | svchost.exe
PID 3432 wrote to memory of 3096 | 3432 | e575563.exe | taskhostw.exe
PID 3432 wrote to memory of 3420 | 3432 | e575563.exe | Explorer.EXE
PID 3432 wrote to memory of 3528 | 3432 | e575563.exe | svchost.exe
PID 3432 wrote to memory of 3752 | 3432 | e575563.exe | DllHost.exe
System policy modification 1 TTPs 2 IoCs
Processes: e573577.exe, e575563.exe
description / ioc | process:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573577.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575563.exe
Processes
Process tree (indentation shows parent/child depth):
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 804
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 800
C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 376
C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2148
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 796
C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 3096
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3420
    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ae1afe042640512b3d9ecaf2258f9b8cb8f78c67b45768f2b815a2fe5817537.dll,#1
      - Suspicious use of WriteProcessMemory
      PID: 3232
        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ae1afe042640512b3d9ecaf2258f9b8cb8f78c67b45768f2b815a2fe5817537.dll,#1
          - Suspicious use of WriteProcessMemory
          PID: 4064
            C:\Users\Admin\AppData\Local\Temp\e573577.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e573577.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 4400
            C:\Users\Admin\AppData\Local\Temp\e57371d.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57371d.exe
              - Executes dropped EXE
              PID: 1608
            C:\Users\Admin\AppData\Local\Temp\e575563.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e575563.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 3432
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3528
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3752
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3840
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3932
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4016
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3728
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3116
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1148
C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 2808
C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 4364
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1140
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4004
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
File 1
Filesize: 97KB
MD5: 14811f295cd52993acfbd165c6f1d222
SHA1: 26561270f8eac45240ee1822b8b129e0b71a4587
SHA256: 8d6075523096d02154bb5033a7bc86dbc8733c9e89ea0208d9413e858a464300
SHA512: 26dc4873b9f60781584e1912f93eb7158884e1fc3c06273191917ae97a78799ad8ce14621b1b993194abc49a032469434b0f757e02e692e87a6815ab1bb5b15a
File 2
Filesize: 257B
MD5: f08583504964897849864047c0dd9d41
SHA1: 6df57b374d8249a8e7ae9690a715d9c833e747fb
SHA256: f681a07d08ffd8f037215590a2f492dd2189a0779a42ce403ce0ec7b235558e0
SHA512: 6339e7cb114278a08657debbd7c4829a0759ab237392108b6e920f371071189f38d485fcb95b74b8db8679c4a4bb13d1a7e7c7fa0218df42fd676eac468d174a