Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 18:10
Static task: static1
Behavioral task: behavioral1
Sample: 03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll
Resource: win7-20240221-en
General
- Target: 03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll
- Size: 120KB
- MD5: 8869c3123e84d249b133e4f48727d380
- SHA1: 187294fc1a829cb46ab7d9858e3891c4873f682b
- SHA256: 03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239
- SHA512: a30a753a23a942b51afa0c3a45cc3d89cffd9c13c4ff10606082456e8339f512e4aea9f326bb0d07b25d5c23740e2baa443a772e11f6b08485daa66cbe1f07d5
- SSDEEP: 3072:DmQimvGDY+yKY6aZ0KxZalyiHPHk6ix4GwGl3D:SYGs+dY6adalyivHvIZ3
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f764441.exe)
UAC bypass (heading reconstructed from the process tree's signature list)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764441.exe)
Windows security bypass (heading reconstructed from the process tree's signature list)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f764441.exe)
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
UPX dump on OEP (original entry point) 30 IoCs
Executes dropped EXE 3 IoCs
- PID 1520: f7619a8.exe
- PID 2452: f761d8f.exe
- PID 3004: f764441.exe
Loads dropped DLL 6 IoCs
- PID 2192: rundll32.exe (listed six times, all for the same process)
Windows security modification (heading reconstructed from the process tree's signature list)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f7619a8.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f764441.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f764441.exe)
Checks whether UAC is enabled (heading reconstructed from the process tree's signature list)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7619a8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764441.exe)
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\G: (f764441.exe)
- File opened (read-only) \??\E: (f7619a8.exe)
- File opened (read-only) \??\H: (f7619a8.exe)
- File opened (read-only) \??\I: (f7619a8.exe)
- File opened (read-only) \??\E: (f764441.exe)
- File opened (read-only) \??\G: (f7619a8.exe)
- File opened (read-only) \??\J: (f7619a8.exe)
- File opened (read-only) \??\K: (f7619a8.exe)
- File opened (read-only) \??\M: (f7619a8.exe)
- File opened (read-only) \??\L: (f7619a8.exe)
- File opened (read-only) \??\N: (f7619a8.exe)
- File opened (read-only) \??\H: (f764441.exe)
- File opened (read-only) \??\J: (f764441.exe)
- File opened (read-only) \??\I: (f764441.exe)
Drops file in Windows directory 3 IoCs
- File created C:\Windows\f761a73 (f7619a8.exe)
- File opened for modification C:\Windows\SYSTEM.INI (f7619a8.exe)
- File created C:\Windows\f766bbe (f764441.exe)
Suspicious behavior: EnumeratesProcesses 3 IoCs
- PID 1520: f7619a8.exe (listed twice)
- PID 3004: f764441.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
- Token: SeDebugPrivilege, PID 1520 f7619a8.exe (repeated)
- Token: SeDebugPrivilege, PID 3004 f764441.exe (repeated)
Suspicious use of WriteProcessMemory 36 IoCs
(source pid and process, then procid_target; verbatim repeats collapsed)
- PID 1632 wrote to memory of 2192 (1632 rundll32.exe, target 28)
- PID 2192 wrote to memory of 1520 (2192 rundll32.exe, target 29)
- PID 1520 wrote to memory of 1108 (1520 f7619a8.exe, target 19)
- PID 1520 wrote to memory of 1168 (1520 f7619a8.exe, target 20)
- PID 1520 wrote to memory of 1204 (1520 f7619a8.exe, target 21)
- PID 1520 wrote to memory of 2384 (1520 f7619a8.exe, target 23)
- PID 1520 wrote to memory of 1632 (1520 f7619a8.exe, target 27)
- PID 1520 wrote to memory of 2192 (1520 f7619a8.exe, target 28)
- PID 2192 wrote to memory of 2452 (2192 rundll32.exe, target 30)
- PID 2192 wrote to memory of 3004 (2192 rundll32.exe, target 31)
- PID 1520 wrote to memory of 2452 (1520 f7619a8.exe, target 30)
- PID 1520 wrote to memory of 3004 (1520 f7619a8.exe, target 31)
- PID 3004 wrote to memory of 1108 (3004 f764441.exe, target 19)
- PID 3004 wrote to memory of 1168 (3004 f764441.exe, target 20)
- PID 3004 wrote to memory of 1204 (3004 f764441.exe, target 21)
System policy modification 1 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764441.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7619a8.exe)
Processes (nested by the depth markers in the report)
- C:\Windows\system32\taskhost.exe ("taskhost.exe") PID:1108
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe") PID:1168
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:1204
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll,#1) PID:1632
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll,#1) PID:2192
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f7619a8.exe (C:\Users\Admin\AppData\Local\Temp\f7619a8.exe) PID:1520
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f761d8f.exe (C:\Users\Admin\AppData\Local\Temp\f761d8f.exe) PID:2452
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f764441.exe (C:\Users\Admin\AppData\Local\Temp\f764441.exe) PID:3004
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:2384
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  - MD5: 136c16e38677377c77a577b83b2b7331
  - SHA1: 1fdab0662dd260f298361d5004c2753b3a8a1914
  - SHA256: 39aff7ede2e68496ee625920babe81589a927280d4b7580c7adf9b1d2ecec3ef
  - SHA512: af7aaf431aa06292bfe4f22b49efe0d2e8427aa206a2c9378527b103ada1ad62d756cb34850575a6369f4f8ad5752e4a704a3a80378b144376c5cc31d482c36a
- Filesize: 97KB
  - MD5: 13d743fff676e5875cbb8fd864f13b2a
  - SHA1: eda3d652b12d08a94e71c3544db7f4bdf893dee0
  - SHA256: 60b28b95453c976b7c8321d90c300757d6268355e4a1dc17d2800e84c7f24085
  - SHA512: 5fafd089f368d31e96489b8380c93af4c31afbbec6c6990dad543b6b7f8996985ea2043af2989c1f61d07792856de1e879ce33bb66d32f36a488329f00833c80