Analysis
- max time kernel: 144s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/06/2024, 18:10
Static task: static1
Behavioral task: behavioral1
- Sample: 03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll
- Resource: win7-20240221-en
General
- Target: 03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll
- Size: 120KB
- MD5: 8869c3123e84d249b133e4f48727d380
- SHA1: 187294fc1a829cb46ab7d9858e3891c4873f682b
- SHA256: 03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239
- SHA512: a30a753a23a942b51afa0c3a45cc3d89cffd9c13c4ff10606082456e8339f512e4aea9f326bb0d07b25d5c23740e2baa443a772e11f6b08485daa66cbe1f07d5
- SSDEEP: 3072:DmQimvGDY+yKY6aZ0KxZalyiHPHk6ix4GwGl3D:SYGs+dY6adalyivHvIZ3
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Process: description ioc
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"

UAC bypass
Process: description ioc
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Process: description ioc
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (30 IoCs)
resource: yara_rule
- behavioral2/memory/1464-7-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-9-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-18-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-17-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-16-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-15-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-12-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-14-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-10-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-11-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-42-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-41-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-51-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-53-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-52-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-55-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-56-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-57-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-58-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-60-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-77-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-79-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-81-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-82-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-85-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-87-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-89-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/1464-91-0x00000000007B0000-0x000000000186A000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/2020-126-0x0000000000B40000-0x0000000001BFA000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
- behavioral2/memory/2020-147-0x0000000000B40000-0x0000000001BFA000-memory.dmp: INDICATOR_EXE_Packed_SimplePolyEngine
UPX dump on OEP (original entry point) (37 IoCs)
resource: yara_rule
- behavioral2/memory/1464-7-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-9-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-18-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-17-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/4516-35-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
- behavioral2/memory/2020-40-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
- behavioral2/memory/1464-16-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-15-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-12-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-14-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-10-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-11-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1312-50-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
- behavioral2/memory/1464-42-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-41-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-51-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-53-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-52-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-55-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-56-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-57-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-58-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-60-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-77-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-79-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-81-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-82-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-85-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-87-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-89-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/1464-109-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
- behavioral2/memory/1464-91-0x00000000007B0000-0x000000000186A000-memory.dmp: UPX
- behavioral2/memory/4516-113-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
- behavioral2/memory/2020-126-0x0000000000B40000-0x0000000001BFA000-memory.dmp: UPX
- behavioral2/memory/1312-146-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
- behavioral2/memory/2020-148-0x0000000000400000-0x0000000000412000-memory.dmp: UPX
- behavioral2/memory/2020-147-0x0000000000B40000-0x0000000001BFA000-memory.dmp: UPX
Executes dropped EXE (4 IoCs)
pid: Process
- 1464: e57ee67.exe
- 4516: e57f424.exe
- 2020: e57f50e.exe
- 1312: e57fa9c.exe

resource: yara_rule (30 IoCs)
- behavioral2/memory/1464-7-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-9-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-18-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-17-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-16-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-15-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-12-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-14-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-10-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-11-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-42-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-41-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-51-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-53-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-52-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-55-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-56-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-57-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-58-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-60-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-77-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-79-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-81-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-82-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-85-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-87-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-89-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/1464-91-0x00000000007B0000-0x000000000186A000-memory.dmp: upx
- behavioral2/memory/2020-126-0x0000000000B40000-0x0000000001BFA000-memory.dmp: upx
- behavioral2/memory/2020-147-0x0000000000B40000-0x0000000001BFA000-memory.dmp: upx

Windows security modification
Process: description ioc
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e57ee67.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- e57f50e.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"

Checks whether UAC is enabled
Process: description ioc
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: description ioc
- e57ee67.exe: File opened (read-only) \??\H:
- e57ee67.exe: File opened (read-only) \??\J:
- e57ee67.exe: File opened (read-only) \??\K:
- e57ee67.exe: File opened (read-only) \??\P:
- e57ee67.exe: File opened (read-only) \??\Q:
- e57ee67.exe: File opened (read-only) \??\G:
- e57ee67.exe: File opened (read-only) \??\I:
- e57ee67.exe: File opened (read-only) \??\L:
- e57ee67.exe: File opened (read-only) \??\M:
- e57ee67.exe: File opened (read-only) \??\N:
- e57ee67.exe: File opened (read-only) \??\O:
- e57ee67.exe: File opened (read-only) \??\E:
Drops file in Windows directory (3 IoCs)
Process: description ioc
- e57ee67.exe: File created C:\Windows\e57f145
- e57ee67.exe: File opened for modification C:\Windows\SYSTEM.INI
- e57f50e.exe: File created C:\Windows\e5844c4
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid: Process
- 1464: e57ee67.exe
- 1464: e57ee67.exe
- 1464: e57ee67.exe
- 1464: e57ee67.exe
- 2020: e57f50e.exe
- 2020: e57f50e.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description, pid, Process; all 64 entries are identical:
- Token: SeDebugPrivilege, 1464, e57ee67.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description, pid, Process, procid_target (consecutive identical entries are collapsed with their count):
- PID 1780 wrote to memory of 1364, 1780, rundll32.exe, 91 (x3)
- PID 1364 wrote to memory of 1464, 1364, rundll32.exe, 92 (x3)
- PID 1464 wrote to memory of 800, 1464, e57ee67.exe, 9
- PID 1464 wrote to memory of 808, 1464, e57ee67.exe, 10
- PID 1464 wrote to memory of 64, 1464, e57ee67.exe, 13
- PID 1464 wrote to memory of 2408, 1464, e57ee67.exe, 42
- PID 1464 wrote to memory of 2440, 1464, e57ee67.exe, 43
- PID 1464 wrote to memory of 2524, 1464, e57ee67.exe, 45
- PID 1464 wrote to memory of 3348, 1464, e57ee67.exe, 57
- PID 1464 wrote to memory of 3624, 1464, e57ee67.exe, 58
- PID 1464 wrote to memory of 3864, 1464, e57ee67.exe, 59
- PID 1464 wrote to memory of 3968, 1464, e57ee67.exe, 60
- PID 1464 wrote to memory of 4072, 1464, e57ee67.exe, 61
- PID 1464 wrote to memory of 784, 1464, e57ee67.exe, 62
- PID 1464 wrote to memory of 4148, 1464, e57ee67.exe, 63
- PID 1464 wrote to memory of 5056, 1464, e57ee67.exe, 65
- PID 1464 wrote to memory of 1116, 1464, e57ee67.exe, 75
- PID 1464 wrote to memory of 2984, 1464, e57ee67.exe, 77
- PID 1464 wrote to memory of 3148, 1464, e57ee67.exe, 78
- PID 1464 wrote to memory of 1616, 1464, e57ee67.exe, 79
- PID 1464 wrote to memory of 728, 1464, e57ee67.exe, 80
- PID 1464 wrote to memory of 496, 1464, e57ee67.exe, 81
- PID 1464 wrote to memory of 1088, 1464, e57ee67.exe, 83
- PID 1464 wrote to memory of 1384, 1464, e57ee67.exe, 84
- PID 1464 wrote to memory of 1780, 1464, e57ee67.exe, 90
- PID 1464 wrote to memory of 1364, 1464, e57ee67.exe, 91 (x2)
- PID 1364 wrote to memory of 4516, 1364, rundll32.exe, 93 (x3)
- PID 1364 wrote to memory of 2020, 1364, rundll32.exe, 94 (x3)
- PID 1364 wrote to memory of 1312, 1364, rundll32.exe, 95 (x3)
- PID 1464 wrote to memory of 800, 1464, e57ee67.exe, 9
- PID 1464 wrote to memory of 808, 1464, e57ee67.exe, 10
- PID 1464 wrote to memory of 64, 1464, e57ee67.exe, 13
- PID 1464 wrote to memory of 2408, 1464, e57ee67.exe, 42
- PID 1464 wrote to memory of 2440, 1464, e57ee67.exe, 43
- PID 1464 wrote to memory of 2524, 1464, e57ee67.exe, 45
- PID 1464 wrote to memory of 3348, 1464, e57ee67.exe, 57
- PID 1464 wrote to memory of 3624, 1464, e57ee67.exe, 58
- PID 1464 wrote to memory of 3864, 1464, e57ee67.exe, 59
- PID 1464 wrote to memory of 3968, 1464, e57ee67.exe, 60
- PID 1464 wrote to memory of 4072, 1464, e57ee67.exe, 61
- PID 1464 wrote to memory of 784, 1464, e57ee67.exe, 62
- PID 1464 wrote to memory of 4148, 1464, e57ee67.exe, 63
- PID 1464 wrote to memory of 5056, 1464, e57ee67.exe, 65
- PID 1464 wrote to memory of 1116, 1464, e57ee67.exe, 75
- PID 1464 wrote to memory of 2984, 1464, e57ee67.exe, 77
- PID 1464 wrote to memory of 3148, 1464, e57ee67.exe, 78
- PID 1464 wrote to memory of 1616, 1464, e57ee67.exe, 79
- PID 1464 wrote to memory of 728, 1464, e57ee67.exe, 80
- PID 1464 wrote to memory of 496, 1464, e57ee67.exe, 81
- PID 1464 wrote to memory of 1088, 1464, e57ee67.exe, 83
- PID 1464 wrote to memory of 1384, 1464, e57ee67.exe, 84
- PID 1464 wrote to memory of 4516, 1464, e57ee67.exe, 93 (x2)
System policy modification (1 TTPs, 2 IoCs)
Process: description ioc
- e57ee67.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e57f50e.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
(each entry: PID, image path, command line; indentation shows the parent/child depth; signatures triggered by the process are listed beneath it)

- PID 800: C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
- PID 808: C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
- PID 64: C:\Windows\system32\dwm.exe
  cmd: "dwm.exe"
- PID 2408: C:\Windows\system32\sihost.exe
  cmd: sihost.exe
- PID 2440: C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2524: C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3348: C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - PID 1780: C:\Windows\system32\rundll32.exe
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - PID 1364: C:\Windows\SysWOW64\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dfa7d5332d63c018391db2760d43b652db545e27443de90b63bb44cf7d3239.dll,#1
      signatures: Suspicious use of WriteProcessMemory
      - PID 1464: C:\Users\Admin\AppData\Local\Temp\e57ee67.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57ee67.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - PID 4516: C:\Users\Admin\AppData\Local\Temp\e57f424.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57f424.exe
        signatures: Executes dropped EXE
      - PID 2020: C:\Users\Admin\AppData\Local\Temp\e57f50e.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57f50e.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; System policy modification
      - PID 1312: C:\Users\Admin\AppData\Local\Temp\e57fa9c.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57fa9c.exe
        signatures: Executes dropped EXE
- PID 3624: C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3864: C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3968: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 4072: C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 784: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 4148: C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 5056: C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1116: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 2984: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - PID 3148: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffe83262e98,0x7ffe83262ea4,0x7ffe83262eb0
  - PID 1616: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2896 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:2
  - PID 728: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2916 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:3
  - PID 496: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3128 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  - PID 1088: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5284 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
  - PID 1384: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5480 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
  - PID 3084: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2164 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
(count of matching signatures in parentheses)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 13d743fff676e5875cbb8fd864f13b2a
  SHA1: eda3d652b12d08a94e71c3544db7f4bdf893dee0
  SHA256: 60b28b95453c976b7c8321d90c300757d6268355e4a1dc17d2800e84c7f24085
  SHA512: 5fafd089f368d31e96489b8380c93af4c31afbbec6c6990dad543b6b7f8996985ea2043af2989c1f61d07792856de1e879ce33bb66d32f36a488329f00833c80
- Filesize: 257B
  MD5: 6cf7dca455a47e6ceb39b5dd724f3b45
  SHA1: b0f607ca01f2146c1897376a584c6b3ef79a682e
  SHA256: bea75480021b5477e51537974c450ec6a0e08d837fbe80fe3053be5d8d696337
  SHA512: 1b0b9917d75f24e1f832b7a5fb23c6ebc0d17db79c647ed13962580d32d4188201365d6f898c37c272b80ab55cfe5f29cdbf695458c1efc6b8388ea5ab40bf40