Analysis
-
max time kernel
116s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/08/2024, 17:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e7e4f9b338f634e9818ab8ccb1a12e30N.dll
Resource
win7-20240705-en
windows7-x64
16 signatures
120 seconds
General
-
Target
e7e4f9b338f634e9818ab8ccb1a12e30N.dll
-
Size
120KB
-
MD5
e7e4f9b338f634e9818ab8ccb1a12e30
-
SHA1
e6e0402f372aca08e7fa6552c3e4bebad361f161
-
SHA256
5b2867a6400555f776c50def66004cf71857d35cb3b4d0371f20c2898ba6c68a
-
SHA512
6c4225af7beca3fccb3ec90a6d179836517c8c438c6bae977fb6069d86892b963247db279ef25d7cd32e9d483c3f8ca76d8a79dfcfbc892df3ba84ad44413635
-
SSDEEP
3072:pd34at33rkhErWdQXyTyEdQ5RDaO1PHPUzB:Doa17eEi5wlHPO
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57a095.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57a325.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57a325.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57a095.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a325.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57a325.exe -
Executes dropped EXE 3 IoCs
pid Process 5092 e57a095.exe 4168 e57a325.exe 2108 e57bbfd.exe -
resource yara_rule behavioral2/memory/5092-9-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-10-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-16-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-22-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-14-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-15-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-13-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-12-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-11-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-8-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/5092-53-0x00000000007A0000-0x000000000185A000-memory.dmp upx behavioral2/memory/4168-78-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-77-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-75-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-85-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-84-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-76-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-72-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-71-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-70-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-68-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-73-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx behavioral2/memory/4168-74-0x0000000000BA0000-0x0000000001C5A000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57a325.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57a325.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57a325.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57a325.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a325.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI e57a095.exe File created C:\Windows\e57f1e2 e57a325.exe File created C:\Windows\e57a20c e57a095.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57bbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57a095.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57a325.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 5092 e57a095.exe 5092 e57a095.exe 5092 e57a095.exe 5092 e57a095.exe 4168 e57a325.exe 4168 e57a325.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe Token: SeDebugPrivilege 5092 e57a095.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4072 wrote to memory of 3268 4072 rundll32.exe 84 PID 4072 wrote to memory of 3268 4072 rundll32.exe 84 PID 4072 wrote to memory of 3268 4072 rundll32.exe 84 PID 3268 wrote to memory of 5092 3268 rundll32.exe 85 PID 3268 wrote to memory of 5092 3268 rundll32.exe 85 PID 3268 wrote to memory of 5092 3268 rundll32.exe 85 PID 5092 wrote to memory of 788 5092 e57a095.exe 8 PID 5092 wrote to memory of 796 5092 e57a095.exe 9 PID 5092 wrote to memory of 380 5092 e57a095.exe 13 PID 5092 wrote to memory of 2552 5092 e57a095.exe 44 PID 5092 wrote to memory of 2616 5092 e57a095.exe 45 PID 5092 wrote to memory of 3064 5092 e57a095.exe 53 PID 5092 wrote to memory of 3492 5092 e57a095.exe 56 PID 5092 wrote to memory of 3680 5092 e57a095.exe 57 PID 5092 wrote to memory of 3852 5092 e57a095.exe 58 PID 5092 wrote to memory of 3944 5092 e57a095.exe 59 PID 5092 wrote to memory of 4008 5092 e57a095.exe 60 PID 5092 wrote to memory of 1064 5092 e57a095.exe 61 PID 5092 wrote to memory of 2340 5092 e57a095.exe 62 PID 5092 wrote to memory of 1048 5092 e57a095.exe 74 PID 5092 wrote to memory of 628 5092 e57a095.exe 76 PID 5092 wrote to memory of 3464 5092 e57a095.exe 81 PID 5092 wrote to memory of 4140 5092 e57a095.exe 82 PID 5092 wrote to memory of 4072 5092 e57a095.exe 83 PID 5092 wrote to memory of 3268 5092 e57a095.exe 84 PID 5092 wrote to memory of 3268 5092 e57a095.exe 84 PID 3268 wrote to memory of 4168 3268 rundll32.exe 86 PID 3268 wrote to memory of 4168 3268 rundll32.exe 86 PID 3268 wrote to memory of 4168 3268 rundll32.exe 86 PID 3268 wrote to memory of 2108 3268 rundll32.exe 94 PID 3268 wrote to memory of 2108 3268 rundll32.exe 94 PID 3268 wrote to memory of 2108 3268 rundll32.exe 94 PID 5092 wrote to memory of 788 5092 e57a095.exe 8 PID 5092 wrote to memory of 796 5092 e57a095.exe 9 PID 5092 wrote to memory of 380 5092 e57a095.exe 13 PID 5092 wrote to memory of 2552 5092 e57a095.exe 44 PID 5092 wrote to memory of 2616 5092 e57a095.exe 45 PID 5092 wrote to memory of 3064 5092 e57a095.exe 53 PID 5092 wrote to memory of 3492 5092 e57a095.exe 56 PID 5092 wrote to memory of 3680 5092 e57a095.exe 57 PID 5092 wrote to memory of 3852 5092 e57a095.exe 58 PID 5092 wrote to memory of 3944 5092 e57a095.exe 59 PID 5092 wrote to memory of 4008 5092 e57a095.exe 60 PID 5092 wrote to memory of 1064 5092 e57a095.exe 61 PID 5092 wrote to memory of 2340 5092 e57a095.exe 62 PID 5092 wrote to memory of 1048 5092 e57a095.exe 74 PID 5092 wrote to memory of 628 5092 e57a095.exe 76 PID 5092 wrote to memory of 3464 5092 e57a095.exe 81 PID 5092 wrote to memory of 4168 5092 e57a095.exe 86 PID 5092 wrote to memory of 4168 5092 e57a095.exe 86 PID 5092 wrote to memory of 1860 5092 e57a095.exe 88 PID 5092 wrote to memory of 5028 5092 e57a095.exe 89 PID 5092 wrote to memory of 2108 5092 e57a095.exe 94 PID 5092 wrote to memory of 2108 5092 e57a095.exe 94 PID 4168 wrote to memory of 788 4168 e57a325.exe 8 PID 4168 wrote to memory of 796 4168 e57a325.exe 9 PID 4168 wrote to memory of 380 4168 e57a325.exe 13 PID 4168 wrote to memory of 2552 4168 e57a325.exe 44 PID 4168 wrote to memory of 2616 4168 e57a325.exe 45 PID 4168 wrote to memory of 3064 4168 e57a325.exe 53 PID 4168 wrote to memory of 3492 4168 e57a325.exe 56 PID 4168 wrote to memory of 3680 4168 e57a325.exe 57 PID 4168 wrote to memory of 3852 4168 e57a325.exe 58 PID 4168 wrote to memory of 3944 4168 e57a325.exe 59 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a325.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:796
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:380
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2616
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3064
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3492
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e7e4f9b338f634e9818ab8ccb1a12e30N.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e7e4f9b338f634e9818ab8ccb1a12e30N.dll,#13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\e57a095.exeC:\Users\Admin\AppData\Local\Temp\e57a095.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5092
-
-
C:\Users\Admin\AppData\Local\Temp\e57a325.exeC:\Users\Admin\AppData\Local\Temp\e57a325.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4168
-
-
C:\Users\Admin\AppData\Local\Temp\e57bbfd.exeC:\Users\Admin\AppData\Local\Temp\e57bbfd.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3680
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3852
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3944
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4008
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1064
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2340
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:1048
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:628
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:3464
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4140
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1860
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5028
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD528a1c2fd7cf3b73f89d6a33e08bcbc41
SHA1f00d3e202579d968db87b8c754fac64d669942db
SHA256fe0ce40c103e736bdeb2557789fa61d86c25030155908b5cc4c62a78294d19d1
SHA5127cd559a2afe4b611f7a424438f4137aa99a065c21c71dd2d74da700c8c6fe5c628dc9edee408dbfa1e0e3faf5a2435ec643f441598faa65b1b51deb3eb5af0bb
-
Filesize
257B
MD51f93292d851b0bc5c96db58a6ef3dd6e
SHA1b00109579150a3f60a51b238dd26715fee250ec3
SHA256fc3e015072b428018c59aa397f751b7d82a6e203d214679b55f6b4b8009a9910
SHA512570faea476dba7297598ddfe1d51473898580955c0444a577592a9f760281a5ce695eb929ce447860bff82c38055466af5def4252179217ca7963c1d41636a40