Analysis

max time kernel:   99s
max time network:  102s
platform:          windows10-2004_x64
resource:          win10v2004-20240802-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted:         14/08/2024, 09:11

Tasks
  Static task:      static1
  Behavioral task:  behavioral1
    Sample:    d84ed8170c84d2fa740aa6bd98af7ba0N.dll
    Resource:  win7-20240729-en

Note: the memory-dump entries in the signature tables below are labelled behavioral2 and belong to the win10v2004 platform listed above, not to the win7 resource listed for behavioral1.
General
  Target:  d84ed8170c84d2fa740aa6bd98af7ba0N.dll
  Size:    120KB
  MD5:     d84ed8170c84d2fa740aa6bd98af7ba0
  SHA1:    c8327cfb769ef0412c024b5d0aba9475fbcc613d
  SHA256:  0ef08ad567cc19565194fa084f6b0af70f075d19ea54e54857ddf695ce0bcdcf
  SHA512:  7fdb35ddb611c0d5aa368ceebb131e7eeec9f88a24ccddf504472a850537f268a68c73fca1f056566026bb7669e119fa9af8d26b0764762d7253ffaa933a0341
  SSDEEP:  1536:XNg8TtfpjmUYL8in+JTCJS9Hhw16qs3Z4y4xthJstkCPC8LL6Nr4+PKvq:9Xtf50PL+hw14ZH4UtkCL6NM+PZ
Malware Config (extracted)
  family:  sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description      ioc                                                                                                                               process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57f50e.exe

UAC bypass (2 IoCs; heading restored from the process tree, where this signature is listed for both dropped executables)
  description      ioc                                                                                         process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c8be.exe

Windows security bypass (12 IoCs; heading restored from the process tree)
  description      ioc                                                                                       process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57f50e.exe
Executes dropped EXE (3 IoCs)
  pid   process
  4176  e57c8be.exe
  4072  e57ca35.exe
  5108  e57f50e.exe
UPX-packed code in memory (yara rule upx; 29 IoCs)
  resource                                                                          yara_rule
  behavioral2/memory/4176-<n>-0x0000000000790000-0x000000000184A000-memory.dmp       upx
    for dump index n in: 6, 8, 9, 10, 11, 17, 18, 19, 28, 34, 35, 36, 37, 38, 39, 40, 42, 47, 56, 58, 60, 61, 62, 65, 67, 70, 71 (27 dumps)
  behavioral2/memory/5108-106-0x0000000000800000-0x00000000018BA000-memory.dmp       upx
  behavioral2/memory/5108-147-0x0000000000800000-0x00000000018BA000-memory.dmp       upx
  The matched region is the same size (0x10BA000 bytes) in both e57c8be.exe (PID 4176) and e57f50e.exe (PID 5108), only at a different base address.
Windows security modification (14 IoCs; heading restored from the process tree)
  description      ioc                                                                                       process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57c8be.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                           e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57f50e.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                           e57f50e.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57c8be.exe

Checks whether UAC is enabled (2 IoCs; heading restored from the process tree)
  description      ioc                                                                                         process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57f50e.exe
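A small classifier for registry IoCs of the kind in the tables above, added here as an example; it is the editor's code, not part of the sandbox report and not tooling from the sandbox vendor. It takes "Set value" / "Key created" lines exactly as the report prints them, normalises the kernel-style path (\REGISTRY\MACHINE, the WOW6432Node view, the ControlSet001 alias) to one HKLM form, and compares each write against the value an intact host holds. The secure-value table and the technique labels are the editor's (the labels follow the names used in this report's MITRE section); the sample input is seven lines copied from the tables above. The same check covers the System policy modification entries further down, which are the same EnableLUA writes.

```python
"""Classify registry-tampering IoCs as printed in the sandbox report.

Editor's example; not part of the report and not vendor tooling.
"""
import re

# Sample input: seven lines copied from the signature tables above.
REPORT_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57c8be.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57c8be.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57c8be.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57f50e.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57c8be.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57f50e.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57c8be.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')

FW = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
UAC = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SC = r"HKLM\SOFTWARE\Microsoft\Security Center"

# (key, value name) -> (value an intact host holds, technique name as used in the
# report's MITRE section). Editor's table. DoNotAllowExceptions is left out on
# purpose: "0" is the default, so writing it is worth noting but is not a weakening.
SECURE_VALUES = {
    (FW, "EnableFirewall"): ("1", "Disable or Modify System Firewall"),
    (FW, "DisableNotifications"): ("0", "Disable or Modify System Firewall"),
    (UAC, "EnableLUA"): ("1", "Bypass User Account Control"),
    (SC, "AntiVirusOverride"): ("0", "Disable or Modify Tools"),
    (SC, "FirewallOverride"): ("0", "Disable or Modify Tools"),
    (SC, "AntiVirusDisableNotify"): ("0", "Disable or Modify Tools"),
    (SC, "FirewallDisableNotify"): ("0", "Disable or Modify Tools"),
    (SC, "UpdatesDisableNotify"): ("0", "Disable or Modify Tools"),
    (SC, "UacDisableNotify"): ("0", "Disable or Modify Tools"),
}
MONITORED_KEYS = {key for key, _ in SECURE_VALUES}


def normalize_key(path: str) -> str:
    """Map a kernel-style path to HKLM form, folding the WOW6432Node (32-bit)
    view and the ControlSet00N alias so one key compares equal however written."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(prefix):
        path = "HKLM\\" + path[len(prefix):]
    path = path.replace("\\WOW6432Node\\", "\\")
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path)


def parse_ioc(line: str):
    """One report line -> dict, or None for lines that are not registry IoCs."""
    m = SET_RE.match(line)
    if m:
        vtype, path, value, proc = m.groups()
        key, name = normalize_key(path).rsplit("\\", 1)
        return {"op": "set", "type": vtype, "key": key, "name": name, "value": value, "process": proc}
    m = KEY_RE.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "create", "type": None, "key": normalize_key(path), "name": None, "value": None, "process": proc}
    return None


def assess(lines):
    """'tamper' when a monitored value is set to anything but its secure value;
    'watch' for any other write or key creation under a monitored key."""
    findings = []
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        policy = SECURE_VALUES.get((ioc["key"], ioc["name"])) if ioc["op"] == "set" else None
        if policy and policy[0] != ioc["value"]:
            findings.append({"severity": "tamper", "technique": policy[1], "expected": policy[0], **ioc})
        elif any(ioc["key"] == k or ioc["key"].startswith(k + "\\") for k in MONITORED_KEYS):
            findings.append({"severity": "watch", "technique": "Modify Registry", "expected": None, **ioc})
    return findings


def techniques_by_process(findings):
    """Which defence-evasion techniques each process was seen performing."""
    out = {}
    for f in findings:
        if f["severity"] == "tamper":
            out.setdefault(f["process"], set()).add(f["technique"])
    return out


if __name__ == "__main__":
    for f in assess(REPORT_IOCS):
        print(f'{f["severity"]:6} {f["process"]:12} {f["technique"]:36} {f["key"]}\\{f["name"] or ""} = {f["value"]}')
```

Two things the normalisation is there for. First, every Security Center write in this report went through the WOW6432Node view, which is where a 32-bit process (the dropped EXEs run under the SysWOW64 rundll32) is redirected when it opens HKLM\SOFTWARE; an audit that only reads the native 64-bit view of that key will not see these writes. Second, ControlSet001 is the control set the sandbox booted from, so the same key shows up as CurrentControlSet in a live host audit and as ControlSet001 in an offline hive; folding both lets one rule serve both sources.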
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     process
  File opened (read-only)  \??\E:  e57c8be.exe
  File opened (read-only)  \??\J:  e57c8be.exe
  File opened (read-only)  \??\E:  e57f50e.exe
  File opened (read-only)  \??\J:  e57f50e.exe
  File opened (read-only)  \??\K:  e57c8be.exe
  File opened (read-only)  \??\L:  e57c8be.exe
  File opened (read-only)  \??\N:  e57c8be.exe
  File opened (read-only)  \??\G:  e57c8be.exe
  File opened (read-only)  \??\H:  e57c8be.exe
  File opened (read-only)  \??\M:  e57c8be.exe
  File opened (read-only)  \??\O:  e57c8be.exe
  File opened (read-only)  \??\I:  e57c8be.exe
  File opened (read-only)  \??\G:  e57f50e.exe
  File opened (read-only)  \??\H:  e57f50e.exe
  File opened (read-only)  \??\I:  e57f50e.exe
Drops file in Program Files directory (3 IoCs)
  description                   ioc                             process
  File opened for modification  C:\Program Files\7-Zip\7z.exe   e57c8be.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe e57c8be.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe  e57c8be.exe
  The three 7-Zip binaries are opened for write, not read. For a sample the config extractor identifies as Sality, a file infector, any executable a dropped process opened for modification should be treated as possibly infected and re-verified against a known-good copy rather than trusted on its path.

Drops file in Windows directory (3 IoCs)
  description                   ioc                     process
  File created                  C:\Windows\e57c8fd      e57c8be.exe
  File opened for modification  C:\Windows\SYSTEM.INI   e57c8be.exe
  File created                  C:\Windows\e581cab      e57f50e.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                   process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57c8be.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57ca35.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57f50e.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  4176  e57c8be.exe  (4 entries)
  5108  e57f50e.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4176  e57c8be.exe  (the same entry repeated 64 times)
  SeDebugPrivilege is what a process enables before opening other processes for write; read together with the WriteProcessMemory table below, this is the setup for the cross-process writes that e57c8be.exe then performs.
Suspicious use of WriteProcessMemory (64 IoCs)
  The table below is de-duplicated from the 64 recorded entries. Each parent-to-child start appears three times in the report, and e57c8be.exe (4176) made two full passes over the same target list, so the "writes" column gives the number of recorded entries per pair.
  source  target  source image   target index  writes
  4584    3076    rundll32.exe   88            3
  3076    4176    rundll32.exe   89            3
  3076    4072    rundll32.exe   90            3
  3076    5108    rundll32.exe   98            3
  4176    796     e57c8be.exe    9             2
  4176    804     e57c8be.exe    10            2
  4176    336     e57c8be.exe    13            2
  4176    2536    e57c8be.exe    44            2
  4176    2624    e57c8be.exe    45            2
  4176    2776    e57c8be.exe    47            2
  4176    3428    e57c8be.exe    55            2
  4176    3668    e57c8be.exe    57            2
  4176    3840    e57c8be.exe    58            2
  4176    3988    e57c8be.exe    59            2
  4176    4052    e57c8be.exe    60            2
  4176    1516    e57c8be.exe    61            2
  4176    2336    e57c8be.exe    62            2
  4176    4500    e57c8be.exe    74            2
  4176    2028    e57c8be.exe    76            2
  4176    3768    e57c8be.exe    79            2
  4176    4624    e57c8be.exe    85            2
  4176    972     e57c8be.exe    86            2
  4176    4584    e57c8be.exe    87            2
  4176    3076    e57c8be.exe    88            2
  4176    4072    e57c8be.exe    90            2
  4176    1468    e57c8be.exe    92            1
  5108    796     e57f50e.exe    9             1
  5108    804     e57f50e.exe    10            1
  5108    336     e57f50e.exe    13            1
  5108    2536    e57f50e.exe    44            1
  5108    2624    e57f50e.exe    45            1
  5108    2776    e57f50e.exe    47            1
  5108    3428    e57f50e.exe    55            1
  5108    3668    e57f50e.exe    57            1
  5108    3840    e57f50e.exe    58            1
  The entries from the two rundll32 hosts (4584, 3076) target only the processes they started. e57c8be.exe (4176) wrote into every other listed process, including its own rundll32 ancestors (4584, 3076) and its siblings (4072), which is injection into the whole session rather than parent/child setup. The list stops at 64 entries, the same count as the AdjustPrivilegeToken table, with the e57f50e.exe (5108) pass ending at 3840 part-way through the target list that 4176 walked, so it should be read as capped rather than complete.
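An added example, the editor's code rather than anything from the report or the sandbox vendor, that turns WriteProcessMemory entries of the form above into an injection graph. It parses the "PID <src> wrote to memory of <dst> <src> <image> <target index>" lines, merges repeats, and separates writes into a process's own freshly started children (which any parent does at process-start time) from writes into processes it did not start. The sample lines are an excerpt of the table above, and PROCESS_TREE_CHILDREN and IMAGES are read off the report's process tree; the three-foreign-target threshold is the editor's choice.

```python
"""Injection graph from sandbox WriteProcessMemory entries.

Editor's example; not part of the report and not vendor tooling.
"""
import re
from collections import Counter, defaultdict

# Excerpt of the report's WriteProcessMemory table (verbatim lines).
REPORT_LINES = [
    "PID 4584 wrote to memory of 3076 4584 rundll32.exe 88",
    "PID 4584 wrote to memory of 3076 4584 rundll32.exe 88",
    "PID 4584 wrote to memory of 3076 4584 rundll32.exe 88",
    "PID 3076 wrote to memory of 4176 3076 rundll32.exe 89",
    "PID 3076 wrote to memory of 4176 3076 rundll32.exe 89",
    "PID 3076 wrote to memory of 4176 3076 rundll32.exe 89",
    "PID 4176 wrote to memory of 796 4176 e57c8be.exe 9",
    "PID 4176 wrote to memory of 804 4176 e57c8be.exe 10",
    "PID 4176 wrote to memory of 336 4176 e57c8be.exe 13",
    "PID 4176 wrote to memory of 2536 4176 e57c8be.exe 44",
    "PID 4176 wrote to memory of 2624 4176 e57c8be.exe 45",
    "PID 4176 wrote to memory of 2776 4176 e57c8be.exe 47",
    "PID 4176 wrote to memory of 3428 4176 e57c8be.exe 55",
    "PID 4176 wrote to memory of 3076 4176 e57c8be.exe 88",
    "PID 4176 wrote to memory of 3076 4176 e57c8be.exe 88",
    "PID 3076 wrote to memory of 4072 3076 rundll32.exe 90",
    "PID 3076 wrote to memory of 5108 3076 rundll32.exe 98",
    "PID 5108 wrote to memory of 796 5108 e57f50e.exe 9",
    "PID 5108 wrote to memory of 804 5108 e57f50e.exe 10",
    "PID 5108 wrote to memory of 336 5108 e57f50e.exe 13",
]

# Parent -> children, as shown in the report's process tree.
PROCESS_TREE_CHILDREN = {3428: {4584}, 4584: {3076}, 3076: {4176, 4072, 5108}}

# PID -> image name for the processes involved, from the report's process tree.
IMAGES = {796: "fontdrvhost.exe", 804: "fontdrvhost.exe", 336: "dwm.exe", 2536: "sihost.exe",
          2624: "svchost.exe", 2776: "taskhostw.exe", 3428: "Explorer.EXE", 4584: "rundll32.exe",
          3076: "rundll32.exe", 4176: "e57c8be.exe", 4072: "e57ca35.exe", 5108: "e57f50e.exe"}

# The writer PID appears twice per line; the back-reference rejects lines where
# the two copies disagree instead of silently taking one of them.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_wpm(lines):
    """-> list of (src_pid, dst_pid, src_image, target_index); malformed lines are skipped."""
    out = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            src, dst, image, idx = m.groups()
            out.append((int(src), int(dst), image, int(idx)))
    return out


def build_graph(entries):
    """src_pid -> Counter(dst_pid -> number of recorded writes)."""
    graph = defaultdict(Counter)
    for src, dst, _image, _idx in entries:
        graph[src][dst] += 1
    return graph


def classify(graph, children, images=IMAGES, threshold=3):
    """Per writer: distinct targets, which of them it did not start itself, and a
    verdict. `threshold` or more foreign targets is treated as injection."""
    findings = []
    for src, targets in graph.items():
        own = children.get(src, set())
        foreign = sorted(t for t in targets if t not in own)
        if not foreign:
            verdict = "writes only to own children"
        elif len(foreign) >= threshold:
            verdict = "injects into unrelated processes"
        else:
            verdict = "few foreign writes"
        findings.append({
            "writer": src,
            "image": images.get(src, "?"),
            "distinct_targets": len(targets),
            "foreign_targets": foreign,
            "foreign_images": sorted({images.get(t, "?") for t in foreign}),
            "verdict": verdict,
        })
    return sorted(findings, key=lambda f: (-len(f["foreign_targets"]), f["writer"]))


if __name__ == "__main__":
    for f in classify(build_graph(parse_wpm(REPORT_LINES)), PROCESS_TREE_CHILDREN):
        print(f'{f["writer"]:5} {f["image"]:12} targets={f["distinct_targets"]:2} '
              f'foreign={len(f["foreign_targets"]):2}  {f["verdict"]}: {", ".join(f["foreign_images"])}')
```

The parent/child split is what keeps the two rundll32 hosts out of the result: a parent writes into the process it has just created, so their entries are expected, while e57c8be.exe writing into fontdrvhost.exe, dwm.exe, Explorer.EXE and its own rundll32 parent is not. Feeding the full 64-line table in gives the same ordering with a larger foreign list for 4176.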
System policy modification (1 TTPs, 2 IoCs)
  description      ioc                                                                                         process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c8be.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57f50e.exe
Processes
(indentation shows parent/child depth; "sig:" lists the signatures the report attached to that process; format is image path, command line, PID)

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID 796
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID 804
C:\Windows\system32\dwm.exe  "dwm.exe"  PID 336
C:\Windows\system32\sihost.exe  sihost.exe  PID 2536
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID 2624
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID 2776
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID 3428
    C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d84ed8170c84d2fa740aa6bd98af7ba0N.dll,#1  PID 4584
        sig: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d84ed8170c84d2fa740aa6bd98af7ba0N.dll,#1  PID 3076
            sig: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57c8be.exe  C:\Users\Admin\AppData\Local\Temp\e57c8be.exe  PID 4176
                sig: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57ca35.exe  C:\Users\Admin\AppData\Local\Temp\e57ca35.exe  PID 4072
                sig: Executes dropped EXE; System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57f50e.exe  C:\Users\Admin\AppData\Local\Temp\e57f50e.exe  PID 5108
                sig: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID 3668
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 3840
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID 3988
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4052
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID 1516
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 2336
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID 4500
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 2028
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 3768
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID 4624
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID 972
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 1468

Reading the tree: the sample is a DLL, so the sandbox runs it through rundll32.exe with ",#1", i.e. it calls the export at ordinal 1. The 64-bit system32\rundll32.exe (4584) hands off to SysWOW64\rundll32.exe (3076), which is what happens when a 32-bit DLL is given to the 64-bit host (the resource tags list arch:x86), and it is the 32-bit rundll32 that writes and starts the three dropped executables. The remaining depth-1 entries are the desktop session's own processes; they appear in the tree because e57c8be.exe and e57f50e.exe wrote into them, as recorded in the WriteProcessMemory table.
Network
(no network entries recorded in this report)

MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (4)
      Disable or Modify System Firewall (1)
      Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
  File (97KB)
    Filesize:  97KB
    MD5:       ef93dc703219afff7d973f8e7091e339
    SHA1:      d7e42e23f34c5da57ad910418babe8e9c7c3d18b
    SHA256:    4c56688f8b87d43ead66fc1f653cda236334c2d2d0068e8fb18bbad583fc1f41
    SHA512:    54bb759663c7095c4c5d20438a54504711b7972444fef4d74eeeeabcc828ccbd4418482e10e9e7dbe7aa041e3869a8abd97f480d3ad29005e1b4519dfaf24a17
  File (257B)
    Filesize:  257B
    MD5:       eed2c653bb9a608d54cb772cc133fb0c
    SHA1:      c87b92f7db9f346f596f29737bbcf7132ccdce97
    SHA256:    234e8f8fb9700cbe301a0a971dbacbdcbeb070845c39a9794035bfb9465e191c
    SHA512:    fff44d9678e65f24895b6872b1a7f174adca5efd5e7acf1773540cb38b0a1f6109045cf9898fee618d6087fa8b9cf880443cedc1d66c223909e32ebac004c495