Analysis
- max time kernel: 94s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/09/2024, 20:49

Static task: static1
Behavioral task: behavioral1
Sample: 6be7e4ebd47603bb14ea3ca51196a070N.dll
Resource: win7-20240903-en

General
- Target: 6be7e4ebd47603bb14ea3ca51196a070N.dll
- Size: 120KB
- MD5: 6be7e4ebd47603bb14ea3ca51196a070
- SHA1: 0309c4a7180b6049614dca3e3877866b26a90ef4
- SHA256: c4b68225538856f3bf85eb10f67829e195d11291e393e3f130a685c70ebe36d7
- SHA512: d8f789039cacadbbaca2ab55bd6df10816cb6c75bf211d3959c1bdbedceabb475f130047027970995b431c660bd957b6e521d244237362c92cb555e3905cb564
- SSDEEP: 1536:0K3hXoC0g2b9h0djiIZM4VRWGynCjl3ZbF1DE5U00JH8vNYsmZO9CS13p:B70g2ph0dvTRlF5E5U00dE6smZ8B3p
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif

Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e5798b6.exe)
UAC bypass
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5798b6.exe)
Windows security bypass
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e577d2f.exe)
Executes dropped EXE 4 IoCs
pid / Process:
- 5080 e577d2f.exe
- 2792 e577e77.exe
- 4508 e5798b6.exe
- 3380 e579904.exe
Windows security modification
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5798b6.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e5798b6.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5798b6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5798b6.exe)
Checks whether UAC is enabled
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5798b6.exe)
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only) \??\H: (e577d2f.exe)
- File opened (read-only) \??\J: (e577d2f.exe)
- File opened (read-only) \??\L: (e577d2f.exe)
- File opened (read-only) \??\R: (e577d2f.exe)
- File opened (read-only) \??\M: (e577d2f.exe)
- File opened (read-only) \??\N: (e577d2f.exe)
- File opened (read-only) \??\E: (e5798b6.exe)
- File opened (read-only) \??\K: (e577d2f.exe)
- File opened (read-only) \??\O: (e577d2f.exe)
- File opened (read-only) \??\Q: (e577d2f.exe)
- File opened (read-only) \??\S: (e577d2f.exe)
- File opened (read-only) \??\G: (e5798b6.exe)
- File opened (read-only) \??\E: (e577d2f.exe)
- File opened (read-only) \??\G: (e577d2f.exe)
- File opened (read-only) \??\I: (e577d2f.exe)
- File opened (read-only) \??\P: (e577d2f.exe)
Drops file in Program Files directory 4 IoCs
description / ioc / Process:
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e577d2f.exe)
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe (e577d2f.exe)
- File opened for modification C:\Program Files\7-Zip\7z.exe (e577d2f.exe)
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e577d2f.exe)
Drops file in Windows directory 3 IoCs
description / ioc / Process:
- File created C:\Windows\e57cdc0 (e5798b6.exe)
- File created C:\Windows\e577d8c (e577d2f.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e577d2f.exe)
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e577e77.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e5798b6.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e579904.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e577d2f.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid / Process:
- 5080 e577d2f.exe
- 5080 e577d2f.exe
- 5080 e577d2f.exe
- 5080 e577d2f.exe
- 4508 e5798b6.exe
- 4508 e5798b6.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process:
- Token: SeDebugPrivilege (pid 5080, e577d2f.exe)
The report records this identical entry 64 times; it is shown once here.
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (identical entries, which the report records up to three times each, are shown once):
- PID 1516 wrote to memory of 2500 (pid 1516, rundll32.exe, procid_target 83)
- PID 2500 wrote to memory of 5080 (pid 2500, rundll32.exe, procid_target 84)
- PID 5080 wrote to memory of 804 (pid 5080, e577d2f.exe, procid_target 9)
- PID 5080 wrote to memory of 812 (pid 5080, e577d2f.exe, procid_target 10)
- PID 5080 wrote to memory of 316 (pid 5080, e577d2f.exe, procid_target 13)
- PID 5080 wrote to memory of 2608 (pid 5080, e577d2f.exe, procid_target 44)
- PID 5080 wrote to memory of 2640 (pid 5080, e577d2f.exe, procid_target 45)
- PID 5080 wrote to memory of 2892 (pid 5080, e577d2f.exe, procid_target 51)
- PID 5080 wrote to memory of 3504 (pid 5080, e577d2f.exe, procid_target 56)
- PID 5080 wrote to memory of 3628 (pid 5080, e577d2f.exe, procid_target 57)
- PID 5080 wrote to memory of 3808 (pid 5080, e577d2f.exe, procid_target 58)
- PID 5080 wrote to memory of 3900 (pid 5080, e577d2f.exe, procid_target 59)
- PID 5080 wrote to memory of 3964 (pid 5080, e577d2f.exe, procid_target 60)
- PID 5080 wrote to memory of 4052 (pid 5080, e577d2f.exe, procid_target 61)
- PID 5080 wrote to memory of 2236 (pid 5080, e577d2f.exe, procid_target 62)
- PID 5080 wrote to memory of 396 (pid 5080, e577d2f.exe, procid_target 74)
- PID 5080 wrote to memory of 3092 (pid 5080, e577d2f.exe, procid_target 76)
- PID 5080 wrote to memory of 2604 (pid 5080, e577d2f.exe, procid_target 81)
- PID 5080 wrote to memory of 1516 (pid 5080, e577d2f.exe, procid_target 82)
- PID 5080 wrote to memory of 2500 (pid 5080, e577d2f.exe, procid_target 83)
- PID 2500 wrote to memory of 2792 (pid 2500, rundll32.exe, procid_target 85)
- PID 2500 wrote to memory of 4508 (pid 2500, rundll32.exe, procid_target 89)
- PID 2500 wrote to memory of 3380 (pid 2500, rundll32.exe, procid_target 90)
- PID 5080 wrote to memory of 2792 (pid 5080, e577d2f.exe, procid_target 85)
- PID 5080 wrote to memory of 3672 (pid 5080, e577d2f.exe, procid_target 87)
- PID 5080 wrote to memory of 4244 (pid 5080, e577d2f.exe, procid_target 88)
- PID 5080 wrote to memory of 4508 (pid 5080, e577d2f.exe, procid_target 89)
- PID 5080 wrote to memory of 3380 (pid 5080, e577d2f.exe, procid_target 90)
- PID 4508 wrote to memory of 804 (pid 4508, e5798b6.exe, procid_target 9)
- PID 4508 wrote to memory of 812 (pid 4508, e5798b6.exe, procid_target 10)
- PID 4508 wrote to memory of 316 (pid 4508, e5798b6.exe, procid_target 13)
- PID 4508 wrote to memory of 2608 (pid 4508, e5798b6.exe, procid_target 44)
- PID 4508 wrote to memory of 2640 (pid 4508, e5798b6.exe, procid_target 45)
- PID 4508 wrote to memory of 2892 (pid 4508, e5798b6.exe, procid_target 51)
- PID 4508 wrote to memory of 3504 (pid 4508, e5798b6.exe, procid_target 56)
System policy modification 1 TTPs 2 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e577d2f.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5798b6.exe)
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 804
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 812
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 316
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2608
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2640
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2892
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3504
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6be7e4ebd47603bb14ea3ca51196a070N.dll,#1
    PID: 1516
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6be7e4ebd47603bb14ea3ca51196a070N.dll,#1
      PID: 2500
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e577d2f.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e577d2f.exe
        PID: 5080
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e577e77.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e577e77.exe
        PID: 2792
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e5798b6.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e5798b6.exe
        PID: 4508
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e579904.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e579904.exe
        PID: 3380
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3628
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3808
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3900
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3964
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4052
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2236
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 396
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3092
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2604
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3672
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4244
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 1253e4f31a6a2e9464e02181cab78b74
  SHA1: 08ad74008292906df8fee650e4ea558d21f02e46
  SHA256: de2188e122221f0b2b1ca3e8e70404c6531b98e126c3dad843fb85a8e75b3af9
  SHA512: 4b63a39ea27f0e5d6a615126467a2859c98995a9cc2759c4c5c3cfce15fa06520b5d19c704bb596fdcf43d95b2e8cef6965124e974550ffedd14aa70f37b8551
- Filesize: 256B
  MD5: 71ad75ec22e1fa6247eded4f7998be2e
  SHA1: c3ef307d7ba72176b6af65036eeba200f9484415
  SHA256: cd5ac41e65f4eb4ec55a7bd105f2b4792bd46b3e30a927dba6772b642925678e
  SHA512: f635d83fd1f1cfa08adeffca287f15a1acbfeb7b6edd744de2271e517261f303165e37b002a5afc47acf605477b3620b815c0601eb8547698703958d8f66090a