Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-09-2024 04:31

Static task: static1
Behavioral task: behavioral1
Sample: 26f4d49733c8583ccb0f5c598973e890N.dll
Resource: win7-20240903-en
General

Target: 26f4d49733c8583ccb0f5c598973e890N.dll
Size: 120KB
MD5: 26f4d49733c8583ccb0f5c598973e890
SHA1: 4536fbe71bcaacae93b70e7b2d6d897600d4daf1
SHA256: 26f1f892bb9e929c5212a61e3cda12658e23431c65bc4eb0173984ad7d616fc3
SHA512: 7c71495860f082fe3e6817b65f7e67ac664ee9e2b086ea8bdbd652a0db22581d1f5b5038a7d7cfa4e1ae4b2ad577c73cbf49ab05a139960cb67a2735712c9073
SSDEEP: 1536:XUDz/ILTRIkb9FJKdZRdvp0rRWdzCvNw4EE2u5csquwmBg3WB6CAeKxiz7ogg2Px:XMj4WkpFJKxdvSrR4Hqhcs/B6CATYfW
Malware Config

Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
All values under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
description | ioc | Process
Set value (int) | EnableFirewall = "0" | f76c6c8.exe
Set value (int) | DisableNotifications = "1" | f76c6c8.exe
Set value (int) | EnableFirewall = "0" | f76c85e.exe
Set value (int) | EnableFirewall = "0" | f76e282.exe
Set value (int) | DoNotAllowExceptions = "0" | f76e282.exe
Set value (int) | DoNotAllowExceptions = "0" | f76c6c8.exe
Set value (int) | DoNotAllowExceptions = "0" | f76c85e.exe
Set value (int) | DisableNotifications = "1" | f76c85e.exe
Set value (int) | DisableNotifications = "1" | f76e282.exe
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c6c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c85e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e282.exe
Windows security bypass 18 IoCs
All values under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
description | ioc | Process
Set value (int) | AntiVirusOverride = "1" | f76c6c8.exe
Set value (int) | UacDisableNotify = "1" | f76c85e.exe
Set value (int) | FirewallOverride = "1" | f76e282.exe
Set value (int) | UacDisableNotify = "1" | f76e282.exe
Set value (int) | FirewallDisableNotify = "1" | f76c6c8.exe
Set value (int) | FirewallDisableNotify = "1" | f76c85e.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76e282.exe
Set value (int) | UpdatesDisableNotify = "1" | f76e282.exe
Set value (int) | FirewallOverride = "1" | f76c6c8.exe
Set value (int) | UpdatesDisableNotify = "1" | f76c6c8.exe
Set value (int) | UacDisableNotify = "1" | f76c6c8.exe
Set value (int) | FirewallOverride = "1" | f76c85e.exe
Set value (int) | FirewallDisableNotify = "1" | f76e282.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76c6c8.exe
Set value (int) | AntiVirusOverride = "1" | f76c85e.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76c85e.exe
Set value (int) | UpdatesDisableNotify = "1" | f76c85e.exe
Set value (int) | AntiVirusOverride = "1" | f76e282.exe
Executes dropped EXE 3 IoCs
pid | Process
2308 | f76c6c8.exe
2776 | f76c85e.exe
2660 | f76e282.exe
Loads dropped DLL 6 IoCs
pid | Process
2120 | rundll32.exe (×6)
UPX-packed memory regions (yara rule: upx) 25 IoCs
resource | yara_rule
behavioral1/memory/2308-N-0x0000000000960000-0x0000000001A1A000-memory.dmp, N in {11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 58, 59, 60, 61, 62, 64, 65, 78, 83, 85, 105, 107, 154} (23 dumps) | upx
behavioral1/memory/2776-N-0x0000000000900000-0x00000000019BA000-memory.dmp, N in {192, 218} (2 dumps) | upx
Windows security modification 21 IoCs
All keys/values under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
description | ioc | Process
Set value (int) | FirewallOverride = "1" | f76c6c8.exe
Key created | Svc | f76c6c8.exe
Set value (int) | FirewallDisableNotify = "1" | f76e282.exe
Set value (int) | UpdatesDisableNotify = "1" | f76e282.exe
Set value (int) | UacDisableNotify = "1" | f76e282.exe
Set value (int) | AntiVirusOverride = "1" | f76c6c8.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76c6c8.exe
Set value (int) | UpdatesDisableNotify = "1" | f76c6c8.exe
Set value (int) | FirewallDisableNotify = "1" | f76c85e.exe
Set value (int) | UpdatesDisableNotify = "1" | f76c85e.exe
Key created | Svc | f76e282.exe
Set value (int) | FirewallDisableNotify = "1" | f76c6c8.exe
Set value (int) | UacDisableNotify = "1" | f76c6c8.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76c85e.exe
Set value (int) | FirewallOverride = "1" | f76c85e.exe
Set value (int) | UacDisableNotify = "1" | f76c85e.exe
Set value (int) | AntiVirusOverride = "1" | f76e282.exe
Set value (int) | FirewallOverride = "1" | f76e282.exe
Set value (int) | AntiVirusOverride = "1" | f76c85e.exe
Key created | Svc | f76c85e.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76e282.exe
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c6c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c85e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e282.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J:, \??\L:, \??\N:, \??\E:, \??\S:, \??\I:, \??\P:, \??\G:, \??\H:, \??\K:, \??\M:, \??\O:, \??\Q:, \??\R:, \??\T: (15 drive letters, one row each) | f76c6c8.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\f76c716 | f76c6c8.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76c6c8.exe
File created | C:\Windows\f7716cb | f76c85e.exe
File created | C:\Windows\f7730ff | f76e282.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c6c8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c85e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e282.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2308 | f76c6c8.exe (×2)
2776 | f76c85e.exe
2660 | f76e282.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2308 | f76c6c8.exe (repeated)
Token: SeDebugPrivilege | 2776 | f76c85e.exe (repeated)
(46 rows in total across the two processes)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2112 wrote to memory of 2120 | 2112 | rundll32.exe | 30 (×7)
PID 2120 wrote to memory of 2308 | 2120 | rundll32.exe | 31 (×4)
PID 2308 wrote to memory of 1112 | 2308 | f76c6c8.exe | 19
PID 2308 wrote to memory of 1176 | 2308 | f76c6c8.exe | 20
PID 2308 wrote to memory of 1208 | 2308 | f76c6c8.exe | 21
PID 2308 wrote to memory of 1108 | 2308 | f76c6c8.exe | 23
PID 2308 wrote to memory of 2112 | 2308 | f76c6c8.exe | 29
PID 2308 wrote to memory of 2120 | 2308 | f76c6c8.exe | 30 (×2)
PID 2120 wrote to memory of 2776 | 2120 | rundll32.exe | 32 (×4)
PID 2120 wrote to memory of 2660 | 2120 | rundll32.exe | 34 (×4)
PID 2308 wrote to memory of 1112 | 2308 | f76c6c8.exe | 19
PID 2308 wrote to memory of 1176 | 2308 | f76c6c8.exe | 20
PID 2308 wrote to memory of 1208 | 2308 | f76c6c8.exe | 21
PID 2308 wrote to memory of 1108 | 2308 | f76c6c8.exe | 23
PID 2308 wrote to memory of 2776 | 2308 | f76c6c8.exe | 32 (×2)
PID 2308 wrote to memory of 2660 | 2308 | f76c6c8.exe | 34 (×2)
PID 2776 wrote to memory of 1112 | 2776 | f76c85e.exe | 19
PID 2776 wrote to memory of 1176 | 2776 | f76c85e.exe | 20
PID 2776 wrote to memory of 1208 | 2776 | f76c85e.exe | 21
PID 2776 wrote to memory of 1108 | 2776 | f76c85e.exe | 23
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c6c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c85e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e282.exe
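The registry-based signatures above (firewall policy, Security Center overrides, EnableLUA) all reduce to "a specific value under a specific key was set to a specific number". The following is an added example, not part of the sandbox report or of any vendor tooling, that turns those rows into a small detection routine: it normalises the kernel-style paths (\REGISTRY\MACHINE, ControlSet001, Wow6432Node) onto one canonical form and classifies each write against the same key/value/data triples the report flagged. The record shape {"process", "path", "data"} is an assumption made for the example; the paths and data in the sample records are copied from the report's IoC rows, and the two benign records are constructed.

```python
"""Added example (not from the sandbox report): classify registry writes into
the report's defense-impairment signatures. Record shape is an assumption."""
import re
from collections import defaultdict

# Canonical key paths after normalisation (HKLM, CurrentControlSet, no Wow6432Node).
FIREWALL_POLICY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                   r"\Parameters\FirewallPolicy\StandardProfile")
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
SYSTEM_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# signature -> {(key, value name): data that indicates tampering}
RULES = {
    "Modifies firewall policy service": {
        (FIREWALL_POLICY, "EnableFirewall"): "0",        # firewall switched off
        (FIREWALL_POLICY, "DisableNotifications"): "1",  # suppress the "firewall off" prompt
        (FIREWALL_POLICY, "DoNotAllowExceptions"): "0",  # permissive: exceptions allowed
    },
    "Windows security bypass": {
        (SECURITY_CENTER, name): "1"                     # Security Center told to stay quiet
        for name in ("AntiVirusOverride", "AntiVirusDisableNotify",
                     "FirewallOverride", "FirewallDisableNotify",
                     "UacDisableNotify", "UpdatesDisableNotify")
    },
    "UAC bypass": {
        (SYSTEM_POLICY, "EnableLUA"): "0",               # UAC disabled from next logon
    },
}

# Flattened, case-insensitive lookup: (key, value name) -> (signature, expected data)
LOOKUP = {
    (key.lower(), name.lower()): (signature, expected)
    for signature, values in RULES.items()
    for (key, name), expected in values.items()
}


def normalise(path: str) -> str:
    """Map kernel (\\REGISTRY\\MACHINE) and Win32 (HKEY_LOCAL_MACHINE) spellings,
    any ControlSetNNN, and the Wow6432Node view onto one canonical path."""
    p = path.strip("\\")
    p = re.sub(r"^REGISTRY\\MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\Wow6432Node\\", r"\\", p, flags=re.I)
    return p


def classify(record: dict):
    """Return the signature a single registry write matches, or None."""
    key, _, name = normalise(record["path"]).rpartition("\\")
    hit = LOOKUP.get((key.lower(), name.lower()))
    if hit is None:
        return None
    signature, expected = hit
    return signature if str(record["data"]) == expected else None


def scan(records):
    """signature -> sorted list of process names that triggered it."""
    hits = defaultdict(set)
    for record in records:
        signature = classify(record)
        if signature:
            hits[signature].add(record["process"])
    return {sig: sorted(procs) for sig, procs in hits.items()}


# Constructed input: four rows copied from the report plus two benign writes.
SAMPLE_RECORDS = [
    {"process": "f76c6c8.exe", "data": "0",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"process": "f76e282.exe", "data": "1",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications"},
    {"process": "f76c85e.exe", "data": "1",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"process": "f76c6c8.exe", "data": "0",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # benign (constructed): firewall turned ON via the Win32 path spelling
    {"process": "mmc.exe", "data": "1",
     "path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    # benign (constructed): unrelated value
    {"process": "explorer.exe", "data": "C:\\Users\\Admin\\OneDrive.exe",
     "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for signature, procs in scan(SAMPLE_RECORDS).items():
        print(f"{signature}: {', '.join(procs)}")
```

The normalisation step is the part worth copying: Sysmon, ETW and sandbox reports each spell the same key differently, and a rule keyed on the literal ControlSet001\services string from this report would miss the identical write logged as HKLM\SYSTEM\CurrentControlSet\Services on a live host.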
Processes (depth as reported, 1 to 4; indentation follows depth)

C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"  PID: 1112  (depth 1)
C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"  PID: 1176  (depth 1)
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID: 1208  (depth 1)
  C:\Windows\system32\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\26f4d49733c8583ccb0f5c598973e890N.dll,#1  PID: 2112  (depth 2)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\26f4d49733c8583ccb0f5c598973e890N.dll,#1  PID: 2120  (depth 3)
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe  PID: 2308  (depth 4)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f76c85e.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f76c85e.exe  PID: 2776  (depth 4)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f76e282.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f76e282.exe  PID: 2660  (depth 4)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID: 1108  (depth 1)
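Two things in the process tree and the WriteProcessMemory table carry the detection value: a 32-bit rundll32 that loaded a DLL from the user's Temp directory and then spawned three executables from the same directory, and those executables writing into taskhost, Dwm, Explorer and DllHost. The following is an added example, not part of the sandbox report, that rebuilds the tree from the report's PIDs and applies both heuristics. The tuple shapes for processes and memory writes are assumptions for the example; PIDs, image paths and command lines are taken from the report, with a parent PID of 0 standing in for parents the report does not list.

```python
"""Added example (not from the sandbox report): process-tree heuristics for the
rundll32 -> dropped-EXE chain and for injection into system processes.
Record shapes are assumptions; PIDs/paths/command lines come from the report."""
from pathlib import PureWindowsPath

# Path fragments that mark a user-writable location (assumption: good enough for this example).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# System processes that the report shows being written to.
SYSTEM_HOSTS = {"taskhost.exe", "dwm.exe", "explorer.exe", "dllhost.exe"}

# (pid, ppid, image path, command line); ppid 0 = parent not listed in the report
PROCESSES = [
    (1112, 0, r"C:\Windows\system32\taskhost.exe", '"taskhost.exe"'),
    (1176, 0, r"C:\Windows\system32\Dwm.exe", r'"C:\Windows\system32\Dwm.exe"'),
    (1208, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1108, 0, r"C:\Windows\system32\DllHost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"),
    (2112, 0, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\26f4d49733c8583ccb0f5c598973e890N.dll,#1"),
    (2120, 2112, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\26f4d49733c8583ccb0f5c598973e890N.dll,#1"),
    (2308, 2120, r"C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe", r"C:\Users\Admin\AppData\Local\Temp\f76c6c8.exe"),
    (2776, 2120, r"C:\Users\Admin\AppData\Local\Temp\f76c85e.exe", r"C:\Users\Admin\AppData\Local\Temp\f76c85e.exe"),
    (2660, 2120, r"C:\Users\Admin\AppData\Local\Temp\f76e282.exe", r"C:\Users\Admin\AppData\Local\Temp\f76e282.exe"),
]

# (source pid, target pid) from the WriteProcessMemory table, duplicates removed
MEMORY_WRITES = [
    (2112, 2120), (2120, 2308), (2308, 1112), (2308, 1176), (2308, 1208), (2308, 1108),
    (2308, 2112), (2308, 2120), (2120, 2776), (2120, 2660), (2308, 2776), (2308, 2660),
    (2776, 1112), (2776, 1176), (2776, 1208), (2776, 1108),
]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def build_tree(processes):
    """pid -> (ppid, image, cmdline) plus ppid -> [child pids] in report order."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}
    children = {}
    for pid, ppid, _, _ in processes:
        children.setdefault(ppid, []).append(pid)
    return by_pid, children


def find_rundll32_droppers(processes):
    """rundll32 whose command line names a DLL in a user-writable path and which
    spawned an executable that itself lives in a user-writable path."""
    by_pid, children = build_tree(processes)
    findings = []
    for pid, (_, image, cmd) in by_pid.items():
        if image_name(image) != "rundll32.exe" or not in_user_writable(cmd):
            continue
        for child in children.get(pid, []):
            child_image = by_pid[child][1]
            if in_user_writable(child_image):
                findings.append((pid, child, image_name(child_image)))
    return findings


def find_injection_into_system(processes, writes):
    """A process running from a user-writable path writing into a system host."""
    by_pid, _ = build_tree(processes)
    findings = set()
    for src, dst in writes:
        if src not in by_pid or dst not in by_pid:
            continue
        src_image = by_pid[src][1]
        dst_name = image_name(by_pid[dst][1])
        if in_user_writable(src_image) and dst_name in SYSTEM_HOSTS:
            findings.add((src, image_name(src_image), dst, dst_name))
    return sorted(findings)


if __name__ == "__main__":
    for parent, child, name in find_rundll32_droppers(PROCESSES):
        print(f"rundll32 {parent} spawned {name} (pid {child}) from a user-writable path")
    for src, src_name, dst, dst_name in find_injection_into_system(PROCESSES, MEMORY_WRITES):
        print(f"{src_name} ({src}) wrote into {dst_name} ({dst})")
```

The 64-bit rundll32 (2112) is deliberately not flagged by the first rule: its only child is the SysWOW64 rundll32, which lives under C:\Windows. Only the 32-bit instance that actually executed the DLL has children in Temp, which is the hop an analyst wants surfaced.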
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1

Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 4
    Disable or Modify System Firewall (T1562.004): 1
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 5
Downloads

File 1 (name not recorded)
Filesize: 97KB
MD5: d06fe1fc027af3ed430ffd898c24ff74
SHA1: ca64a6e852704bebd14c0274364b34f7c7350b1d
SHA256: 2fa0a48ab41f854b24e4116d6dcbfa416c1d6d3ebe14ab84777ef4473800482e
SHA512: aa01f1a2deee417eed8ec6e75dc6460477acc961944f5fbb1221068d2ea8cd07ae529728a819905d93614d1deb5841169c87d3adca18fd501cc5c4fadac857de

File 2 (name not recorded)
Filesize: 256B
MD5: 5a8999c7878e726cb300635ded68375a
SHA1: 9664e3e1619df4e49d9df028b796ed69bed8e0cb
SHA256: dc42320749cca685d81f8952baf8f0c40d403b719a6dfd9a00612eb25488d377
SHA512: d72c6ab113ecfebe7bed33783a316e1ef63e77d3079dd1a5b606549d3f2b4e67af41b1f8c980a6074545907deaa6f189fdc31f52da4dd77d8cc65e8132a0dde6