Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2024, 06:23
Static task
static1
Behavioral task
behavioral1
Sample
aeac6f09794e2465554ba0abf85fa580961a4ee7c4ec7fe6f96c21bc5ef68835N.dll
Resource
win7-20240708-en
General
Target: aeac6f09794e2465554ba0abf85fa580961a4ee7c4ec7fe6f96c21bc5ef68835N.dll
Size: 120KB
MD5: b98ddb915cbe0c7a6ad0631aa889e900
SHA1: 978019076081460629a79ba3dc250500af04f420
SHA256: aeac6f09794e2465554ba0abf85fa580961a4ee7c4ec7fe6f96c21bc5ef68835
SHA512: 80a8a6008d065073919c265f1be5176f402ae29c8a3be74fa9aa15b7fdea3f0eb6f0c2d704b5af4e4d36d00359713372698b0a43923887621c6387e6acb6318d
SSDEEP: 1536:GOx9hZrvVeAxLsdcSoLQNxcduojew6xKjfNGLrnlCeyRq9hcN5Kxcvl9Ye70zIkC:GWh5vVeAtsd4C4e+s6N5KyvlpAzIkC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5797ea.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb8f.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5797ea.exe
Executes dropped EXE 3 IoCs
pid | Process
1128 | e5797ea.exe
2456 | e579952.exe
184 | e57bb8f.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb8f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb8f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5797ea.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb8f.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e5797ea.exe
File opened (read-only) | \??\I: | e5797ea.exe
File opened (read-only) | \??\P: | e5797ea.exe
File opened (read-only) | \??\E: | e5797ea.exe
File opened (read-only) | \??\G: | e5797ea.exe
File opened (read-only) | \??\K: | e5797ea.exe
File opened (read-only) | \??\G: | e57bb8f.exe
File opened (read-only) | \??\H: | e57bb8f.exe
File opened (read-only) | \??\E: | e57bb8f.exe
File opened (read-only) | \??\J: | e5797ea.exe
File opened (read-only) | \??\L: | e5797ea.exe
File opened (read-only) | \??\M: | e5797ea.exe
File opened (read-only) | \??\N: | e5797ea.exe
File opened (read-only) | \??\O: | e5797ea.exe
File opened (read-only) | \??\I: | e57bb8f.exe
resource | yara_rule
behavioral2/memory/1128-6-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-12-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-18-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-19-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-33-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-28-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-11-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-10-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-8-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-9-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-34-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-37-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-36-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-38-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-39-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-40-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-42-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-50-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-61-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-62-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-64-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-65-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-66-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-69-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-71-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-76-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-77-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/1128-80-0x00000000008E0000-0x000000000199A000-memory.dmp | upx
behavioral2/memory/184-119-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/184-150-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5797ea.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5797ea.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5797ea.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e579896 | e5797ea.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5797ea.exe
File created | C:\Windows\e57e89b | e57bb8f.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5797ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579952.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb8f.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1128 | e5797ea.exe
1128 | e5797ea.exe
1128 | e5797ea.exe
1128 | e5797ea.exe
184 | e57bb8f.exe
184 | e57bb8f.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5797ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb8f.exe
Processes
(path | command line | tree level | PID; signatures triggered by a process are listed beneath it)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | level 1 | PID:772
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | level 1 | PID:776
- C:\Windows\system32\dwm.exe | "dwm.exe" | level 1 | PID:64
- C:\Windows\system32\sihost.exe | sihost.exe | level 1 | PID:2600
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | level 1 | PID:2636
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | level 1 | PID:2748
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | level 1 | PID:3600
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\aeac6f09794e2465554ba0abf85fa580961a4ee7c4ec7fe6f96c21bc5ef68835N.dll,#1 | level 2 | PID:2564
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\aeac6f09794e2465554ba0abf85fa580961a4ee7c4ec7fe6f96c21bc5ef68835N.dll,#1 | level 3 | PID:2900
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e5797ea.exe | C:\Users\Admin\AppData\Local\Temp\e5797ea.exe | level 4 | PID:1128
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\e579952.exe | C:\Users\Admin\AppData\Local\Temp\e579952.exe | level 4 | PID:2456
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\e57bb8f.exe | C:\Users\Admin\AppData\Local\Temp\e57bb8f.exe | level 4 | PID:184
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | level 1 | PID:3752
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | level 1 | PID:3936
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | level 1 | PID:4032
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:4092
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | level 1 | PID:3140
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:4224
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | level 1 | PID:3648
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:3892
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 095031d4dc9813e26c5de322aa3955e9
  SHA1: 4e76c30029f97e1369a7201ccac93103c702d3f1
  SHA256: d328828d643d263136efaed0685bf297385785f03106c5f86fb7fdbe336df202
  SHA512: e08cbf6e6aa7c265e832ba034aab7769824f26f821022108dd5666be4dc778584d68f505e5a10a8cc9cae8bcc7300d03b1c05ad4f6fff9cacd993cbf63608e74
- Filesize: 257B
  MD5: bd2e8440b18f9529bbb09ea87b3cdf5c
  SHA1: d9a9598a90efb5a972190ea05efb9a5b3d51a9e8
  SHA256: fac614492c71e21e77c714e2aa7f6a418c44e688cacc4c664332be327d2eb9df
  SHA512: 083674c3292c862569b27c6a252c354e5eb217e2401382e4a61c4abbf5f96a5ec4f65cc40495d4b84885ec15d938b3259103fe30e2bc5614277e1ce906ef5510