Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/10/2024, 15:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
17 signatures
150 seconds
General
-
Target
0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe
-
Size
100KB
-
MD5
0f46d44af345188b4b6866cee9634e33
-
SHA1
4af28a3ddd80c6603f32914b585a7e61bded686f
-
SHA256
c307fe3795d27c3134bf4fb1496a055fcbc343b1aba95f8f5cc9c826c1ebbf57
-
SHA512
9b84a9ba06745d3741a389a19c3381763f49eca6718bb5dcd3a71d42327c79270fa43d972bc2758d3f896a066586ab6fa639d83c71b21601e367584b3058e158
-
SSDEEP
3072:EoHYjbPf73h77qbpBe0/qN4LL2/a07w/HpQioli:w/3Dh72r3CuLL50M/HpXp
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\O: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\P: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\Q: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\X: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\L: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\S: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\U: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\W: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\Y: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\Z: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\E: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\H: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\I: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\J: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\R: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\K: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\M: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\N: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\T: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened (read-only) \??\V: 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened for modification F:\autorun.inf 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2248-1-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-5-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-4-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-7-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-6-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-3-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-25-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-24-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-23-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-26-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-27-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-28-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-29-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-30-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-32-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-33-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-35-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-36-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-53-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-56-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-57-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-59-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-62-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-64-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-65-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-68-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx behavioral1/memory/2248-70-0x0000000001C90000-0x0000000002D1E000-memory.dmp upx -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe Token: SeDebugPrivilege 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 PID 2248 wrote to memory of 1120 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 19 PID 2248 wrote to memory of 1192 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 20 PID 2248 wrote to memory of 1252 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 21 PID 2248 wrote to memory of 1612 2248 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe 25 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1120
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1192
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0f46d44af345188b4b6866cee9634e33_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1612
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD51e4f5f1171ccb877b45f3f93caf63d0e
SHA1650abbea0ca40771a5e41f1594eab6fd7fd2ea5e
SHA256f32414bdc87965b19a6b4a4e01d9ce296aaa44c52ab9eb3852f495ec86c27a37
SHA51290fb7336726f9e2a0193d261fb3f4cf3442e101240ca1868a33d34a2cb40f456139633407b723435e5c07e9b7ea365c99a46fcf84fd9447806e4e0bb57b578fd