Analysis
- max time kernel: 94s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2024, 07:26

Static task: static1
Behavioral task: behavioral1
- Sample: 1e16eeca50e75e7f20df367db63348d3393bb9dbeab055004cedff76414abb4cN.dll
- Resource: win7-20241023-en
General
- Target: 1e16eeca50e75e7f20df367db63348d3393bb9dbeab055004cedff76414abb4cN.dll
- Size: 120KB
- MD5: 823b82d8bec2ce3b61fe2aeee046e190
- SHA1: c4eaebfe4e13615c0a6c8f70a0da670205aba82a
- SHA256: 1e16eeca50e75e7f20df367db63348d3393bb9dbeab055004cedff76414abb4c
- SHA512: 4fc8bf511025260c6ecaac079ce6ff8b382806f93c9a28d64311fa8d6c893260fd6a25f4e0421192d99f18a4e696fe0fd2b5e7d0f8ea26063c44670f9eb75e31
- SSDEEP: 1536:ZE/JHv1C5D7LL54JyaURwJvIFnG+nX/+O7FR2rTfdTiw9+z4WOoiGX3GeAcfRJx:ytC5P31RTFnZPb2f1GwAvOCG3O
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578d7b.exe
Sality family

UAC bypass
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d7b.exe
Windows security bypass
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578d7b.exe
Executes dropped EXE (4 IoCs)
pid | process
- 2392 | e57706d.exe
- 3656 | e5771e4.exe
- 5036 | e578d7b.exe
- 3276 | e578da9.exe
Windows security modification
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578d7b.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57706d.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578d7b.exe
Checks whether UAC is enabled
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d7b.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
- File opened (read-only) | \??\G: | e57706d.exe
- File opened (read-only) | \??\L: | e57706d.exe
- File opened (read-only) | \??\P: | e57706d.exe
- File opened (read-only) | \??\I: | e57706d.exe
- File opened (read-only) | \??\H: | e57706d.exe
- File opened (read-only) | \??\K: | e57706d.exe
- File opened (read-only) | \??\M: | e57706d.exe
- File opened (read-only) | \??\O: | e57706d.exe
- File opened (read-only) | \??\Q: | e57706d.exe
- File opened (read-only) | \??\E: | e57706d.exe
- File opened (read-only) | \??\J: | e57706d.exe
- File opened (read-only) | \??\N: | e57706d.exe
- File opened (read-only) | \??\E: | e578d7b.exe
- File opened (read-only) | \??\G: | e578d7b.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | process
- File opened for modification | C:\Program Files\7-Zip\7z.exe | e57706d.exe
- File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57706d.exe
- File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57706d.exe
- File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57706d.exe
Drops file in Windows directory (3 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\SYSTEM.INI | e57706d.exe
- File created | C:\Windows\e57c14c | e578d7b.exe
- File created | C:\Windows\e5770da | e57706d.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57706d.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5771e4.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578d7b.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578da9.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | process
- 2392 | e57706d.exe
- 2392 | e57706d.exe
- 2392 | e57706d.exe
- 2392 | e57706d.exe
- 5036 | e578d7b.exe
- 5036 | e578d7b.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57706d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d7b.exe
Processes

- C:\Windows\system32\fontdrvhost.exe (PID 792), command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 800), command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 60), command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2964), command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 3024), command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2636), command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3436), command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 3940), command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e16eeca50e75e7f20df367db63348d3393bb9dbeab055004cedff76414abb4cN.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2796), command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e16eeca50e75e7f20df367db63348d3393bb9dbeab055004cedff76414abb4cN.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57706d.exe (PID 2392), command line: C:\Users\Admin\AppData\Local\Temp\e57706d.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5771e4.exe (PID 3656), command line: C:\Users\Admin\AppData\Local\Temp\e5771e4.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e578d7b.exe (PID 5036), command line: C:\Users\Admin\AppData\Local\Temp\e578d7b.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e578da9.exe (PID 3276), command line: C:\Users\Admin\AppData\Local\Temp\e578da9.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (PID 3564), command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3740), command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3840), command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3904), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3992), command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4112), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 2316), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1800), command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 4292), command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3864), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 1968), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

File 1
- Filesize: 97KB
- MD5: 66d41e0f149e01e24d869376f09b051f
- SHA1: 100d1e937afc4a2570b335c70e8cd366cd48944c
- SHA256: f650e3e07bf97f9f79f4f11cf8342a5aa4ca87f6a6b3a525effeeaceafcbba14
- SHA512: 298a6d567894430005d9541ea36e4d25f3823d79247e08a16e7bc8eb8bd3c74b884c14c0a5bbb8a8b33b72dd999085bcbc44f21a6e2f68c84ec041b7480f1103

File 2
- Filesize: 257B
- MD5: 72ab7de8a6250818238297b3e03d7e28
- SHA1: dbdde903959d29df95dc4ff5ee75f4bd0b94627e
- SHA256: af0fbfdd2d458dea98d27e0df32282a243f844d0ec8fb8d3a3b502c8ae3be276
- SHA512: 8ff9bc0b47a14e7c64d8f70465bee509d2533dcb55abb2257100a14b0b35240f43a61ae31637747a01185410b9fc1fd524ec5aa3d5823be3e381385fd349c5db