Analysis
- max time kernel: 34s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll
- Resource: win7-20240729-en
General
- Target: a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll
- Size: 120KB
- MD5: 377cbdad1a91a649c2706f3a78712a10
- SHA1: 864451098f5858effbff0e0844b799633d907f7f
- SHA256: a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9
- SHA512: f774388415fe1e6c02b39678eb6d0cdeaa556deb61f37d3420c98eaacf9d77ff63a860af77824ad185ae175f3977ee2450c91f973e49047e8c5ff53ef5cdfb23
- SSDEEP: 3072:yvHADPcH9T2DrjRE7HsgblHKKHOt8TL8v:sATO2fjm7Mgbl5+
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e579e63.exe, e57d580.exe
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d580.exe
Sality family

UAC bypass
Processes: e57d580.exe, e579e63.exe
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579e63.exe
Windows security bypass
Processes: e579e63.exe, e57d580.exe
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d580.exe
Executes dropped EXE (3 IoCs)
Processes: e579e63.exe, e579fe9.exe, e57d580.exe
  PID | Process
  2156 | e579e63.exe
  1464 | e579fe9.exe
  4588 | e57d580.exe
Windows security modification
Processes: e579e63.exe, e57d580.exe
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579e63.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d580.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579e63.exe
Checks whether UAC is enabled
Processes: e579e63.exe, e57d580.exe
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d580.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e579e63.exe, e57d580.exe
  Description | IoC | Process
  File opened (read-only) | \??\G: | e579e63.exe
  File opened (read-only) | \??\I: | e579e63.exe
  File opened (read-only) | \??\J: | e579e63.exe
  File opened (read-only) | \??\K: | e579e63.exe
  File opened (read-only) | \??\L: | e579e63.exe
  File opened (read-only) | \??\E: | e579e63.exe
  File opened (read-only) | \??\H: | e579e63.exe
  File opened (read-only) | \??\E: | e57d580.exe
  File opened (read-only) | \??\G: | e57d580.exe
  File opened (read-only) | \??\H: | e57d580.exe
Yara rule matches: upx (UPX-packed memory regions)
Processes: e579e63.exe (PID 2156), e57d580.exe (PID 4588)
  Resource | Yara rule
  behavioral2/memory/2156-6-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-10-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-11-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-9-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-14-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-30-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-31-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-20-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-12-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-8-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-35-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-34-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-36-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-41-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-42-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-44-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-53-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-56-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-57-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-59-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-60-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-62-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/2156-64-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
  behavioral2/memory/4588-90-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4588-96-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4588-97-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4588-121-0x0000000000780000-0x000000000183A000-memory.dmp | upx
  behavioral2/memory/4588-143-0x0000000000780000-0x000000000183A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
Processes: e579e63.exe, e57d580.exe
  Description | IoC | Process
  File created | C:\Windows\e579ec0 | e579e63.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e579e63.exe
  File created | C:\Windows\e57fcfd | e57d580.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: rundll32.exe, e579e63.exe, e579fe9.exe, e57d580.exe
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579e63.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579fe9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d580.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e579e63.exe, e57d580.exe
  PID | Process
  2156 | e579e63.exe
  2156 | e579e63.exe
  2156 | e579e63.exe
  2156 | e579e63.exe
  4588 | e57d580.exe
  4588 | e57d580.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e579e63.exe
  Description | PID | Process
  Token: SeDebugPrivilege | 2156 | e579e63.exe
  (all 64 entries are identical to the row above)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e579e63.exe, e57d580.exe
Entries are listed in the order reported; consecutive identical entries are collapsed with a count.
  Source (PID process) | Target (PID process)
  4844 rundll32.exe | 4800 rundll32.exe (x3)
  4800 rundll32.exe | 2156 e579e63.exe (x3)
  2156 e579e63.exe | 776 fontdrvhost.exe
  2156 e579e63.exe | 780 fontdrvhost.exe
  2156 e579e63.exe | 316 dwm.exe
  2156 e579e63.exe | 2672 sihost.exe
  2156 e579e63.exe | 2704 svchost.exe
  2156 e579e63.exe | 2952 taskhostw.exe
  2156 e579e63.exe | 3460 Explorer.EXE
  2156 e579e63.exe | 3648 svchost.exe
  2156 e579e63.exe | 3856 DllHost.exe
  2156 e579e63.exe | 3952 StartMenuExperienceHost.exe
  2156 e579e63.exe | 4016 RuntimeBroker.exe
  2156 e579e63.exe | 2992 SearchApp.exe
  2156 e579e63.exe | 3672 RuntimeBroker.exe
  2156 e579e63.exe | 1492 TextInputHost.exe
  2156 e579e63.exe | 3500 RuntimeBroker.exe
  2156 e579e63.exe | 2976 backgroundTaskHost.exe
  2156 e579e63.exe | 4844 rundll32.exe
  2156 e579e63.exe | 4800 rundll32.exe (x2)
  4800 rundll32.exe | 1464 e579fe9.exe (x3)
  2156 e579e63.exe | 776 fontdrvhost.exe
  2156 e579e63.exe | 780 fontdrvhost.exe
  2156 e579e63.exe | 316 dwm.exe
  2156 e579e63.exe | 2672 sihost.exe
  2156 e579e63.exe | 2704 svchost.exe
  2156 e579e63.exe | 2952 taskhostw.exe
  2156 e579e63.exe | 3460 Explorer.EXE
  2156 e579e63.exe | 3648 svchost.exe
  2156 e579e63.exe | 3856 DllHost.exe
  2156 e579e63.exe | 3952 StartMenuExperienceHost.exe
  2156 e579e63.exe | 4016 RuntimeBroker.exe
  2156 e579e63.exe | 2992 SearchApp.exe
  2156 e579e63.exe | 3672 RuntimeBroker.exe
  2156 e579e63.exe | 1492 TextInputHost.exe
  2156 e579e63.exe | 3500 RuntimeBroker.exe
  2156 e579e63.exe | 2976 backgroundTaskHost.exe
  2156 e579e63.exe | 4844 rundll32.exe
  2156 e579e63.exe | 1464 e579fe9.exe (x2)
  2156 e579e63.exe | 2416 RuntimeBroker.exe
  2156 e579e63.exe | 3636 RuntimeBroker.exe
  4800 rundll32.exe | 4588 e57d580.exe (x3)
  4588 e57d580.exe | 776 fontdrvhost.exe
  4588 e57d580.exe | 780 fontdrvhost.exe
  4588 e57d580.exe | 316 dwm.exe
  4588 e57d580.exe | 2672 sihost.exe
  4588 e57d580.exe | 2704 svchost.exe
  4588 e57d580.exe | 2952 taskhostw.exe
  4588 e57d580.exe | 3460 Explorer.EXE
  4588 e57d580.exe | 3648 svchost.exe
  4588 e57d580.exe | 3856 DllHost.exe
  4588 e57d580.exe | 3952 StartMenuExperienceHost.exe
  4588 e57d580.exe | 4016 RuntimeBroker.exe
  4588 e57d580.exe | 2992 SearchApp.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e579e63.exe, e57d580.exe
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579e63.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d580.exe
Processes
(Indentation shows parent/child relationships; each entry gives the image path, the command line, the PID and the signatures triggered by that process.)

- C:\Windows\system32\fontdrvhost.exe (PID 776)
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 780)
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 316)
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2672)
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2704)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2952)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3460)
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 4844)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4800)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll,#1
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e579e63.exe (PID 2156)
        Command line: C:\Users\Admin\AppData\Local\Temp\e579e63.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e579fe9.exe (PID 1464)
        Command line: C:\Users\Admin\AppData\Local\Temp\e579fe9.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57d580.exe (PID 4588)
        Command line: C:\Users\Admin\AppData\Local\Temp\e57d580.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe (PID 3648)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3856)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3952)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4016)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 2992)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3672)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1492)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3500)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 2976)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 2416)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3636)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Dropped file 1
  Filesize: 97KB
  MD5: 36aa817e00460cb4855674cfc7024421
  SHA1: 90b0faf056f2754e83cdf28e9bda519cbdbb1953
  SHA256: e02ac9c540c662b6e3597d030c524ef35bc12e7202ac8971e299de48aeebbb23
  SHA512: ec4b06b0c6f8b0aa99bd82da95731d712daa52398a2b759dd2998af506b5aadf901cdfb6cbdbff3e67871d3baf2a95dbebaa26e9213b7a4d38bde39ff644d9e1
- Dropped file 2
  Filesize: 257B
  MD5: 73643b68016ecb0584fcf329096dcd33
  SHA1: 008b614510eafb9f0445ed3a107d686429a92e05
  SHA256: e424187cb7b254c28c1c1349c37af3aee25eafb6d0913a0c3f26e04a0133174f
  SHA512: 3a115046acbed2bbf945611271163496b8415a0b21d69e9dd747525cba691e8efcc2fd72861d59160da4376961558c5bbb27ccf9186e2415b50598a0675e64b5