Analysis
Max time kernel: 94s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-11-2024 17:35

Static task: static1
Behavioral task: behavioral1
Sample: b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll
Resource: win7-20240903-en
General
Target: b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll
Size: 120KB
MD5: 1a6cc5ed8b02f30ff31665b8a8537311
SHA1: 3bae2ec2245bbc68b1520290b6a92882e8bbaaeb
SHA256: b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2
SHA512: ecfc18114046f2662c5a3557c2ef97dfe45b36a8a7896ca30408b7080d0802eef5cb07db42a3c8568b27287ebf8a1e7f1c65d801280d47605ff230a911fb7934
SSDEEP: 3072:pND39Bfsztt1rCl5zntpffoBGVJvELKhffsM6D:DUzL1rCTnFVtg8sP
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Processes: e5793d4.exe, e57acab.exe, e579153.exe
Each of the three processes sets the following values (int) under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
- EnableFirewall = "0"
- DoNotAllowExceptions = "0"
- DisableNotifications = "1"
Sality family

UAC bypass
Processes: e5793d4.exe, e57acab.exe, e579153.exe
Each of the three processes sets the value (int):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Processes: e5793d4.exe, e57acab.exe, e579153.exe
Each of the three processes sets the following values (int) to "1" under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- AntiVirusDisableNotify
- AntiVirusOverride
- FirewallDisableNotify
- FirewallOverride
- UacDisableNotify
- UpdatesDisableNotify
Executes dropped EXE (4 IoCs)
Processes: e579153.exe, e5793d4.exe, e57acab.exe, e57acca.exe
- PID 2896: e579153.exe
- PID 4384: e5793d4.exe
- PID 3820: e57acab.exe
- PID 1028: e57acca.exe
Windows security modification
Processes: e57acab.exe, e579153.exe, e5793d4.exe
Each of the three processes creates the key:
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
and sets the following values (int) to "1" under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- AntiVirusDisableNotify
- AntiVirusOverride
- FirewallDisableNotify
- FirewallOverride
- UacDisableNotify
- UpdatesDisableNotify
Checks whether UAC is enabled
Processes: e579153.exe, e5793d4.exe, e57acab.exe
Each of the three processes sets the value (int):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e579153.exe
e579153.exe opens the following drive roots read-only: \??\O:, \??\Q:, \??\E:, \??\K:, \??\N:, \??\G:, \??\J:, \??\M:, \??\H:, \??\I:, \??\R:, \??\L:, \??\P:, \??\S:
Drops file in Program Files directory (4 IoCs)
Processes: e579153.exe
e579153.exe opens the following files for modification:
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\7-Zip\Uninstall.exe
Drops file in Windows directory (4 IoCs)
Processes: e57acab.exe, e579153.exe, e5793d4.exe
- File created: C:\Windows\e57fb19 (e57acab.exe)
- File created: C:\Windows\e5791b1 (e579153.exe)
- File opened for modification: C:\Windows\SYSTEM.INI (e579153.exe)
- File created: C:\Windows\e57e251 (e5793d4.exe)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: e57acab.exe, e57acca.exe, rundll32.exe, e579153.exe, e5793d4.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of e57acab.exe, e57acca.exe, rundll32.exe, e579153.exe and e5793d4.exe.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e579153.exe, e5793d4.exe
- PID 2896: e579153.exe (4 occurrences)
- PID 4384: e5793d4.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e579153.exe
- Token: SeDebugPrivilege, PID 2896, e579153.exe (64 identical occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e579153.exe, e5793d4.exe
Source PID and process -> target PIDs (process-tree index in parentheses; identical repeated entries collapsed):
- 4548 rundll32.exe -> 3256 (85)
- 3256 rundll32.exe -> 2896 (86), 4384 (87), 3820 (93), 1028 (94)
- 2896 e579153.exe -> 776 (8), 784 (9), 60 (13), 2648 (44), 2688 (45), 2848 (51), 3392 (56), 3540 (57), 3716 (58), 3808 (59), 3872 (60), 3956 (61), 3432 (62), 4408 (74), 1684 (76), 2404 (77), 1552 (78), 1532 (83), 4548 (84), 3256 (85), 4384 (87), 3820 (93), 1028 (94)
- 4384 e5793d4.exe -> 776 (8), 784 (9), 60 (13), 2648 (44), 2688 (45)
System policy modification (1 TTPs, 3 IoCs)
Processes: e579153.exe, e5793d4.exe, e57acab.exe
Each of the three processes sets the value (int):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- [level 1] PID 776: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [level 1] PID 784: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [level 1] PID 60: C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- [level 1] PID 2648: C:\Windows\system32\sihost.exe
  command line: sihost.exe
- [level 1] PID 2688: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [level 1] PID 2848: C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [level 1] PID 3392: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
- [level 2] PID 4548: C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1
  - Suspicious use of WriteProcessMemory
  - [level 3] PID 3256: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [level 4] PID 2896: C:\Users\Admin\AppData\Local\Temp\e579153.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e579153.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - [level 4] PID 4384: C:\Users\Admin\AppData\Local\Temp\e5793d4.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e5793d4.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - [level 4] PID 3820: C:\Users\Admin\AppData\Local\Temp\e57acab.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e57acab.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - System policy modification
    - [level 4] PID 1028: C:\Users\Admin\AppData\Local\Temp\e57acca.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e57acca.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- [level 1] PID 3540: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [level 1] PID 3716: C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [level 1] PID 3808: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- [level 1] PID 3872: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [level 1] PID 3956: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- [level 1] PID 3432: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [level 1] PID 4408: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- [level 1] PID 1684: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [level 1] PID 2404: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [level 1] PID 1552: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [level 1] PID 1532: C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
MITRE ATT&CK Enterprise v15
Privilege Escalation:
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion:
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 89d5b031b2b1b401ebcdc3da1ddb62e7
  SHA1: 0bc8c57e96a240918bac201759cfd366843cec6c
  SHA256: 9e216be8e972cc2f483494fcd58460c5ef60036d8af53a3a00dda17c6c83ac3f
  SHA512: fb9ab954a2178d50be978f8666e30240cc0bddb2bd1bbc869284f3d490d1e181fc19f3e618f78e191b6f6e81b332d0413a2b0a58e1d3e2f69009675aab5deb06
- Filesize: 257B
  MD5: 5143ed1324ca8af96d49323ee4946f74
  SHA1: 4c5cc48407338c9b7ecf56d16ed4154e118733a1
  SHA256: 34f07ea0838e3576c18266262952bfa8d627873bd39bd2deaae0a982186d60e3
  SHA512: 3c7c83f7dcf4dbf4fb2986cd9e47b1cff54a51f29ba8b1f7827f6e45c11dd9fd6f5be90c388458dbf9deb40bdc1a2814d53ec319075852e2236629c147c2a2a9