Analysis

max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 12:45

Static task: static1
Behavioral task: behavioral1
Sample: 3408cf93803aad207da389fbcd472dc0a4e362add871b53430ec4af2f9bc1e6f.dll
Resource: win7-20240903-en

The behavioral results on this page (memory dump paths are prefixed behavioral2/) come from the windows10-2004_x64 run named under platform above, not from the win7-20240903-en task listed for behavioral1.
General

Target: 3408cf93803aad207da389fbcd472dc0a4e362add871b53430ec4af2f9bc1e6f.dll
Size: 120KB
MD5: efd00b594814bc8b9b7c1b21099d46fe
SHA1: 9e2595583fc34db25aa16ab4c27b8e68bb489490
SHA256: 3408cf93803aad207da389fbcd472dc0a4e362add871b53430ec4af2f9bc1e6f
SHA512: dff4b662e1e49a5b899d2aec7c371d314f62b481f68a69f1abd841263ea416ce7f9cd59a810fb2620b69005bec6ca20d478df81a39312b6123b42218a39e4d13
SSDEEP: 3072:LCixXchlE7LpWYcyu9HtFiyB0KHX7T34c8:L32h678DyugyBLL74c8
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif

Treat these URLs as network IoCs extracted from the sample's configuration. The Network section of this page carries no captured traffic, so whether the run actually contacted them is not shown here.
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
description      ioc                          Process
Set value (int)  EnableFirewall = "0"         e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  DisableNotifications = "1"   e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  DoNotAllowExceptions = "0"   e577c54.exe, e577dac.exe, e57ad18.exe
Each of the three dropped executables writes the same three values: the firewall is switched off for the standard profile and the notification that it is off is suppressed. ControlSet001 is the control set in use on this image, so these are live settings, not a stale copy.
Sality family

UAC bypass (3 IoCs)
description      ioc                                                                                 Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577c54.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577dac.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57ad18.exe
EnableLUA = 0 disables UAC outright rather than bypassing a single prompt; the change only takes effect after a restart, so on a live host the value should be checked even if UAC prompts still appear.
Windows security bypass (18 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
description      ioc                           Process
Set value (int)  AntiVirusOverride = "1"       e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  AntiVirusDisableNotify = "1"  e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  FirewallOverride = "1"        e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  FirewallDisableNotify = "1"   e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  UacDisableNotify = "1"        e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  UpdatesDisableNotify = "1"    e577c54.exe, e577dac.exe, e57ad18.exe
These are the legacy Security Center values that silence the "antivirus / firewall / updates are off" warnings; they do not disable the products themselves, only the user-facing alerts. The WOW6432Node path shows the writes come from 32-bit processes on a 64-bit host.
Executes dropped EXE (4 IoCs)
pid   Process
3572  e577c54.exe
4320  e577dac.exe
4544  e57ad18.exe
4560  e57ad57.exe
Windows security modification (21 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
description      ioc                           Process
Set value (int)  AntiVirusOverride = "1"       e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  AntiVirusDisableNotify = "1"  e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  FirewallOverride = "1"        e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  FirewallDisableNotify = "1"   e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  UacDisableNotify = "1"        e577c54.exe, e577dac.exe, e57ad18.exe
Set value (int)  UpdatesDisableNotify = "1"    e577c54.exe, e577dac.exe, e57ad18.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc   e577c54.exe, e577dac.exe, e57ad18.exe
The six value writes are the same ones listed under Windows security bypass; the only additional IoC here is the creation of the Security Center\Svc subkey by each dropper.
Checks whether UAC is enabled (3 IoCs)
description      ioc                                                                                 Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577dac.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57ad18.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577c54.exe
The same three EnableLUA writes feed this signature, UAC bypass above and System policy modification below, so the signature count overstates the number of distinct actions.
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc                                                              Process
File opened (read-only)  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:  \??\N:   e577c54.exe
File opened (read-only)  \??\E:  \??\G:  \??\H:  \??\I:                                      e57ad18.exe
Walking every drive letter is consistent with Sality's file-infector behaviour on fixed and removable drives, but the report records only the drive-root opens, not any file infection.
Memory dumps matching yara rule upx (30 IoCs)
resource                                                                                                                                       yara_rule
behavioral2/memory/3572-{6,8,9,10,11,12,18,19,27,32,33,36,37,38,39,40,46,49,63,65,66,69,71,73,77,78}-0x00000000007A0000-0x000000000185A000-memory.dmp   upx   (26 dumps, PID 3572 e577c54.exe)
behavioral2/memory/4320-{102,103,106,127}-0x0000000000C10000-0x0000000001CCA000-memory.dmp                                                   upx   (4 dumps, PID 4320 e577dac.exe)
Both droppers carry an identically sized 0x10BA000-byte region that matches the UPX rule; the matching region, not the on-disk DLL, is what carries the packer signature in this report.
Drops file in Windows directory (4 IoCs)
description                   ioc                     Process
File created                  C:\Windows\e577ca2      e577c54.exe
File created                  C:\Windows\e57cce5      e577dac.exe
File created                  C:\Windows\e57d84f      e57ad18.exe
File opened for modification  C:\Windows\SYSTEM.INI   e577c54.exe
Each dropper creates one extensionless file in C:\Windows named after its own hex name pattern. The SYSTEM.INI open is worth checking on a host: Sality variants are documented to store state in an added [MCIDRV_VER] section of that file, although this report records only the open-for-write.
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                       Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e577c54.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e577dac.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e57ad18.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e57ad57.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
3572  e577c54.exe  (4 occurrences)
4320  e577dac.exe  (2 occurrences)
4544  e57ad18.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description               pid   Process
Token: SeDebugPrivilege   3572  e577c54.exe  (64 occurrences; the report stops listing at 64 entries)
Repeatedly enabling SeDebugPrivilege is the prerequisite for opening the system processes that e577c54.exe then writes into (see Suspicious use of WriteProcessMemory below); only PID 3572 is recorded doing so.
Suspicious use of WriteProcessMemory (64 IoCs)
Each row is "PID <source> wrote to memory of <target>"; procid_target is the sandbox's own sequence number for the target process, not its Windows PID. Repeat counts are given as xN.
source pid  Process       targets (procid_target)
4324        rundll32.exe  4068 (83) x3
4068        rundll32.exe  3572 (84) x3
3572        e577c54.exe   784 (8), 788 (9), 316 (13), 2488 (42), 2500 (43), 2632 (46), 3456 (56), 3604 (57), 3832 (58), 3928 (59), 3992 (60), 4076 (61), 3596 (62), 1868 (75), 1508 (76), 1768 (81), 4324 (82), 4068 (83) x2
4068        rundll32.exe  4320 (85) x3
3572        e577c54.exe   784 (8), 788 (9), 316 (13), 2488 (42), 2500 (43), 2632 (46), 3456 (56), 3604 (57), 3832 (58), 3928 (59), 3992 (60), 4076 (61), 3596 (62), 1868 (75), 1508 (76), 1768 (81), 4324 (82), 4320 (85) x2
4068        rundll32.exe  4544 (90) x3, 4560 (91) x3
4320        e577dac.exe   784 (8), 788 (9), 316 (13), 2488 (42), 2500 (43), 2632 (46), 3456 (56), 3604 (57), 3832 (58), 3928 (59), 3992 (60)
The rundll32.exe rows are ordinary parent-to-child writes during process creation. The rows for e577c54.exe and e577dac.exe are not: each dropper writes into every other process in the tree (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, RuntimeBroker and the rest), which is the code-injection pass Sality performs across the session. The listing is cut off at 64 entries, so e577dac.exe's sequence ends at target 60.
System policy modification (1 TTPs, 3 IoCs)
description      ioc                                                                                 Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577c54.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e577dac.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57ad18.exe
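Added example, not part of the sandbox report: a Python script that turns the registry IoC rows from the signature tables above into a detection set and runs constructed Sysmon Event ID 13 (RegistryEvent, value set) records against it. The IoC rows are copied from this page; the Sysmon records, the image path used for the writer, and the cut-off of three tampered settings per process are assumptions made for the illustration. Path normalisation matters here because the report spells keys the kernel way (\REGISTRY\MACHINE, ControlSet001, WOW6432Node) while Sysmon logs HKLM and CurrentControlSet.

```python
import re
from collections import defaultdict

# IoC rows copied from this report's signature tables (format: Set value (int) <key> = "<value>" <process>).
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e577c54.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e577c54.exe
"""

IOC_RE = re.compile(r'^Set value \(int\) (.+?) = "([^"]*)" (\S+)$')
DWORD_RE = re.compile(r'DWORD \((0x[0-9a-f]+)\)', re.I)  # Sysmon "Details" field for REG_DWORD


def normalize_key(path):
    """Canonicalise a registry path so the kernel spelling used in the report (REGISTRY/MACHINE,
    ControlSetNNN) and the Sysmon spelling (HKLM, CurrentControlSet) compare equal. WOW6432Node is
    dropped because the 32-bit view of Security Center names the same setting."""
    p = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)
    p = re.sub(r'^HKEY_LOCAL_MACHINE\\', r'HKLM\\', p, flags=re.I)
    p = re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', p, flags=re.I)
    p = re.sub(r'\\WOW6432Node\\', r'\\', p, flags=re.I)
    return p.lower()


def parse_report_iocs(text):
    """Return {normalized_key: expected_int_value} from the report's IoC rows."""
    iocs = {}
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            iocs[normalize_key(m.group(1))] = int(m.group(2))
    return iocs


def match_events(events, iocs):
    """Map image -> set of tampered keys for Event ID 13 records whose key and written value equal an IoC."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = normalize_key(ev["TargetObject"])
        m = DWORD_RE.search(ev.get("Details", ""))
        if key in iocs and m and int(m.group(1), 16) == iocs[key]:
            hits[ev["Image"]].add(key)
    return hits


def triage(hits, threshold=3):
    """Images that flipped at least `threshold` distinct security settings (assumed cut-off)."""
    return sorted(img for img, keys in hits.items() if len(keys) >= threshold)


# Constructed Sysmon records for illustration; they are not telemetry from this sandbox run.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e577c54.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"EventID": 13, "Image": DROPPER, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Image": DROPPER, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    # Benign: the firewall service re-enabling the firewall; same key, opposite value, so no match.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    # Unrelated key, must not match.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    iocs = parse_report_iocs(REPORT_IOCS)
    hits = match_events(SAMPLE_EVENTS, iocs)
    for image, keys in hits.items():
        print(f"{image}: {len(keys)} tampered settings")
    print("flagged:", triage(hits))
```

The value comparison is what keeps the benign svchost.exe write out of the result: the key alone is touched by Windows itself, so a rule on the path without the written value would be noisy. Lowering the threshold to one makes the check a strict IoC match; three is a reasonable bar for a process that is switching off firewall, UAC and Security Center together, as every dropper in this report does.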
Processes

C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"   PID 784
C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"   PID 788
C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"   PID 316
C:\Windows\system32\sihost.exe   cmdline: sihost.exe   PID 2488
C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc   PID 2500
C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}   PID 2632
C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE   PID 3456
    C:\Windows\system32\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3408cf93803aad207da389fbcd472dc0a4e362add871b53430ec4af2f9bc1e6f.dll,#1   PID 4324
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3408cf93803aad207da389fbcd472dc0a4e362add871b53430ec4af2f9bc1e6f.dll,#1   PID 4068
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e577c54.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e577c54.exe   PID 3572
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e577dac.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e577dac.exe   PID 4320
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57ad18.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e57ad18.exe   PID 4544
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57ad57.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e57ad57.exe   PID 4560
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc   PID 3604
C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}   PID 3832
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca   PID 3928
C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 3992
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca   PID 4076
C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 3596
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca   PID 1868
C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 1508
C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca   PID 1768

Indentation is the sandbox's process depth; the unindented entries are the session's pre-existing processes, which appear here because they are targets of the cross-process writes listed under Suspicious use of WriteProcessMemory. The 64-bit rundll32.exe (PID 4324) hands the DLL to its SysWOW64 copy (PID 4068), which is what rundll32 does when given a 32-bit DLL, so the sample is an x86 DLL and the WoW64 loader is the real parent of the four droppers. e57ad57.exe (PID 4560) shows only the language check: no dumps, registry writes or cross-process writes are recorded for it.
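Added example, not from the sandbox report: a Python script that rebuilds the tree above from process-start records and ranks processes by injection fan-out using the WriteProcessMemory rows. The process records are constructed from this page's process list (the parents of the pre-existing system processes are not given in the report and are left as None); the write pairs reproduce the 64 rows above; the hex-name pattern for droppers and the fan-out cut-off of five distinct targets are assumptions chosen so that the rundll32 loader, which only writes into the four children it starts, stays below the bar.

```python
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")  # ppid None: parent not given in the report

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DLL = TEMP + r"\3408cf93803aad207da389fbcd472dc0a4e362add871b53430ec4af2f9bc1e6f.dll"

# Constructed from the process list on this page (command lines abbreviated where it does not matter).
PROCESSES = [
    Proc(784, None, r"C:\Windows\system32\fontdrvhost.exe", '"fontdrvhost.exe"'),
    Proc(788, None, r"C:\Windows\system32\fontdrvhost.exe", '"fontdrvhost.exe"'),
    Proc(316, None, r"C:\Windows\system32\dwm.exe", '"dwm.exe"'),
    Proc(2488, None, r"C:\Windows\system32\sihost.exe", "sihost.exe"),
    Proc(2500, None, r"C:\Windows\system32\svchost.exe", "svchost.exe -k UnistackSvcGroup -s CDPUserSvc"),
    Proc(2632, None, r"C:\Windows\system32\taskhostw.exe", "taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}"),
    Proc(3456, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4324, 3456, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    Proc(4068, 4324, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    Proc(3572, 4068, TEMP + r"\e577c54.exe", TEMP + r"\e577c54.exe"),
    Proc(4320, 4068, TEMP + r"\e577dac.exe", TEMP + r"\e577dac.exe"),
    Proc(4544, 4068, TEMP + r"\e57ad18.exe", TEMP + r"\e57ad18.exe"),
    Proc(4560, 4068, TEMP + r"\e57ad57.exe", TEMP + r"\e57ad57.exe"),
    Proc(3604, None, r"C:\Windows\system32\svchost.exe", "svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"),
    Proc(3832, None, r"C:\Windows\system32\DllHost.exe", "DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"),
    Proc(3928, None, r"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe", "StartMenuExperienceHost.exe -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca"),
    Proc(3992, None, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe -Embedding"),
    Proc(4076, None, r"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe", "SearchApp.exe -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca"),
    Proc(3596, None, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe -Embedding"),
    Proc(1868, None, r"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe", "TextInputHost.exe -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca"),
    Proc(1508, None, r"C:\Windows\System32\RuntimeBroker.exe", "RuntimeBroker.exe -Embedding"),
    Proc(1768, None, r"C:\Windows\system32\backgroundTaskHost.exe", "backgroundTaskHost.exe -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca"),
]

# The 64 WriteProcessMemory rows from the report as (source pid, target pid), repeats preserved.
SYS_TARGETS = [784, 788, 316, 2488, 2500, 2632, 3456, 3604, 3832, 3928, 3992, 4076, 3596, 1868, 1508, 1768, 4324]
WRITES = ([(4324, 4068)] * 3 + [(4068, 3572)] * 3
          + [(3572, t) for t in SYS_TARGETS] + [(3572, 4068)] * 2
          + [(4068, 4320)] * 3
          + [(3572, t) for t in SYS_TARGETS] + [(3572, 4320)] * 2
          + [(4068, 4544)] * 3 + [(4068, 4560)] * 3
          + [(4320, t) for t in SYS_TARGETS[:11]])

HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,8}\.exe$", re.I)   # assumed dropper-name pattern (e577c54.exe etc.)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_drop_chains(procs):
    """(pid, name, parent pid) for hex-named executables in the user's Temp directory whose parent is
    rundll32.exe loading a DLL from that same directory: the loader -> dropper pattern of this report."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for p in procs:
        if not (TEMP_RE.search(p.image) and HEX_NAME_RE.match(basename(p.image))):
            continue
        parent = by_pid.get(p.ppid)
        if parent and basename(parent.image).lower() == "rundll32.exe" and TEMP_RE.search(parent.cmdline):
            chains.append((p.pid, basename(p.image), parent.pid))
    return chains


def injection_fanout(writes):
    """Number of distinct target pids each source pid wrote into."""
    targets = defaultdict(set)
    for src, dst in writes:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def flag_injectors(fanout, min_targets=5):
    """Pids that wrote into at least min_targets distinct processes (assumed cut-off)."""
    return sorted(pid for pid, n in fanout.items() if n >= min_targets)


def render_tree(procs):
    """Indented listing built from ppid links; processes whose parent is not in the list are roots."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid if p.ppid in by_pid else None].append(p)
    lines = []

    def walk(parent, depth):
        for p in children[parent]:
            lines.append("    " * depth + f"{basename(p.image)} (PID {p.pid})")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for pid, name, parent in find_drop_chains(PROCESSES):
        print(f"dropper {name} (PID {pid}) started by rundll32.exe PID {parent}")
    fanout = injection_fanout(WRITES)
    names = {p.pid: basename(p.image) for p in PROCESSES}
    for pid in flag_injectors(fanout):
        print(f"{names[pid]} (PID {pid}) wrote into {fanout[pid]} distinct processes")
```

Counting distinct targets rather than raw rows is the point: the loader's writes are repeated three times per child and still amount to four targets, whereas e577c54.exe reaches nineteen and e577dac.exe eleven before the listing is cut off. On real Sysmon data the equivalent input is Event ID 10 (ProcessAccess) or Event ID 8 (CreateRemoteThread) grouped by SourceProcessId.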
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: d33c835cc29a9c7b72fe9805f7d4907f
SHA1: d5a63ff9e58b403979638317e68a8850f9cbae36
SHA256: 8ab690c9d4d2f741258ccfe87cca31f10bc2510b7e187971342d0be7de6a58db
SHA512: 423d2c2361adf46bfefb3e51ec9f683b76dc415d48f1bc89eb73e6fdadcea5636ab385c3d51b22530b061755693122ab7f687f696dbcab1da6a3424fb0a82c69

Filesize: 257B
MD5: c0765cebdd9105eaeed16099651013d1
SHA1: 073002c00ce739d016e6336d9e2a9ab812d0f263
SHA256: fd6c34111156c90c34f358f9d890c27147e9d378f63a10855de4e98280735908
SHA512: 74678cacd55a66ea0593d3ca10c1817e93903db96688d6318c36498f9d9e1dcadae3f3ed774e52d3be63ef034145bd441e7490ee1aa12ac0f6dd5147062865e9