Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2024 23:57
Static task: static1
Behavioral task: behavioral1
Sample: 3be0847258f277820c8fc9809dfb28273ebbe17d737a0d1bb4587fad52f48019N.dll
Resource: win7-20240903-en
General
Target: 3be0847258f277820c8fc9809dfb28273ebbe17d737a0d1bb4587fad52f48019N.dll
Size: 120KB
MD5: 126a6ac9d71d6b7ba2e20ed8593075d0
SHA1: 3f00d8a8d7eaaea6ca63eadef92e76a37e9e513a
SHA256: 3be0847258f277820c8fc9809dfb28273ebbe17d737a0d1bb4587fad52f48019
SHA512: 3aeca0d8536b5bcadf97078f69a99f6e4ad588886cc5c5b4a53dbf3f1ca8f2899d46b01a16a94f109f7f946256279ffa0fc77a5ed7eb4613816effb50c93764b
SSDEEP: 3072:xOaU4gT6omZjkc+gnzdQaWx7VZLXjNo03+NNT2Q:xX66rnnzdQvRZLXjr3CT2Q
Malware Config
Extracted family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
All values below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
description | ioc | Process
Set value (int) | DisableNotifications = "1" | f769d97.exe
Set value (int) | EnableFirewall = "0" | f76ba2b.exe
Set value (int) | DoNotAllowExceptions = "0" | f76ba2b.exe
Set value (int) | DisableNotifications = "1" | f769bb3.exe
Set value (int) | DoNotAllowExceptions = "0" | f769bb3.exe
Set value (int) | EnableFirewall = "0" | f769d97.exe
Set value (int) | DoNotAllowExceptions = "0" | f769d97.exe
Set value (int) | DisableNotifications = "1" | f76ba2b.exe
Set value (int) | EnableFirewall = "0" | f769bb3.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769d97.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ba2b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769bb3.exe
Windows security bypass
All values below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\
description | ioc | Process
Set value (int) | FirewallDisableNotify = "1" | f769bb3.exe
Set value (int) | AntiVirusDisableNotify = "1" | f769d97.exe
Set value (int) | FirewallOverride = "1" | f769d97.exe
Set value (int) | UacDisableNotify = "1" | f769d97.exe
Set value (int) | UpdatesDisableNotify = "1" | f76ba2b.exe
Set value (int) | FirewallOverride = "1" | f769bb3.exe
Set value (int) | FirewallDisableNotify = "1" | f76ba2b.exe
Set value (int) | AntiVirusOverride = "1" | f769bb3.exe
Set value (int) | UacDisableNotify = "1" | f769bb3.exe
Set value (int) | AntiVirusOverride = "1" | f769d97.exe
Set value (int) | FirewallDisableNotify = "1" | f769d97.exe
Set value (int) | UacDisableNotify = "1" | f76ba2b.exe
Set value (int) | AntiVirusDisableNotify = "1" | f769bb3.exe
Set value (int) | UpdatesDisableNotify = "1" | f769bb3.exe
Set value (int) | UpdatesDisableNotify = "1" | f769d97.exe
Set value (int) | AntiVirusOverride = "1" | f76ba2b.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76ba2b.exe
Set value (int) | FirewallOverride = "1" | f76ba2b.exe
Executes dropped EXE (3 IoCs)
pid | Process
2468 | f769bb3.exe
2924 | f769d97.exe
2572 | f76ba2b.exe
Loads dropped DLL (6 IoCs)
pid | Process
2508 | rundll32.exe
2508 | rundll32.exe
2508 | rundll32.exe
2508 | rundll32.exe
2508 | rundll32.exe
2508 | rundll32.exe
Windows security modification
All values below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\
description | ioc | Process
Set value (int) | UpdatesDisableNotify = "1" | f76ba2b.exe
Set value (int) | UacDisableNotify = "1" | f76ba2b.exe
Set value (int) | FirewallOverride = "1" | f769bb3.exe
Set value (int) | AntiVirusDisableNotify = "1" | f769d97.exe
Set value (int) | FirewallDisableNotify = "1" | f769d97.exe
Set value (int) | FirewallOverride = "1" | f769d97.exe
Set value (int) | UpdatesDisableNotify = "1" | f769d97.exe
Key created | Svc | f769d97.exe
Set value (int) | AntiVirusDisableNotify = "1" | f769bb3.exe
Set value (int) | UacDisableNotify = "1" | f769d97.exe
Set value (int) | AntiVirusOverride = "1" | f76ba2b.exe
Set value (int) | FirewallOverride = "1" | f76ba2b.exe
Set value (int) | AntiVirusOverride = "1" | f769bb3.exe
Key created | Svc | f769bb3.exe
Set value (int) | AntiVirusOverride = "1" | f769d97.exe
Set value (int) | FirewallDisableNotify = "1" | f76ba2b.exe
Key created | Svc | f76ba2b.exe
Set value (int) | FirewallDisableNotify = "1" | f769bb3.exe
Set value (int) | UpdatesDisableNotify = "1" | f769bb3.exe
Set value (int) | UacDisableNotify = "1" | f769bb3.exe
Set value (int) | AntiVirusDisableNotify = "1" | f76ba2b.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ba2b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769bb3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769d97.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | f769bb3.exe
File opened (read-only) | \??\M: | f769bb3.exe
File opened (read-only) | \??\P: | f769bb3.exe
File opened (read-only) | \??\J: | f769bb3.exe
File opened (read-only) | \??\Q: | f769bb3.exe
File opened (read-only) | \??\S: | f769bb3.exe
File opened (read-only) | \??\T: | f769bb3.exe
File opened (read-only) | \??\E: | f769bb3.exe
File opened (read-only) | \??\I: | f769bb3.exe
File opened (read-only) | \??\K: | f769bb3.exe
File opened (read-only) | \??\L: | f769bb3.exe
File opened (read-only) | \??\O: | f769bb3.exe
File opened (read-only) | \??\R: | f769bb3.exe
File opened (read-only) | \??\E: | f76ba2b.exe
File opened (read-only) | \??\G: | f769bb3.exe
File opened (read-only) | \??\N: | f769bb3.exe
yara_rule upx matched in memory dumps
resource | yara_rule
behavioral1/memory/2468-*-0x00000000005D0000-0x000000000168A000-memory.dmp (23 dumps of PID 2468) | upx
behavioral1/memory/2924-*-0x0000000000940000-0x00000000019FA000-memory.dmp (2 dumps of PID 2924) | upx
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f769bb3.exe
File created | C:\Windows\f76ec71 | f769d97.exe
File created | C:\Windows\f76f4f9 | f76ba2b.exe
File created | C:\Windows\f769c11 | f769bb3.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769bb3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769d97.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76ba2b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2468 | f769bb3.exe
2468 | f769bb3.exe
2924 | f769d97.exe
2572 | f76ba2b.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2468 | f769bb3.exe
Token: SeDebugPrivilege | 2924 | f769d97.exe
Token: SeDebugPrivilege | 2572 | f76ba2b.exe
The 64 events are repetitions of these three rows.
Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target
PID 1736 wrote to memory of 2508 | 1736 | rundll32.exe | 30
PID 2508 wrote to memory of 2468 | 2508 | rundll32.exe | 31
PID 2468 wrote to memory of 1096 | 2468 | f769bb3.exe | 19
PID 2468 wrote to memory of 1176 | 2468 | f769bb3.exe | 20
PID 2468 wrote to memory of 1204 | 2468 | f769bb3.exe | 21
PID 2468 wrote to memory of 884 | 2468 | f769bb3.exe | 25
PID 2468 wrote to memory of 1736 | 2468 | f769bb3.exe | 29
PID 2468 wrote to memory of 2508 | 2468 | f769bb3.exe | 30
PID 2508 wrote to memory of 2924 | 2508 | rundll32.exe | 32
PID 2508 wrote to memory of 2572 | 2508 | rundll32.exe | 33
PID 2468 wrote to memory of 2924 | 2468 | f769bb3.exe | 32
PID 2468 wrote to memory of 2572 | 2468 | f769bb3.exe | 33
PID 2924 wrote to memory of 1096 | 2924 | f769d97.exe | 19
PID 2924 wrote to memory of 1176 | 2924 | f769d97.exe | 20
PID 2924 wrote to memory of 1204 | 2924 | f769d97.exe | 21
PID 2924 wrote to memory of 884 | 2924 | f769d97.exe | 25
PID 2572 wrote to memory of 1096 | 2572 | f76ba2b.exe | 19
PID 2572 wrote to memory of 1176 | 2572 | f76ba2b.exe | 20
PID 2572 wrote to memory of 1204 | 2572 | f76ba2b.exe | 21
PID 2572 wrote to memory of 884 | 2572 | f76ba2b.exe | 25
The 42 events are repetitions of these distinct writer/target pairs.
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769d97.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ba2b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769bb3.exe
Processes
Each entry: image path | command line | depth in process tree | PID, followed by the signatures triggered by that process.

C:\Windows\system32\taskhost.exe | "taskhost.exe" | depth 1 | PID:1096

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | depth 1 | PID:1176

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | depth 1 | PID:1204

C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\3be0847258f277820c8fc9809dfb28273ebbe17d737a0d1bb4587fad52f48019N.dll,#1 | depth 2 | PID:1736
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\3be0847258f277820c8fc9809dfb28273ebbe17d737a0d1bb4587fad52f48019N.dll,#1 | depth 3 | PID:2508
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\f769bb3.exe | C:\Users\Admin\AppData\Local\Temp\f769bb3.exe | depth 4 | PID:2468
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\f769d97.exe | C:\Users\Admin\AppData\Local\Temp\f769d97.exe | depth 4 | PID:2924
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\f76ba2b.exe | C:\Users\Admin\AppData\Local\Temp\f76ba2b.exe | depth 4 | PID:2572
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID:884
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: ddf43ab0ebf081296a240b95dac56a34
SHA1: 2e50dcb22cb47d88d8a7b5350c39e598d630ed56
SHA256: debf1da7589c352cfc3cdf7f35d31424e5bda58253949883cdc8602fd814fb95
SHA512: d66a1073a67c466d4f79bc6d114a87506d2ee7b80c93b762a57a0861651a4f7923151646f163ac2732f21cb016ff4dae185ccfac318ccf2af717b98c2412f7d0

Filesize: 257B
MD5: c7f62fa56e6c2e39e800830a1545b127
SHA1: a9c22aeb7ddec4282e49d115be37ad80c8e0ef3f
SHA256: 9f6ccbac71c5c0380077befe93c8277690705dae5e0bbd15953b5c6b47f84b1b
SHA512: 6af11a0191ebb98c3d8aa355cb7378b1106741fcc8fc0b5472f01e6b123e70b05dda762a8dd77aefe53e236d0c0602ef6fc580afbc32d31bbe49adebb0e24e76