Analysis

max time kernel: 91s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2024, 03:54

Static task: static1
Behavioral task: behavioral1
Sample: ec293d93758a1ab99f8041ba1a6539960c2ee2e43075f4b82a052950ee89710b.dll
Resource: win7-20241010-en
General

Target: ec293d93758a1ab99f8041ba1a6539960c2ee2e43075f4b82a052950ee89710b.dll
Size: 120KB
MD5: 352a52f611e3a5865385328134ac4c75
SHA1: f8d7186045f11c14ec57ace4e6405a09c5a47ac1
SHA256: ec293d93758a1ab99f8041ba1a6539960c2ee2e43075f4b82a052950ee89710b
SHA512: 44b8c4f539628cabbf600e20e40c69efd1a14a87fcf3731ca4e09a7ea37c7f51cee3a34fbe6e3463d1940acc208df51632f58d93d25040d60e99f8c8efacd567
SSDEEP: 3072:C9OepIjiltian1r2obJ5c8BoWeGS1fDnWdqiwrDyW9:CzQYtNB2oE89S1fDnWdqHDX
Malware Config

Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ab34.exe
Sality family

UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d050.exe

Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d050.exe
Executes dropped EXE (4 IoCs)
pid | Process
5040 | e57ab34.exe
1360 | e57acab.exe
2520 | e57d031.exe
4516 | e57d050.exe

Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d050.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d050.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d050.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d050.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e57ab34.exe
File opened (read-only) | \??\G: | e57ab34.exe
File opened (read-only) | \??\J: | e57ab34.exe
File opened (read-only) | \??\K: | e57ab34.exe
File opened (read-only) | \??\M: | e57ab34.exe
File opened (read-only) | \??\N: | e57ab34.exe
File opened (read-only) | \??\O: | e57ab34.exe
File opened (read-only) | \??\G: | e57d050.exe
File opened (read-only) | \??\E: | e57d050.exe
File opened (read-only) | \??\H: | e57d050.exe
File opened (read-only) | \??\I: | e57d050.exe
File opened (read-only) | \??\E: | e57ab34.exe
File opened (read-only) | \??\H: | e57ab34.exe
File opened (read-only) | \??\L: | e57ab34.exe

YARA rule match: upx
resource | yara_rule
behavioral2/memory/5040-N-0x0000000000870000-0x000000000192A000-memory.dmp, one row for each dump index N in 6, 9, 12, 10, 8, 22, 29, 30, 34, 11, 35, 36, 37, 38, 39, 40, 55, 69, 70, 72, 74, 75, 78, 79, 82, 84, 85, 92 | upx
behavioral2/memory/4516-125-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4516-165-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57ab34.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57ab34.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57ab34.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57ab82 | e57ab34.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ab34.exe
File created | C:\Windows\e57fbc5 | e57d050.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ab34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57acab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d031.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d050.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
5040 | e57ab34.exe (×4)
4516 | e57d050.exe (×2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5040 | e57ab34.exe (64 identical rows)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2708 wrote to memory of 2876 | 2708 | rundll32.exe | 83 (×3)
PID 2876 wrote to memory of 5040 | 2876 | rundll32.exe | 84 (×3)
PID 5040 wrote to memory of 788 | 5040 | e57ab34.exe | 8
PID 5040 wrote to memory of 792 | 5040 | e57ab34.exe | 9
PID 5040 wrote to memory of 388 | 5040 | e57ab34.exe | 13
PID 5040 wrote to memory of 3008 | 5040 | e57ab34.exe | 50
PID 5040 wrote to memory of 3052 | 5040 | e57ab34.exe | 51
PID 5040 wrote to memory of 3100 | 5040 | e57ab34.exe | 52
PID 5040 wrote to memory of 3436 | 5040 | e57ab34.exe | 56
PID 5040 wrote to memory of 3568 | 5040 | e57ab34.exe | 57
PID 5040 wrote to memory of 3744 | 5040 | e57ab34.exe | 58
PID 5040 wrote to memory of 3832 | 5040 | e57ab34.exe | 59
PID 5040 wrote to memory of 3896 | 5040 | e57ab34.exe | 60
PID 5040 wrote to memory of 3980 | 5040 | e57ab34.exe | 61
PID 5040 wrote to memory of 3372 | 5040 | e57ab34.exe | 62
PID 5040 wrote to memory of 5072 | 5040 | e57ab34.exe | 65
PID 5040 wrote to memory of 4792 | 5040 | e57ab34.exe | 75
PID 5040 wrote to memory of 908 | 5040 | e57ab34.exe | 81
PID 5040 wrote to memory of 2708 | 5040 | e57ab34.exe | 82
PID 5040 wrote to memory of 2876 | 5040 | e57ab34.exe | 83 (×2)
PID 2876 wrote to memory of 1360 | 2876 | rundll32.exe | 85 (×3)
PID 2876 wrote to memory of 2520 | 2876 | rundll32.exe | 86 (×3)
PID 2876 wrote to memory of 4516 | 2876 | rundll32.exe | 87 (×3)
PID 5040 wrote to memory of 788 | 5040 | e57ab34.exe | 8
PID 5040 wrote to memory of 792 | 5040 | e57ab34.exe | 9
PID 5040 wrote to memory of 388 | 5040 | e57ab34.exe | 13
PID 5040 wrote to memory of 3008 | 5040 | e57ab34.exe | 50
PID 5040 wrote to memory of 3052 | 5040 | e57ab34.exe | 51
PID 5040 wrote to memory of 3100 | 5040 | e57ab34.exe | 52
PID 5040 wrote to memory of 3436 | 5040 | e57ab34.exe | 56
PID 5040 wrote to memory of 3568 | 5040 | e57ab34.exe | 57
PID 5040 wrote to memory of 3744 | 5040 | e57ab34.exe | 58
PID 5040 wrote to memory of 3832 | 5040 | e57ab34.exe | 59
PID 5040 wrote to memory of 3896 | 5040 | e57ab34.exe | 60
PID 5040 wrote to memory of 3980 | 5040 | e57ab34.exe | 61
PID 5040 wrote to memory of 3372 | 5040 | e57ab34.exe | 62
PID 5040 wrote to memory of 5072 | 5040 | e57ab34.exe | 65
PID 5040 wrote to memory of 4792 | 5040 | e57ab34.exe | 75
PID 5040 wrote to memory of 908 | 5040 | e57ab34.exe | 81
PID 5040 wrote to memory of 1360 | 5040 | e57ab34.exe | 85 (×2)
PID 5040 wrote to memory of 2520 | 5040 | e57ab34.exe | 86 (×2)
PID 5040 wrote to memory of 4516 | 5040 | e57ab34.exe | 87 (×2)
PID 4516 wrote to memory of 788 | 4516 | e57d050.exe | 8
PID 4516 wrote to memory of 792 | 4516 | e57d050.exe | 9
PID 4516 wrote to memory of 388 | 4516 | e57d050.exe | 13
PID 4516 wrote to memory of 3008 | 4516 | e57d050.exe | 50
PID 4516 wrote to memory of 3052 | 4516 | e57d050.exe | 51
PID 4516 wrote to memory of 3100 | 4516 | e57d050.exe | 52
PID 4516 wrote to memory of 3436 | 4516 | e57d050.exe | 56
PID 4516 wrote to memory of 3568 | 4516 | e57d050.exe | 57
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d050.exe
Processes

depth | image | command line | PID (signature tags listed under the process they apply to)
1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
1 | C:\Windows\system32\dwm.exe | "dwm.exe" | PID:388
1 | C:\Windows\system32\sihost.exe | sihost.exe | PID:3008
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3052
1 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3100
1 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
2 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec293d93758a1ab99f8041ba1a6539960c2ee2e43075f4b82a052950ee89710b.dll,#1 | PID:2708
    - Suspicious use of WriteProcessMemory
  3 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec293d93758a1ab99f8041ba1a6539960c2ee2e43075f4b82a052950ee89710b.dll,#1 | PID:2876
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    4 | C:\Users\Admin\AppData\Local\Temp\e57ab34.exe | C:\Users\Admin\AppData\Local\Temp\e57ab34.exe | PID:5040
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
    4 | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | C:\Users\Admin\AppData\Local\Temp\e57acab.exe | PID:1360
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    4 | C:\Users\Admin\AppData\Local\Temp\e57d031.exe | C:\Users\Admin\AppData\Local\Temp\e57d031.exe | PID:2520
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    4 | C:\Users\Admin\AppData\Local\Temp\e57d050.exe | C:\Users\Admin\AppData\Local\Temp\e57d050.exe | PID:4516
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3568
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3744
1 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3832
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3896
1 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3980
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3372
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5072
1 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4792
1 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:908
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: ea6b373e9b20bbf87c01158c32851ecd
SHA1: 9f8ed72c72dda71341f9570c1a42a771f36177c6
SHA256: a952f3c58109517263a87b03adb421773313331c38aa0d48e9a14de95d2cf85f
SHA512: e94c9e1b70c6a4e2dab355d20a0f32e80585f1251bb9a306b1f1a4936ce1815db2de7e120d46bce0b5690e812b305d5925fea66377f7d4f4f523bce9909ed2d5

Filesize: 257B
MD5: e5c752441fe6ae7291eaa23456d4dfda
SHA1: 85cd45815f266ba8d2331867a276c6531f1c46a1
SHA256: eb0767c06a305a0328596e2daefc18065d1e426afcb740e6fae5cafbf9924ac3
SHA512: d6856d89110a274cd0100600fab503778d7455e133bab36efce513561244705c7225271f10a9df9feb8cfb6d32ce38762bc90b284e72d650c545dcece7c1b115