Analysis
- max time kernel: 105s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2024, 14:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: e864e4be3d659dac1e29d3bdd48218391dafe8a1e4a8cbaa59bc43869d33f92dN.dll
- Resource: win7-20240903-en
General
- Target: e864e4be3d659dac1e29d3bdd48218391dafe8a1e4a8cbaa59bc43869d33f92dN.dll
- Size: 120KB
- MD5: ab85f2a2099fd95c217a42810e8cd880
- SHA1: 8cf4e7eb7a6c24d3e1e99c07ddc7985739e7413b
- SHA256: e864e4be3d659dac1e29d3bdd48218391dafe8a1e4a8cbaa59bc43869d33f92d
- SHA512: b63157c45ec1285b3917449f12ddb5ce3c0d740ae0e3708d00dff09093d95f6fc5253441f44673036bbc557d502fe7954eac6773b0d08e1ff66daa0c7b5c9eb4
- SSDEEP: 1536:o29KEEppnoQGJ4SAbIRch6CFuArYcCDXBpIF/LOugRtOwAyG+52hyr/lJ1KM:MEEjoNJ44ch6gueCDXDugRbvYhyBJ1H
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577c25.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a393.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a393.exe
Executes dropped EXE (4 IoCs)
pid | Process
3048 | e577c25.exe
2848 | e577e19.exe
3628 | e57a393.exe
1672 | e57a3d1.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a393.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577c25.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577c25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a393.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e577c25.exe
File opened (read-only) | \??\H: | e577c25.exe
File opened (read-only) | \??\I: | e577c25.exe
File opened (read-only) | \??\L: | e577c25.exe
File opened (read-only) | \??\M: | e577c25.exe
File opened (read-only) | \??\N: | e577c25.exe
File opened (read-only) | \??\G: | e57a393.exe
File opened (read-only) | \??\I: | e57a393.exe
File opened (read-only) | \??\E: | e577c25.exe
File opened (read-only) | \??\J: | e577c25.exe
File opened (read-only) | \??\K: | e577c25.exe
File opened (read-only) | \??\E: | e57a393.exe
File opened (read-only) | \??\H: | e57a393.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e577c25.exe
File created | C:\Windows\e57ce6c | e57a393.exe
File created | C:\Windows\e577c92 | e577c25.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577c25.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577e19.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a393.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a3d1.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3048 | e577c25.exe
3048 | e577c25.exe
3048 | e577c25.exe
3048 | e577c25.exe
3628 | e57a393.exe
3628 | e57a393.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3048 | e577c25.exe
(the same row is repeated 64 times in the report; the duplicates are omitted here)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577c25.exe
Processes
(image path | command line | PID; child processes are indented under their parent)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:332
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2556
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2572
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2668
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3380
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e864e4be3d659dac1e29d3bdd48218391dafe8a1e4a8cbaa59bc43869d33f92dN.dll,#1 | PID:4524
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e864e4be3d659dac1e29d3bdd48218391dafe8a1e4a8cbaa59bc43869d33f92dN.dll,#1 | PID:3280
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e577c25.exe | C:\Users\Admin\AppData\Local\Temp\e577c25.exe | PID:3048
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e577e19.exe | C:\Users\Admin\AppData\Local\Temp\e577e19.exe | PID:2848
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57a393.exe | C:\Users\Admin\AppData\Local\Temp\e57a393.exe | PID:3628
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57a3d1.exe | C:\Users\Admin\AppData\Local\Temp\e57a3d1.exe | PID:1672
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3548
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3856
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3916
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4008
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3544
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2248
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4452
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 114fedd38f155f4dd7945a3ccd41c626
  SHA1: b12d10f4097d27c133b7813fbcf70817d766dc41
  SHA256: 57f6409839dd14d69ce5fe961d35cded8190016f5e373b2ff159004497d7931c
  SHA512: 18bc440e40eda81582b3ea88a13a5160b722444b0ce6228eba94aaf58b950b23d3463896d556d9d90c506108e5c77444a82a76ed911b690e1419e2abdbe773e0
- Filesize: 257B
  MD5: d5f93b173792828c4d637c813df77438
  SHA1: e02f3460f84eb184e1acce6631870269e4e7c64e
  SHA256: f88e18032060cf1fd86dbc72369fc91a4255ca821932fe7dab83111b886bb7f5
  SHA512: 2ffa2041ac9ffc8d7bb0cb3966b102a27df01a1fb269896105097c4279be6aa04aefdb50bc94c985702876b6228e9621a9eaefacc6c8a3ea1ed1c3079a5ae73e