Analysis
max time kernel: 93s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2024, 17:57
Static task: static1
Behavioral task: behavioral1
Sample: 5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506.dll
Resource: win7-20240729-en
General
Target: 5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506.dll
Size: 120KB
MD5: d0a76f623ebea38376b9118966fcaec7
SHA1: 556c31a2fb32c57e7c6150f3610b80fdc24b0579
SHA256: 5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506
SHA512: 15f66f9431054e8ba9bd0800024aa01dff0e4a6bfedd595053fb1165c618fa89822d55387f5066d8868d4e46b1324df9503834019b3e24aca1a29c803ebb5063
SSDEEP: 1536:CV2KzKqk0dKamvi6DSRujPOkyVX2A2jj5S1u8voByGoeAXdEXh1bzVEyaWgZcYD:CV2yaamKgFOAj5SYUZDNCh1HGyiiYD
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ce3d.exe
-
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ce3d.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ce3d.exe
-
Executes dropped EXE 4 IoCs
pid | Process
1956 | e57ab53.exe
3552 | e57acf9.exe
4540 | e57ce3d.exe
1544 | e57ce6c.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ce3d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ce3d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab53.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ce3d.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ce3d.exe
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57ab53.exe
File opened (read-only) | \??\I: | e57ab53.exe
File opened (read-only) | \??\J: | e57ab53.exe
File opened (read-only) | \??\L: | e57ab53.exe
File opened (read-only) | \??\G: | e57ce3d.exe
File opened (read-only) | \??\E: | e57ab53.exe
File opened (read-only) | \??\G: | e57ab53.exe
File opened (read-only) | \??\K: | e57ab53.exe
File opened (read-only) | \??\M: | e57ab53.exe
File opened (read-only) | \??\E: | e57ce3d.exe
File opened (read-only) | \??\H: | e57ce3d.exe
-
resource | yara_rule
behavioral2/memory/1956-6-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-8-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-9-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-25-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-31-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-28-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-33-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-21-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-11-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-10-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-34-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-35-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-36-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-49-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-52-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-67-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-68-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-69-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-71-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-72-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-74-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-76-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-78-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1956-80-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/4540-114-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4540-156-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57abd0 | e57ab53.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ab53.exe
File created | C:\Windows\e57fbf4 | e57ce3d.exe
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ab53.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57acf9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ce3d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ce6c.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1956 | e57ab53.exe
1956 | e57ab53.exe
1956 | e57ab53.exe
1956 | e57ab53.exe
4540 | e57ce3d.exe
4540 | e57ce3d.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1956 | e57ab53.exe (64 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows are collapsed and marked xN)
PID 2708 wrote to memory of 2876 | 2708 | rundll32.exe | 83 (x3)
PID 2876 wrote to memory of 1956 | 2876 | rundll32.exe | 84 (x3)
PID 1956 wrote to memory of 788 | 1956 | e57ab53.exe | 8
PID 1956 wrote to memory of 792 | 1956 | e57ab53.exe | 9
PID 1956 wrote to memory of 388 | 1956 | e57ab53.exe | 13
PID 1956 wrote to memory of 3008 | 1956 | e57ab53.exe | 50
PID 1956 wrote to memory of 3052 | 1956 | e57ab53.exe | 51
PID 1956 wrote to memory of 3100 | 1956 | e57ab53.exe | 52
PID 1956 wrote to memory of 3436 | 1956 | e57ab53.exe | 56
PID 1956 wrote to memory of 3568 | 1956 | e57ab53.exe | 57
PID 1956 wrote to memory of 3744 | 1956 | e57ab53.exe | 58
PID 1956 wrote to memory of 3832 | 1956 | e57ab53.exe | 59
PID 1956 wrote to memory of 3896 | 1956 | e57ab53.exe | 60
PID 1956 wrote to memory of 3980 | 1956 | e57ab53.exe | 61
PID 1956 wrote to memory of 3372 | 1956 | e57ab53.exe | 62
PID 1956 wrote to memory of 5072 | 1956 | e57ab53.exe | 65
PID 1956 wrote to memory of 4792 | 1956 | e57ab53.exe | 75
PID 1956 wrote to memory of 1660 | 1956 | e57ab53.exe | 81
PID 1956 wrote to memory of 2708 | 1956 | e57ab53.exe | 82
PID 1956 wrote to memory of 2876 | 1956 | e57ab53.exe | 83 (x2)
PID 2876 wrote to memory of 3552 | 2876 | rundll32.exe | 85 (x3)
PID 2876 wrote to memory of 4540 | 2876 | rundll32.exe | 86 (x3)
PID 2876 wrote to memory of 1544 | 2876 | rundll32.exe | 87 (x3)
PID 1956 wrote to memory of 788 | 1956 | e57ab53.exe | 8
PID 1956 wrote to memory of 792 | 1956 | e57ab53.exe | 9
PID 1956 wrote to memory of 388 | 1956 | e57ab53.exe | 13
PID 1956 wrote to memory of 3008 | 1956 | e57ab53.exe | 50
PID 1956 wrote to memory of 3052 | 1956 | e57ab53.exe | 51
PID 1956 wrote to memory of 3100 | 1956 | e57ab53.exe | 52
PID 1956 wrote to memory of 3436 | 1956 | e57ab53.exe | 56
PID 1956 wrote to memory of 3568 | 1956 | e57ab53.exe | 57
PID 1956 wrote to memory of 3744 | 1956 | e57ab53.exe | 58
PID 1956 wrote to memory of 3832 | 1956 | e57ab53.exe | 59
PID 1956 wrote to memory of 3896 | 1956 | e57ab53.exe | 60
PID 1956 wrote to memory of 3980 | 1956 | e57ab53.exe | 61
PID 1956 wrote to memory of 3372 | 1956 | e57ab53.exe | 62
PID 1956 wrote to memory of 5072 | 1956 | e57ab53.exe | 65
PID 1956 wrote to memory of 4792 | 1956 | e57ab53.exe | 75
PID 1956 wrote to memory of 1660 | 1956 | e57ab53.exe | 81
PID 1956 wrote to memory of 3552 | 1956 | e57ab53.exe | 85 (x2)
PID 1956 wrote to memory of 4540 | 1956 | e57ab53.exe | 86 (x2)
PID 1956 wrote to memory of 1544 | 1956 | e57ab53.exe | 87 (x2)
PID 4540 wrote to memory of 788 | 4540 | e57ce3d.exe | 8
PID 4540 wrote to memory of 792 | 4540 | e57ce3d.exe | 9
PID 4540 wrote to memory of 388 | 4540 | e57ce3d.exe | 13
PID 4540 wrote to memory of 3008 | 4540 | e57ce3d.exe | 50
PID 4540 wrote to memory of 3052 | 4540 | e57ce3d.exe | 51
PID 4540 wrote to memory of 3100 | 4540 | e57ce3d.exe | 52
PID 4540 wrote to memory of 3436 | 4540 | e57ce3d.exe | 56
PID 4540 wrote to memory of 3568 | 4540 | e57ce3d.exe | 57
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab53.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ce3d.exe
Processes
(process tree; child processes are indented under their parent)
-
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 788
-
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 792
-
C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 388
-
C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 3008
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 3052
-
C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 3100
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3436
  -
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 2708
    -
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2876
      -
      C:\Users\Admin\AppData\Local\Temp\e57ab53.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57ab53.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 1956
      -
      C:\Users\Admin\AppData\Local\Temp\e57acf9.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57acf9.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3552
      -
      C:\Users\Admin\AppData\Local\Temp\e57ce3d.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57ce3d.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 4540
      -
      C:\Users\Admin\AppData\Local\Temp\e57ce6c.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57ce6c.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1544
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3568
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3744
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3832
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3896
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3980
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3372
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 5072
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4792
-
C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1660
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: f863570d04d5ba3acdeaa906981e9081
SHA1: ed0cddcc73ca643e1d90ef81be62f42f0a8f4115
SHA256: 010cd4ab4d4a31a404c6beda5ee7359323905b6f896ad9fc9b09d2f79d77c464
SHA512: e448b6987aa0cd5411b5b0d0156ba076df66b97eb0cd5933d96ff7541b0a17d9d059ac8ed57b1f371b538bdaf83c296edf5ff987ebc82e937c1291706cac652c
-
Filesize: 257B
MD5: 3cab09338c5d80189bcacd8011c88a45
SHA1: a6778e8007921d604850c9f75e3bbe4a5b96cd5f
SHA256: 8f64a6f96622439a5910209aaf44dd47d21e4b6f833ee96cc93ba262dc24c532
SHA512: a66942a31bb40a4dbe48d8ab62c4fce490c0ddc64f6b26163ab9d6d8a4a3f27a4aa7d23ec896c2f84839105dfe88c871628aa470ef4e761c190cbc6bd49c5456