Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2024, 20:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll
- Resource: win7-20240903-en
General
- Target: 3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll
- Size: 120KB
- MD5: 35daebe77f7f9e5d9687fe7aa2ae10ec
- SHA1: c55102490f8281eeca2e8fd4a0deee411f7e81b8
- SHA256: 3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0
- SHA512: 325ded718ca68629440b6def683438c422ed09857139d8922bda535c698397b0ad26760f361987fd61285179639d809ff7c25c19661fbe33383e477e80d57fa9
- SSDEEP: 3072:KWq52BJcoVCpyTSBTG2y5L1Nsa3eCsKsc+x:JqIjVkyTATGN5LMCFMx
Malware Config (extracted)
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d570.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d570.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d88d.exe
Executes dropped EXE 4 IoCs
pid | Process
816 | e57d570.exe
4336 | e57d88d.exe
4852 | e57f08a.exe
2864 | e57f0a9.exe

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d570.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d88d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d88d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d88d.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d88d.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e57d570.exe
File opened (read-only) | \??\P: | e57d570.exe
File opened (read-only) | \??\Q: | e57d570.exe
File opened (read-only) | \??\J: | e57d570.exe
File opened (read-only) | \??\M: | e57d570.exe
File opened (read-only) | \??\S: | e57d570.exe
File opened (read-only) | \??\G: | e57d570.exe
File opened (read-only) | \??\H: | e57d570.exe
File opened (read-only) | \??\K: | e57d570.exe
File opened (read-only) | \??\O: | e57d570.exe
File opened (read-only) | \??\E: | e57d570.exe
File opened (read-only) | \??\I: | e57d570.exe
File opened (read-only) | \??\N: | e57d570.exe
File opened (read-only) | \??\R: | e57d570.exe

resource | yara_rule
behavioral2/memory/816-6-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-10-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-18-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-11-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-8-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-9-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-19-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-17-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-21-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-22-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-20-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-37-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-38-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-39-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-40-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-41-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-43-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-44-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-58-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-60-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-62-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-64-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-78-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-81-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-83-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-84-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-85-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-92-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-94-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-96-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-98-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/816-109-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4336-133-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4336-151-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57d570.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57d570.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57d570.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57d570.exe

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57d5ed | e57d570.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57d570.exe
File created | C:\Windows\e58271b | e57d88d.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f0a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d570.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d88d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f08a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
816 | e57d570.exe
816 | e57d570.exe
816 | e57d570.exe
816 | e57d570.exe
4336 | e57d88d.exe
4336 | e57d88d.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 816 | e57d570.exe (this identical row appears 64 times in the report)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3976 wrote to memory of 4356 | 3976 | rundll32.exe | 83
PID 3976 wrote to memory of 4356 | 3976 | rundll32.exe | 83
PID 3976 wrote to memory of 4356 | 3976 | rundll32.exe | 83
PID 4356 wrote to memory of 816 | 4356 | rundll32.exe | 84
PID 4356 wrote to memory of 816 | 4356 | rundll32.exe | 84
PID 4356 wrote to memory of 816 | 4356 | rundll32.exe | 84
PID 816 wrote to memory of 796 | 816 | e57d570.exe | 9
PID 816 wrote to memory of 800 | 816 | e57d570.exe | 10
PID 816 wrote to memory of 384 | 816 | e57d570.exe | 13
PID 816 wrote to memory of 2784 | 816 | e57d570.exe | 49
PID 816 wrote to memory of 2808 | 816 | e57d570.exe | 50
PID 816 wrote to memory of 3048 | 816 | e57d570.exe | 52
PID 816 wrote to memory of 3456 | 816 | e57d570.exe | 56
PID 816 wrote to memory of 3584 | 816 | e57d570.exe | 57
PID 816 wrote to memory of 3760 | 816 | e57d570.exe | 58
PID 816 wrote to memory of 3844 | 816 | e57d570.exe | 59
PID 816 wrote to memory of 3912 | 816 | e57d570.exe | 60
PID 816 wrote to memory of 3992 | 816 | e57d570.exe | 61
PID 816 wrote to memory of 3604 | 816 | e57d570.exe | 62
PID 816 wrote to memory of 4148 | 816 | e57d570.exe | 64
PID 816 wrote to memory of 5076 | 816 | e57d570.exe | 75
PID 816 wrote to memory of 3860 | 816 | e57d570.exe | 81
PID 816 wrote to memory of 3976 | 816 | e57d570.exe | 82
PID 816 wrote to memory of 4356 | 816 | e57d570.exe | 83
PID 816 wrote to memory of 4356 | 816 | e57d570.exe | 83
PID 4356 wrote to memory of 4336 | 4356 | rundll32.exe | 85
PID 4356 wrote to memory of 4336 | 4356 | rundll32.exe | 85
PID 4356 wrote to memory of 4336 | 4356 | rundll32.exe | 85
PID 4356 wrote to memory of 4852 | 4356 | rundll32.exe | 87
PID 4356 wrote to memory of 4852 | 4356 | rundll32.exe | 87
PID 4356 wrote to memory of 4852 | 4356 | rundll32.exe | 87
PID 4356 wrote to memory of 2864 | 4356 | rundll32.exe | 88
PID 4356 wrote to memory of 2864 | 4356 | rundll32.exe | 88
PID 4356 wrote to memory of 2864 | 4356 | rundll32.exe | 88
PID 816 wrote to memory of 796 | 816 | e57d570.exe | 9
PID 816 wrote to memory of 800 | 816 | e57d570.exe | 10
PID 816 wrote to memory of 384 | 816 | e57d570.exe | 13
PID 816 wrote to memory of 2784 | 816 | e57d570.exe | 49
PID 816 wrote to memory of 2808 | 816 | e57d570.exe | 50
PID 816 wrote to memory of 3048 | 816 | e57d570.exe | 52
PID 816 wrote to memory of 3456 | 816 | e57d570.exe | 56
PID 816 wrote to memory of 3584 | 816 | e57d570.exe | 57
PID 816 wrote to memory of 3760 | 816 | e57d570.exe | 58
PID 816 wrote to memory of 3844 | 816 | e57d570.exe | 59
PID 816 wrote to memory of 3912 | 816 | e57d570.exe | 60
PID 816 wrote to memory of 3992 | 816 | e57d570.exe | 61
PID 816 wrote to memory of 3604 | 816 | e57d570.exe | 62
PID 816 wrote to memory of 4148 | 816 | e57d570.exe | 64
PID 816 wrote to memory of 5076 | 816 | e57d570.exe | 75
PID 816 wrote to memory of 4336 | 816 | e57d570.exe | 85
PID 816 wrote to memory of 4336 | 816 | e57d570.exe | 85
PID 816 wrote to memory of 4852 | 816 | e57d570.exe | 87
PID 816 wrote to memory of 4852 | 816 | e57d570.exe | 87
PID 816 wrote to memory of 2864 | 816 | e57d570.exe | 88
PID 816 wrote to memory of 2864 | 816 | e57d570.exe | 88
PID 4336 wrote to memory of 796 | 4336 | e57d88d.exe | 9
PID 4336 wrote to memory of 800 | 4336 | e57d88d.exe | 10
PID 4336 wrote to memory of 384 | 4336 | e57d88d.exe | 13
PID 4336 wrote to memory of 2784 | 4336 | e57d88d.exe | 49
PID 4336 wrote to memory of 2808 | 4336 | e57d88d.exe | 50
PID 4336 wrote to memory of 3048 | 4336 | e57d88d.exe | 52
PID 4336 wrote to memory of 3456 | 4336 | e57d88d.exe | 56
PID 4336 wrote to memory of 3584 | 4336 | e57d88d.exe | 57
PID 4336 wrote to memory of 3760 | 4336 | e57d88d.exe | 58

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d570.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d88d.exe
Processes (process tree; child processes and triggered signatures are nested under their parent)
- C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | PID: 796
- C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | PID: 800
- C:\Windows\system32\dwm.exe | cmdline: "dwm.exe" | PID: 384
- C:\Windows\system32\sihost.exe | cmdline: sihost.exe | PID: 2784
- C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 2808
- C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 3048
- C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE | PID: 3456
  - C:\Windows\system32\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll,#1 | PID: 3976
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll,#1 | PID: 4356
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57d570.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57d570.exe | PID: 816
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57d88d.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57d88d.exe | PID: 4336
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57f08a.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57f08a.exe | PID: 4852
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57f0a9.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57f0a9.exe | PID: 2864
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 3584
- C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3760
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3844
- C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 3992
- C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3604
- C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 4148
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID: 5076
- C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID: 3860
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: e6d2a6e91fe52643353bf8a173744eda
  SHA1: 4b829916acbf3d4592080c5e7b1625bac20e3ef3
  SHA256: 716b462bbde3398737bea237198d86e00cd41d8ad5d10cd5af22dc008bf8c1b1
  SHA512: 2cfd5ff115add2392bff73767736d72efb4089f08cd9f0b3e2fb9019e8094ee0547683887d247e1afb22b353df2034ed99789d2c7977351e7d3efc8f730191c2
- Filesize: 257B
  MD5: 732053ab27c9873f7e25b90269e577b1
  SHA1: 238a8a64358404edf712048d997966e575a1c707
  SHA256: 62d6ad8d7d6d8dac88155b00d47ca7c3c8c8607116c17bc3ac736a02b55da7c6
  SHA512: 303ec5387656aef5546631e3d5e6180cf4f5ce2f6be1f30fbbb8aa0ceacc21554d596437cdb970fe4cbd14a93073f52b3c65d3f9b135ad05891e9add176402be