Analysis

max time kernel: 32s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 02:02

Static task: static1
Behavioral task: behavioral1
Sample: e80405ef16edc0ea6db2f3d96e24f8907506f7dec26e7bcfba0e4c31e65587dbN.dll
Resource: win7-20240729-en
General

Target: e80405ef16edc0ea6db2f3d96e24f8907506f7dec26e7bcfba0e4c31e65587dbN.dll
Size: 120KB
MD5: 1ac1b855056f20a0cb8206dc8616adb0
SHA1: f10c28bf84296a5ef3a14f0d957afb0f2a288aca
SHA256: e80405ef16edc0ea6db2f3d96e24f8907506f7dec26e7bcfba0e4c31e65587db
SHA512: 6775c64a29a48d3cc8de11f403d6223c1ae30fd4e3a312cb41f5b4e2c35634fe4a36d0effeed1ea6a35f3d848635e0948b22c368e4b07b9d8460bc33804274c6
SSDEEP: 3072:xdTlgQ9WqLOAjvHs2wa7eh++nzZudLu1Ip:xdT19LDcUdLue
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57eaec.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57eaec.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57eaec.exe

Executes dropped EXE (4 IoCs)
pid | Process
2244 | e57b8b1.exe
1588 | e57b9ea.exe
3420 | e57eaec.exe
776 | e57eb4a.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b8b1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57eaec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57eaec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57eaec.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57eaec.exe

Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57b8b1.exe
File opened (read-only) | \??\I: | e57b8b1.exe
File opened (read-only) | \??\M: | e57b8b1.exe
File opened (read-only) | \??\H: | e57eaec.exe
File opened (read-only) | \??\E: | e57eaec.exe
File opened (read-only) | \??\G: | e57eaec.exe
File opened (read-only) | \??\I: | e57eaec.exe
File opened (read-only) | \??\G: | e57b8b1.exe
File opened (read-only) | \??\H: | e57b8b1.exe
File opened (read-only) | \??\J: | e57b8b1.exe
File opened (read-only) | \??\K: | e57b8b1.exe
File opened (read-only) | \??\L: | e57b8b1.exe

YARA rule matches (28 memory dumps, rule: upx)
resource | yara_rule
behavioral2/memory/2244-N-0x00000000007C0000-0x000000000187A000-memory.dmp (N = 6, 8, 9, 10, 11, 16, 27, 28, 33, 34, 35, 36, 37, 38, 39, 40, 46, 58, 63, 65, 66, 68, 69, 72, 75; 25 dumps) | upx
behavioral2/memory/3420-N-0x0000000000800000-0x00000000018BA000-memory.dmp (N = 102, 115, 157; 3 dumps) | upx

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57b8ff | e57b8b1.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b8b1.exe
File created | C:\Windows\e581279 | e57eaec.exe

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b8b1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b9ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57eaec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57eb4a.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2244 | e57b8b1.exe (4 entries)
3420 | e57eaec.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2244 | e57b8b1.exe (64 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (identical entries collapsed; count in brackets)
PID 2060 wrote to memory of 1964 | 2060 | rundll32.exe | 82 [3]
PID 1964 wrote to memory of 2244 | 1964 | rundll32.exe | 83 [3]
PID 1964 wrote to memory of 1588 | 1964 | rundll32.exe | 84 [3]
PID 1964 wrote to memory of 3420 | 1964 | rundll32.exe | 85 [3]
PID 1964 wrote to memory of 776 | 1964 | rundll32.exe | 86 [3]
PID 2244 wrote to memory of 784 | 2244 | e57b8b1.exe | 8 [2]
PID 2244 wrote to memory of 788 | 2244 | e57b8b1.exe | 9 [2]
PID 2244 wrote to memory of 380 | 2244 | e57b8b1.exe | 13 [2]
PID 2244 wrote to memory of 2896 | 2244 | e57b8b1.exe | 50 [2]
PID 2244 wrote to memory of 2948 | 2244 | e57b8b1.exe | 51 [2]
PID 2244 wrote to memory of 3060 | 2244 | e57b8b1.exe | 52 [2]
PID 2244 wrote to memory of 3500 | 2244 | e57b8b1.exe | 56 [2]
PID 2244 wrote to memory of 3624 | 2244 | e57b8b1.exe | 57 [2]
PID 2244 wrote to memory of 3832 | 2244 | e57b8b1.exe | 58 [2]
PID 2244 wrote to memory of 3920 | 2244 | e57b8b1.exe | 59 [2]
PID 2244 wrote to memory of 3984 | 2244 | e57b8b1.exe | 60 [2]
PID 2244 wrote to memory of 4088 | 2244 | e57b8b1.exe | 61 [2]
PID 2244 wrote to memory of 3864 | 2244 | e57b8b1.exe | 62 [2]
PID 2244 wrote to memory of 1704 | 2244 | e57b8b1.exe | 64 [2]
PID 2244 wrote to memory of 1768 | 2244 | e57b8b1.exe | 75 [2]
PID 2244 wrote to memory of 2060 | 2244 | e57b8b1.exe | 81 [2]
PID 2244 wrote to memory of 1964 | 2244 | e57b8b1.exe | 82 [2]
PID 2244 wrote to memory of 1588 | 2244 | e57b8b1.exe | 84 [2]
PID 3420 wrote to memory of 784 | 3420 | e57eaec.exe | 8
PID 3420 wrote to memory of 788 | 3420 | e57eaec.exe | 9
PID 3420 wrote to memory of 380 | 3420 | e57eaec.exe | 13
PID 3420 wrote to memory of 2896 | 3420 | e57eaec.exe | 50
PID 3420 wrote to memory of 2948 | 3420 | e57eaec.exe | 51
PID 3420 wrote to memory of 3060 | 3420 | e57eaec.exe | 52
PID 3420 wrote to memory of 3500 | 3420 | e57eaec.exe | 56
PID 3420 wrote to memory of 3624 | 3420 | e57eaec.exe | 57
PID 3420 wrote to memory of 3832 | 3420 | e57eaec.exe | 58
PID 3420 wrote to memory of 3920 | 3420 | e57eaec.exe | 59
PID 3420 wrote to memory of 3984 | 3420 | e57eaec.exe | 60
PID 3420 wrote to memory of 4088 | 3420 | e57eaec.exe | 61
PID 3420 wrote to memory of 3864 | 3420 | e57eaec.exe | 62

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b8b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57eaec.exe
Processes

C:\Windows\system32\fontdrvhost.exe (depth 1)
    Command line: "fontdrvhost.exe"
    PID: 784

C:\Windows\system32\fontdrvhost.exe (depth 1)
    Command line: "fontdrvhost.exe"
    PID: 788

C:\Windows\system32\dwm.exe (depth 1)
    Command line: "dwm.exe"
    PID: 380

C:\Windows\system32\sihost.exe (depth 1)
    Command line: sihost.exe
    PID: 2896

C:\Windows\system32\svchost.exe (depth 1)
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2948

C:\Windows\system32\taskhostw.exe (depth 1)
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 3060

C:\Windows\Explorer.EXE (depth 1)
    Command line: C:\Windows\Explorer.EXE
    PID: 3500

    C:\Windows\system32\rundll32.exe (depth 2)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e80405ef16edc0ea6db2f3d96e24f8907506f7dec26e7bcfba0e4c31e65587dbN.dll,#1
        Signatures: Suspicious use of WriteProcessMemory
        PID: 2060

        C:\Windows\SysWOW64\rundll32.exe (depth 3)
            Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e80405ef16edc0ea6db2f3d96e24f8907506f7dec26e7bcfba0e4c31e65587dbN.dll,#1
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            PID: 1964

            C:\Users\Admin\AppData\Local\Temp\e57b8b1.exe (depth 4)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57b8b1.exe
                Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
                PID: 2244

            C:\Users\Admin\AppData\Local\Temp\e57b9ea.exe (depth 4)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57b9ea.exe
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
                PID: 1588

            C:\Users\Admin\AppData\Local\Temp\e57eaec.exe (depth 4)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57eaec.exe
                Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
                PID: 3420

            C:\Users\Admin\AppData\Local\Temp\e57eb4a.exe (depth 4)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57eb4a.exe
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
                PID: 776

C:\Windows\system32\svchost.exe (depth 1)
    Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3624

C:\Windows\system32\DllHost.exe (depth 1)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3832

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3920

C:\Windows\System32\RuntimeBroker.exe (depth 1)
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1)
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4088

C:\Windows\System32\RuntimeBroker.exe (depth 1)
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3864

C:\Windows\System32\RuntimeBroker.exe (depth 1)
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 1704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (depth 1)
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 1768
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)

Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: af5c81b2983292935dc85074102841aa
SHA1: 94a87a31f241b33c886ed16678fcbe3976010e93
SHA256: 6bdaa9e423fcf163398fc22b9c933772dba833979ae8462b409b2e274be26dca
SHA512: f109e1dc38696fac710a9065db75cdcaff338c6330b1fe04df85ea3176aa6812e8a658701fd8141183231fc8b9efcb42c444c8dc2af823ae63c2751abb4ead7b

Filesize: 257B
MD5: d97eda9bd9552cc08e4ff03d000600c9
SHA1: bafe8d1d9afd0f7ac1479c52af81ac1c5a906de1
SHA256: 7ad1e0583c58507d0b21fd1a6a7c5911eb0fa10d380ec8f33ba5c1e06bd5ec86
SHA512: 117f2aa2a2f318324dd35c583d937dccb5bbfe36185edf52720753458ad1701cf14d09cc9ad8729a679c75da1b489333c3ac8c8fe4d3bbf4ac9e0fdac6393a7c