Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 02:51
Static task: static1
Behavioral task: behavioral1
Sample: f06956923f383a5c2b204d6b3a44d2ef304ce03c43e80e092093392a54e82107N.dll
Resource: win7-20240729-en
General
Target: f06956923f383a5c2b204d6b3a44d2ef304ce03c43e80e092093392a54e82107N.dll
Size: 120KB
MD5: 60b89f2e98956f79b4828f551ccc1b00
SHA1: 0e603de4ccb826c8aec4cf915843638fa2ecb658
SHA256: f06956923f383a5c2b204d6b3a44d2ef304ce03c43e80e092093392a54e82107
SHA512: 2b91da0bc3eb83b5a3ec7948fcd487c56438bc24102254cd2775344de40178f36c1b0bc7bd0a51797dd1d37d411127be47d3f7bdf6087f076e213e2d2e6aa964
SSDEEP: 3072:NqyUI87ZFJyBB2941Hoe2s6uK4v0FWsq+Hf:8yP8HeAwIqZ0gsq
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579829.exe
Sality family

UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579829.exe

Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57757e.exe
Executes dropped EXE (3 IoCs)
pid | Process
4680 | e57757e.exe
1236 | e5776a7.exe
1168 | e579829.exe
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57757e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579829.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579829.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57757e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579829.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57757e.exe
File opened (read-only) | \??\L: | e57757e.exe
File opened (read-only) | \??\M: | e57757e.exe
File opened (read-only) | \??\E: | e579829.exe
File opened (read-only) | \??\G: | e579829.exe
File opened (read-only) | \??\H: | e579829.exe
File opened (read-only) | \??\E: | e57757e.exe
File opened (read-only) | \??\G: | e57757e.exe
File opened (read-only) | \??\I: | e57757e.exe
File opened (read-only) | \??\N: | e57757e.exe
File opened (read-only) | \??\P: | e57757e.exe
File opened (read-only) | \??\J: | e57757e.exe
File opened (read-only) | \??\O: | e57757e.exe
File opened (read-only) | \??\K: | e57757e.exe
Yara rule match: upx (31 IoCs)
resource | yara_rule
behavioral2/memory/4680-{6,8,9,10,11,12,28,31,33,34,35,36,37,38,39,49,50,60,61,63,65,66,67,70,72,76,77,79,83}-0x0000000000850000-0x000000000190A000-memory.dmp (29 snapshots of PID 4680, same region) | upx
behavioral2/memory/1168-{105,150}-0x0000000000B30000-0x0000000001BEA000-memory.dmp (2 snapshots of PID 1168, same region) | upx
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57757e.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57757e.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57757e.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5775cc | e57757e.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57757e.exe
File created | C:\Windows\e57c68c | e579829.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579829.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57757e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5776a7.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4680 | e57757e.exe (4 entries)
1168 | e579829.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4680 | e57757e.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | target PIDs
wrote to memory of | 2708 | rundll32.exe | 2844 (3 entries)
wrote to memory of | 2844 | rundll32.exe | 4680, 1236, 1168 (3 entries each, 9 total)
wrote to memory of | 4680 | e57757e.exe | 804, 808, 60, 2500, 2528, 2684, 3516, 3640, 3820, 3916, 3984, 4068, 3708, 1860, 1680, 2708, 2844, 1236, 1168 (37 entries; every target except 2708 appears twice)
wrote to memory of | 1168 | e579829.exe | 804, 808, 60, 2500, 2528, 2684, 3516, 3640, 3820, 3916, 3984, 4068, 3708, 1860, 1680 (15 entries)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579829.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57757e.exe
Processes
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  (PID 804)
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  (PID 808)
- C:\Windows\system32\dwm.exe  "dwm.exe"  (PID 60)
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  (PID 2500)
- C:\Windows\system32\sihost.exe  sihost.exe  (PID 2528)
- C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  (PID 2684)
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 3516)
- C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f06956923f383a5c2b204d6b3a44d2ef304ce03c43e80e092093392a54e82107N.dll,#1  (PID 2708)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f06956923f383a5c2b204d6b3a44d2ef304ce03c43e80e092093392a54e82107N.dll,#1  (PID 2844)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e57757e.exe  C:\Users\Admin\AppData\Local\Temp\e57757e.exe  (PID 4680)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\e5776a7.exe  C:\Users\Admin\AppData\Local\Temp\e5776a7.exe  (PID 1236)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\e579829.exe  C:\Users\Admin\AppData\Local\Temp\e579829.exe  (PID 1168)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  (PID 3640)
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 3820)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  (PID 3916)
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3984)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  (PID 4068)
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3708)
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  (PID 1860)
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 1680)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 63700771aa6094d4db46188c03b6e332
  SHA1: 070e005d025567ace050674ffb4c8ef0fd0bf33c
  SHA256: f6376cbf69aff22e45ec581f868c6f2d61ddede7d1080e66fce266b4756df784
  SHA512: bf04a54face685b3841587dd98ad6c6f5ebb03848420aba01fb90f1bf00257926f11400f9a5990aad5db6d401482198af2741fbd95ae48f8f26addbde6356d3e
- Filesize: 257B
  MD5: 87b949447ac4db8810c60ce4d678dcd6
  SHA1: 7436ecb0e1127b2db0d1d708ce2198a0eea50f0f
  SHA256: 2fb4ea0fb571e9b51c3983c5a088ae3edc5fe5459b4dfd05f280eaee67ac525f
  SHA512: 70446d07b9fe14c62fa8a7fc5bf2a14c5f40dfe910e014d4bddaf2c78947054c2e21fc6875cc344ab66afc8cbc7ee89a50710f8887e48123b5b338410b7819a5