Analysis
- max time kernel: 28s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 07-12-2024 03:25
Static task: static1
Behavioral task: behavioral1
Sample: fa4831a044629ddae349896b5cc6b2dc47015b76cd09c88b9029b188dd13f915.dll
Resource: win7-20240903-en
General
- Target: fa4831a044629ddae349896b5cc6b2dc47015b76cd09c88b9029b188dd13f915.dll
- Size: 120KB
- MD5: ea5dfd10ef14c8c2e7c8489d4f4a6edd
- SHA1: dac3c6a3b77b095034db3630bc0f6b9169d61d3a
- SHA256: fa4831a044629ddae349896b5cc6b2dc47015b76cd09c88b9029b188dd13f915
- SHA512: 03333e3bf9f55b8e10a1b5cf0d21dd19f3bfa3f5971c1465f48b667f22f45434b782c0f051ee9eb981855d1d853d6296d8d1fac9d6019a2392a5bd3c57bdf030
- SSDEEP: 1536:Vbv5J+HgKH142iN+dMwx5WD38btu41kGa79xb4z/m5rZjyBkSnX/3Bx0lG:V7/7KH142i7CIbot9g9xb4ql2uSP3Bd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5794be.exe
Sality family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5794be.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5794be.exe
Executes dropped EXE 3 IoCs
pid | Process
4444 | e5771a6.exe
1996 | e5772ce.exe
2428 | e5794be.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5794be.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5771a6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5794be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5794be.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5794be.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e5794be.exe
File opened (read-only) | \??\I: | e5771a6.exe
File opened (read-only) | \??\M: | e5771a6.exe
File opened (read-only) | \??\K: | e5771a6.exe
File opened (read-only) | \??\N: | e5771a6.exe
File opened (read-only) | \??\G: | e5771a6.exe
File opened (read-only) | \??\H: | e5771a6.exe
File opened (read-only) | \??\L: | e5771a6.exe
File opened (read-only) | \??\O: | e5771a6.exe
File opened (read-only) | \??\Q: | e5771a6.exe
File opened (read-only) | \??\H: | e5794be.exe
File opened (read-only) | \??\E: | e5771a6.exe
File opened (read-only) | \??\J: | e5771a6.exe
File opened (read-only) | \??\P: | e5771a6.exe
File opened (read-only) | \??\E: | e5794be.exe
resource | yara_rule
behavioral2/memory/4444-8-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-17-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-11-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-25-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-9-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-10-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-6-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-34-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-33-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-32-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-35-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-37-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-38-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-39-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-40-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-42-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-51-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-58-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-64-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-67-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-68-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-71-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-73-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-76-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-77-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-79-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-85-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4444-86-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/2428-121-0x0000000000B80000-0x0000000001C3A000-memory.dmp | upx
behavioral2/memory/2428-157-0x0000000000B80000-0x0000000001C3A000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5771a6.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5771a6.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5771a6.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e577232 | e5771a6.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5771a6.exe
File created | C:\Windows\e57c208 | e5794be.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5771a6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5772ce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5794be.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4444 | e5771a6.exe
4444 | e5771a6.exe
4444 | e5771a6.exe
4444 | e5771a6.exe
2428 | e5794be.exe
2428 | e5794be.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4444 | e5771a6.exe (this identical row is repeated 64 times in the report)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4904 wrote to memory of 3076 | 4904 | rundll32.exe | 83
PID 4904 wrote to memory of 3076 | 4904 | rundll32.exe | 83
PID 4904 wrote to memory of 3076 | 4904 | rundll32.exe | 83
PID 3076 wrote to memory of 4444 | 3076 | rundll32.exe | 84
PID 3076 wrote to memory of 4444 | 3076 | rundll32.exe | 84
PID 3076 wrote to memory of 4444 | 3076 | rundll32.exe | 84
PID 4444 wrote to memory of 788 | 4444 | e5771a6.exe | 9
PID 4444 wrote to memory of 796 | 4444 | e5771a6.exe | 10
PID 4444 wrote to memory of 316 | 4444 | e5771a6.exe | 13
PID 4444 wrote to memory of 2652 | 4444 | e5771a6.exe | 44
PID 4444 wrote to memory of 2664 | 4444 | e5771a6.exe | 45
PID 4444 wrote to memory of 2844 | 4444 | e5771a6.exe | 51
PID 4444 wrote to memory of 3488 | 4444 | e5771a6.exe | 56
PID 4444 wrote to memory of 3632 | 4444 | e5771a6.exe | 57
PID 4444 wrote to memory of 3848 | 4444 | e5771a6.exe | 58
PID 4444 wrote to memory of 3940 | 4444 | e5771a6.exe | 59
PID 4444 wrote to memory of 4000 | 4444 | e5771a6.exe | 60
PID 4444 wrote to memory of 4088 | 4444 | e5771a6.exe | 61
PID 4444 wrote to memory of 3844 | 4444 | e5771a6.exe | 62
PID 4444 wrote to memory of 4116 | 4444 | e5771a6.exe | 75
PID 4444 wrote to memory of 1040 | 4444 | e5771a6.exe | 76
PID 4444 wrote to memory of 1968 | 4444 | e5771a6.exe | 81
PID 4444 wrote to memory of 4904 | 4444 | e5771a6.exe | 82
PID 4444 wrote to memory of 3076 | 4444 | e5771a6.exe | 83
PID 4444 wrote to memory of 3076 | 4444 | e5771a6.exe | 83
PID 3076 wrote to memory of 1996 | 3076 | rundll32.exe | 85
PID 3076 wrote to memory of 1996 | 3076 | rundll32.exe | 85
PID 3076 wrote to memory of 1996 | 3076 | rundll32.exe | 85
PID 3076 wrote to memory of 2428 | 3076 | rundll32.exe | 86
PID 3076 wrote to memory of 2428 | 3076 | rundll32.exe | 86
PID 3076 wrote to memory of 2428 | 3076 | rundll32.exe | 86
PID 4444 wrote to memory of 788 | 4444 | e5771a6.exe | 9
PID 4444 wrote to memory of 796 | 4444 | e5771a6.exe | 10
PID 4444 wrote to memory of 316 | 4444 | e5771a6.exe | 13
PID 4444 wrote to memory of 2652 | 4444 | e5771a6.exe | 44
PID 4444 wrote to memory of 2664 | 4444 | e5771a6.exe | 45
PID 4444 wrote to memory of 2844 | 4444 | e5771a6.exe | 51
PID 4444 wrote to memory of 3488 | 4444 | e5771a6.exe | 56
PID 4444 wrote to memory of 3632 | 4444 | e5771a6.exe | 57
PID 4444 wrote to memory of 3848 | 4444 | e5771a6.exe | 58
PID 4444 wrote to memory of 3940 | 4444 | e5771a6.exe | 59
PID 4444 wrote to memory of 4000 | 4444 | e5771a6.exe | 60
PID 4444 wrote to memory of 4088 | 4444 | e5771a6.exe | 61
PID 4444 wrote to memory of 3844 | 4444 | e5771a6.exe | 62
PID 4444 wrote to memory of 4116 | 4444 | e5771a6.exe | 75
PID 4444 wrote to memory of 1040 | 4444 | e5771a6.exe | 76
PID 4444 wrote to memory of 1968 | 4444 | e5771a6.exe | 81
PID 4444 wrote to memory of 1996 | 4444 | e5771a6.exe | 85
PID 4444 wrote to memory of 1996 | 4444 | e5771a6.exe | 85
PID 4444 wrote to memory of 2428 | 4444 | e5771a6.exe | 86
PID 4444 wrote to memory of 2428 | 4444 | e5771a6.exe | 86
PID 2428 wrote to memory of 788 | 2428 | e5794be.exe | 9
PID 2428 wrote to memory of 796 | 2428 | e5794be.exe | 10
PID 2428 wrote to memory of 316 | 2428 | e5794be.exe | 13
PID 2428 wrote to memory of 2652 | 2428 | e5794be.exe | 44
PID 2428 wrote to memory of 2664 | 2428 | e5794be.exe | 45
PID 2428 wrote to memory of 2844 | 2428 | e5794be.exe | 51
PID 2428 wrote to memory of 3488 | 2428 | e5794be.exe | 56
PID 2428 wrote to memory of 3632 | 2428 | e5794be.exe | 57
PID 2428 wrote to memory of 3848 | 2428 | e5794be.exe | 58
PID 2428 wrote to memory of 3940 | 2428 | e5794be.exe | 59
PID 2428 wrote to memory of 4000 | 2428 | e5794be.exe | 60
PID 2428 wrote to memory of 4088 | 2428 | e5794be.exe | 61
PID 2428 wrote to memory of 3844 | 2428 | e5794be.exe | 62
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5771a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5794be.exe
Processes
Process tree (image path | command line | PID; children are indented under their parent, signatures listed per process):
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2652
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2664
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2844
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3488
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa4831a044629ddae349896b5cc6b2dc47015b76cd09c88b9029b188dd13f915.dll,#1 | PID:4904
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa4831a044629ddae349896b5cc6b2dc47015b76cd09c88b9029b188dd13f915.dll,#1 | PID:3076
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5771a6.exe | C:\Users\Admin\AppData\Local\Temp\e5771a6.exe | PID:4444
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5772ce.exe | C:\Users\Admin\AppData\Local\Temp\e5772ce.exe | PID:1996
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e5794be.exe | C:\Users\Admin\AppData\Local\Temp\e5794be.exe | PID:2428
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3632
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3848
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3940
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4000
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4088
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3844
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4116
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1040
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1968
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: c7d941c6e0e888e64bb3ed30dd61782b
  SHA1: 3ab1460dc288539d70d55304933b1f96ec88e4ad
  SHA256: 98eea928e83630c832cb13e989a4897739ff97829a4a1b7a50b42f9dacb0c5b7
  SHA512: e7669401c7c695344ef4ffcee84ae633d66f0b22159b5e80f319c26d316404d7e1c8be494f083eb46fa11a3ca836391b4288a925cd4c3f613fd12ddafb01c6e7
- Filesize: 257B
  MD5: fec6d17826a1a84a8b721304ae080083
  SHA1: c30383962e571a94d8c02af6a8ff09a769cbadec
  SHA256: f7ddc8056557e5bb89dc2384834027f955427186595d4f49a3143ae2deed25b0
  SHA512: b2c71154e1b44c4bb89abf68a21ad9fa7c343ff34da2ee8f073fb41879db34ffacd93a6d8df2fcbb2132a7189b2cf8b3cbffa05ff6776ece961840ce7563e9d1