Analysis
max time kernel: 33s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 03:43

Static task: static1
Behavioral task: behavioral1
  Sample: d2404a2d29ba0ba5fc4117535ae0fc238272995cb75ca3a3c77d83c2436f1144N.dll
  Resource: win7-20241023-en

General
Target: d2404a2d29ba0ba5fc4117535ae0fc238272995cb75ca3a3c77d83c2436f1144N.dll
Size: 120KB
MD5: dae0c393d38bfb64c0f03c31d3bb0010
SHA1: 2d36ff93b91ac38490904998bbe9b4d9f7f6abf5
SHA256: d2404a2d29ba0ba5fc4117535ae0fc238272995cb75ca3a3c77d83c2436f1144
SHA512: e957e3754fade47f59e50e8d2da7e733d431cfdd69d7b0469ad6717bbb4f1491aea48a7d0449fbed505353b1b4f8b2c7eaf38425d7d775fdaa9e269602a2ce4e
SSDEEP: 3072:R8qKXN25xs7Xzu3smw34bjsaYTKF2az3:CTXQbs7Du3O3MDkkz3
Malware Config
Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Registry values written (description: Set value (int)), grouped by process:
e57dfb1.exe
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
e57ab63.exe
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

Sality family
UAC bypass (heading restored from the signature list in the process tree; the table below is the page's own)
Registry values written (description: Set value (int)), grouped by process:
e57ab63.exe
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
e57dfb1.exe
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass (heading restored from the signature list in the process tree; the table below is the page's own)
Registry values written (description: Set value (int)) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center, grouped by process:
e57ab63.exe
  UpdatesDisableNotify = "1"
  UacDisableNotify = "1"
  AntiVirusOverride = "1"
  AntiVirusDisableNotify = "1"
  FirewallDisableNotify = "1"
  FirewallOverride = "1"
e57dfb1.exe
  AntiVirusDisableNotify = "1"
  FirewallDisableNotify = "1"
  UpdatesDisableNotify = "1"
  AntiVirusOverride = "1"
  FirewallOverride = "1"
  UacDisableNotify = "1"
Executes dropped EXE (4 IoCs)
pid   Process
2600  e57ab63.exe
1560  e57acda.exe
4372  e57dfb1.exe
4056  e57dfd1.exe
Windows security modification (heading restored from the signature list in the process tree; the table below is the page's own)
Registry changes under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center, grouped by process:
e57ab63.exe
  Set value (int)  UpdatesDisableNotify = "1"
  Set value (int)  AntiVirusDisableNotify = "1"
  Set value (int)  FirewallOverride = "1"
  Set value (int)  AntiVirusOverride = "1"
  Set value (int)  FirewallDisableNotify = "1"
  Set value (int)  UacDisableNotify = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
e57dfb1.exe
  Set value (int)  AntiVirusOverride = "1"
  Set value (int)  AntiVirusDisableNotify = "1"
  Set value (int)  UpdatesDisableNotify = "1"
  Set value (int)  UacDisableNotify = "1"
  Set value (int)  FirewallOverride = "1"
  Set value (int)  FirewallDisableNotify = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled (heading restored from the signature list in the process tree; the table below is the page's own)
Registry values written (description: Set value (int)), grouped by process:
e57ab63.exe
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
e57dfb1.exe
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drive roots opened (description: File opened (read-only)), grouped by process:
e57ab63.exe
  \??\I:  \??\J:  \??\M:  \??\G:  \??\H:  \??\L:  \??\E:  \??\K:
e57dfb1.exe
  \??\E:  \??\H:  \??\G:  \??\I:
Yara rule match: upx (memory dumps)
Each resource is a memory dump named behavioral2/memory/<pid>-<n>-<start>-<end>-memory.dmp and matches the yara rule upx:
PID 2600, region 0x00000000007A0000-0x000000000185A000, dumps n = 6, 8, 9, 10, 11, 17, 18, 26, 32, 33, 34, 35, 36, 37, 38, 39, 45, 46, 60, 61, 65, 66, 73, 75, 77 (25 dumps)
PID 4372, region 0x0000000000770000-0x000000000182A000, dumps n = 101, 160 (2 dumps)
Drops file in Windows directory (3 IoCs)
description                    ioc                      Process
File created                   C:\Windows\e580710       e57dfb1.exe
File created                   C:\Windows\e57abb1       e57ab63.exe
File opened for modification   C:\Windows\SYSTEM.INI    e57ab63.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes:
  rundll32.exe
  e57ab63.exe
  e57acda.exe
  e57dfb1.exe
  e57dfd1.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
2600  e57ab63.exe  (4 entries)
4372  e57dfb1.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are identical:
description               pid   Process
Token: SeDebugPrivilege   2600  e57ab63.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each entry records a source PID and process writing to a target PID, with the report's procid_target value; entries are grouped here by source process in the order the report lists them, the procid_target in parentheses, and repeated entries counted.
PID 4852 rundll32.exe wrote to memory of: 4004 (82) x3
PID 4004 rundll32.exe wrote to memory of: 2600 (83) x3
PID 2600 e57ab63.exe wrote to memory of: 780 (8), 788 (9), 316 (13), 2584 (44), 2632 (45), 3032 (52), 3376 (55), 3552 (57), 3776 (58), 3876 (59), 3980 (60), 4076 (61), 4104 (62), 1700 (64), 4140 (76), 4852 (81), 4004 (82) x2
PID 4004 rundll32.exe wrote to memory of: 1560 (84) x3
PID 2600 e57ab63.exe wrote to memory of: 780 (8), 788 (9), 316 (13), 2584 (44), 2632 (45), 3032 (52), 3376 (55), 3552 (57), 3776 (58), 3876 (59), 3980 (60), 4076 (61), 4104 (62), 1700 (64), 4140 (76), 4852 (81), 1560 (84) x2
PID 4004 rundll32.exe wrote to memory of: 4372 (87) x3, 4056 (88) x3
PID 4372 e57dfb1.exe wrote to memory of: 780 (8), 788 (9), 316 (13), 2584 (44), 2632 (45), 3032 (52), 3376 (55), 3552 (57), 3776 (58), 3876 (59), 3980 (60), 4076 (61), 4104 (62)
System policy modification (1 TTPs, 2 IoCs)
Registry values written (description: Set value (int)), grouped by process:
e57ab63.exe
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
e57dfb1.exe
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Each entry gives the image path, the command line and the PID; the report's depth number is shown for nested processes and indentation follows it (top-level system processes are depth 1). Signatures triggered by a process are listed beneath it.

PID 780   C:\Windows\system32\fontdrvhost.exe
          command line: "fontdrvhost.exe"
PID 788   C:\Windows\system32\fontdrvhost.exe
          command line: "fontdrvhost.exe"
PID 316   C:\Windows\system32\dwm.exe
          command line: "dwm.exe"
PID 2584  C:\Windows\system32\sihost.exe
          command line: sihost.exe
PID 2632  C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3032  C:\Windows\system32\taskhostw.exe
          command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3376  C:\Windows\Explorer.EXE
          command line: C:\Windows\Explorer.EXE
  PID 4852  C:\Windows\system32\rundll32.exe  (depth 2)
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2404a2d29ba0ba5fc4117535ae0fc238272995cb75ca3a3c77d83c2436f1144N.dll,#1
            - Suspicious use of WriteProcessMemory
    PID 4004  C:\Windows\SysWOW64\rundll32.exe  (depth 3)
              command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2404a2d29ba0ba5fc4117535ae0fc238272995cb75ca3a3c77d83c2436f1144N.dll,#1
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
      PID 2600  C:\Users\Admin\AppData\Local\Temp\e57ab63.exe  (depth 4)
                command line: C:\Users\Admin\AppData\Local\Temp\e57ab63.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
      PID 1560  C:\Users\Admin\AppData\Local\Temp\e57acda.exe  (depth 4)
                command line: C:\Users\Admin\AppData\Local\Temp\e57acda.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
      PID 4372  C:\Users\Admin\AppData\Local\Temp\e57dfb1.exe  (depth 4)
                command line: C:\Users\Admin\AppData\Local\Temp\e57dfb1.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
      PID 4056  C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe  (depth 4)
                command line: C:\Users\Admin\AppData\Local\Temp\e57dfd1.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
PID 3552  C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3776  C:\Windows\system32\DllHost.exe
          command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3876  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3980  C:\Windows\System32\RuntimeBroker.exe
          command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4076  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4104  C:\Windows\System32\RuntimeBroker.exe
          command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1700  C:\Windows\System32\RuntimeBroker.exe
          command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4140  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
          command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
MITRE ATT&CK Enterprise v15
Tactic, technique and sub-technique, with the number of matching signatures in parentheses:
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 6c0013397a984503aae6021c9d0e7cbc
SHA1: 99d22013ef2d1cd147da91d6110eae30bf64d0da
SHA256: 0be6795b3b317113592a93b82588cecf9bcadb68b4beee9bd0970c8e5cbf51cd
SHA512: 05743bf26bc38fca1992043b9f94401ddf839ecf5a84656fd29ad364939cc28324b733d58cf4d1ec6d822a884abb6c65c2c85093cbb40d9b1464b0de0e1ff3e2

Filesize: 257B
MD5: e0a7f32f12abe8f6aef81a7c25074153
SHA1: 1024041d578a5ade207bf6f37c8ff7803bbaa134
SHA256: 894e874282d248a938013dd06b05c816f2665f1e2413b8582ab16161c2a1c374
SHA512: 92321b680d6a8cb37a849a8f92918587d93c2e8c7e3ef960ef20aaba2404a57631c22f0f75033350b25256ca146630f329bc3189e3fbb4073ee7c5ffad6ff3d0