Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 06:03
Static task: static1
Behavioral task: behavioral1
Sample: 06edaed25a768a3b17d68903f59d5978723cfd41f7a4cce3cb0c49840bd21c8dN.dll
Resource: win7-20240903-en
General
Target: 06edaed25a768a3b17d68903f59d5978723cfd41f7a4cce3cb0c49840bd21c8dN.dll
Size: 120KB
MD5: ed0df65cca87123ae16f46d34d047180
SHA1: a293f52c6a18c91050b8bfbe13b95f29a9cdcd96
SHA256: 06edaed25a768a3b17d68903f59d5978723cfd41f7a4cce3cb0c49840bd21c8d
SHA512: 2f047d6d560ca95fdaff240ba22f481fa56290f28544f34beaa5b208a092fff3dd6d3a369c25d56bda6640a128c9bee42162b95409a623f6084134a990a75fc3
SSDEEP: 3072:KWq52BJcoVCpyTSBTG2y5L1Nsa3eCsKsc+:JqIjVkyTATGN5LMCFM
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57ca26.exe, e57ed9c.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57ca26.exe, e57ed9c.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57ca26.exe, e57ed9c.exe)
Sality family

UAC bypass (heading restored from the process-tree signature list) 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ca26.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ed9c.exe)
Windows security bypass (heading restored from the process-tree signature list) 12 IoCs
Each of the following values is set by both e57ca26.exe and e57ed9c.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Executes dropped EXE 4 IoCs
- PID 3344 e57ca26.exe
- PID 2336 e57cb01.exe
- PID 4908 e57ed8c.exe
- PID 3300 e57ed9c.exe
Windows security modification (heading restored from the process-tree signature list) 14 IoCs
Each of the following operations is performed by both e57ca26.exe and e57ed9c.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled (heading restored from the process-tree signature list) 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ca26.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ed9c.exe)
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P: (e57ca26.exe)
- File opened (read-only) \??\E:, \??\G:, \??\H: (e57ed9c.exe)
Yara rule match: upx 29 IoCs
- behavioral2/memory/3344-N-0x0000000000750000-0x000000000180A000-memory.dmp matched rule upx for dump indices N = 6, 8, 9, 10, 11, 16, 26, 30, 31, 33, 34, 35, 36, 37, 38, 52, 56, 69, 71, 72, 74, 75, 78, 82, 83, 84, 90
- behavioral2/memory/3300-N-0x0000000000B60000-0x0000000001C1A000-memory.dmp matched rule upx for dump indices N = 124, 162
Drops file in Program Files directory 3 IoCs
- File opened for modification C:\Program Files\7-Zip\7z.exe (e57ca26.exe)
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e57ca26.exe)
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e57ca26.exe)
Drops file in Windows directory 3 IoCs
- File created C:\Windows\e57ca84 (e57ca26.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e57ca26.exe)
- File created C:\Windows\e581ad6 (e57ed9c.exe)
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe, e57ca26.exe, e57cb01.exe, e57ed8c.exe, e57ed9c.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 3344 e57ca26.exe (4 entries)
- PID 3300 e57ed9c.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege, PID 3344 e57ca26.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Duplicate entries collapsed; the number in parentheses after each target PID is its procid_target value.
- PID 3296 rundll32.exe wrote to memory of PID 2360 (82)
- PID 2360 rundll32.exe wrote to memory of PIDs 3344 (83), 2336 (84), 4908 (85), 3300 (86)
- PID 3344 e57ca26.exe wrote to memory of PIDs 780 (8), 784 (9), 60 (13), 2492 (42), 2532 (43), 2672 (46), 3436 (56), 3672 (57), 3840 (58), 3932 (59), 4008 (60), 4092 (61), 3872 (62), 3904 (75), 3232 (76), 3296 (81), 2360 (82), 2336 (84), 4908 (85), 3300 (86)
- PID 3300 e57ed9c.exe wrote to memory of PIDs 780 (8), 784 (9), 60 (13), 2492 (42), 2532 (43), 2672 (46), 3436 (56), 3672 (57), 3840 (58), 3932 (59)
System policy modification 1 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ed9c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ca26.exe)
Processes
Each entry gives the image path, the command line in parentheses, the signatures triggered by that process, and its PID; indentation shows the parent/child relationship.
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:780
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:784
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:60
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2492
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2532
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2672
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3436
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\06edaed25a768a3b17d68903f59d5978723cfd41f7a4cce3cb0c49840bd21c8dN.dll,#1) PID:3296
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\06edaed25a768a3b17d68903f59d5978723cfd41f7a4cce3cb0c49840bd21c8dN.dll,#1) PID:2360
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57ca26.exe (C:\Users\Admin\AppData\Local\Temp\e57ca26.exe) PID:3344
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57cb01.exe (C:\Users\Admin\AppData\Local\Temp\e57cb01.exe) PID:2336
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57ed8c.exe (C:\Users\Admin\AppData\Local\Temp\e57ed8c.exe) PID:4908
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57ed9c.exe (C:\Users\Admin\AppData\Local\Temp\e57ed9c.exe) PID:3300
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3672
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3840
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3932
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:4008
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:4092
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3872
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:3904
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3232
Network
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matching signatures.
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: e6d2a6e91fe52643353bf8a173744eda
  SHA1: 4b829916acbf3d4592080c5e7b1625bac20e3ef3
  SHA256: 716b462bbde3398737bea237198d86e00cd41d8ad5d10cd5af22dc008bf8c1b1
  SHA512: 2cfd5ff115add2392bff73767736d72efb4089f08cd9f0b3e2fb9019e8094ee0547683887d247e1afb22b353df2034ed99789d2c7977351e7d3efc8f730191c2
- Filesize: 257B
  MD5: 4b5653deef013227a344ede7a3a68d83
  SHA1: eef43e66ab25f357dd495cf3d9f8eed1b14f46a3
  SHA256: 54c317b70b4427614cfff3d875a4aaf21b5d9173297cb87fcde05ba576182cb8
  SHA512: 3571cbf34daa7799d0456cfe018d034b5fad13122db4d9f2e8b70949beb1895da6bb139ac79ffc4b928f2a61b9642768f2ede8621e3ef081e94e645a7c2b5f5a