Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 10:26
Static task: static1
Behavioral task: behavioral1
Sample: 8b77c7b8ccc0db437f2d33c5c17af0d340d82fefc615af14328cd0186338c0e9N.dll
Resource: win7-20240903-en
General
Target: 8b77c7b8ccc0db437f2d33c5c17af0d340d82fefc615af14328cd0186338c0e9N.dll
Size: 120KB
MD5: 87432b690821ca17f42e05c9cff5af00
SHA1: 8c7044e3eb0dce3cf1784160646abd6d43f2e11c
SHA256: 8b77c7b8ccc0db437f2d33c5c17af0d340d82fefc615af14328cd0186338c0e9
SHA512: 5faac7970d59f4fa7b4d3977d01eae6f14ff19bb8027a0014e1aa8dbe29acf07bd8e4880e3fd487ab6bc86a963ba70160b1200240f48c70aaa526c919a84d5dc
SSDEEP: 1536:WQ2ZqiKFJHPNlBnBVIayZTSBcyhBWpbdtAAxN47lDg1km7S8arfKidvDX1Uw:R2ZSXH1lBsailBrtHxNulDS7SZrf7vL
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ca93.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ca93.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ca93.exe
Executes dropped EXE (4 IoCs)
pid | Process
5020 | e57aeed.exe
2328 | e57b026.exe
3908 | e57ca74.exe
808 | e57ca93.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ca93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57aeed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ca93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57aeed.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ca93.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57aeed.exe
File opened (read-only) | \??\I: | e57aeed.exe
File opened (read-only) | \??\K: | e57aeed.exe
File opened (read-only) | \??\O: | e57aeed.exe
File opened (read-only) | \??\R: | e57aeed.exe
File opened (read-only) | \??\E: | e57aeed.exe
File opened (read-only) | \??\G: | e57aeed.exe
File opened (read-only) | \??\M: | e57aeed.exe
File opened (read-only) | \??\P: | e57aeed.exe
File opened (read-only) | \??\L: | e57aeed.exe
File opened (read-only) | \??\N: | e57aeed.exe
File opened (read-only) | \??\S: | e57aeed.exe
File opened (read-only) | \??\J: | e57aeed.exe
File opened (read-only) | \??\Q: | e57aeed.exe
File opened (read-only) | \??\E: | e57ca93.exe
File opened (read-only) | \??\G: | e57ca93.exe
resource | yara_rule
behavioral2/memory/5020-8-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-13-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-9-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-11-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-10-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-12-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-20-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-21-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-19-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-34-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-37-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-36-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-38-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-39-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-40-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-42-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-43-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-59-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-60-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-62-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-75-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-77-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-79-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-83-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-84-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-85-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-88-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-90-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-93-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-95-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/5020-97-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/808-129-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/808-168-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57aeed.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57aeed.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57aeed.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57aeed.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57af3b | e57aeed.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57aeed.exe
File created | C:\Windows\e57ff20 | e57ca93.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57aeed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b026.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ca74.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ca93.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
5020 | e57aeed.exe
5020 | e57aeed.exe
5020 | e57aeed.exe
5020 | e57aeed.exe
808 | e57ca93.exe
808 | e57ca93.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5020 | e57aeed.exe
(the same row appears 64 times in the report: every entry is SeDebugPrivilege in PID 5020, e57aeed.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4156 wrote to memory of 1520 | 4156 | rundll32.exe | 83
PID 4156 wrote to memory of 1520 | 4156 | rundll32.exe | 83
PID 4156 wrote to memory of 1520 | 4156 | rundll32.exe | 83
PID 1520 wrote to memory of 5020 | 1520 | rundll32.exe | 84
PID 1520 wrote to memory of 5020 | 1520 | rundll32.exe | 84
PID 1520 wrote to memory of 5020 | 1520 | rundll32.exe | 84
PID 5020 wrote to memory of 776 | 5020 | e57aeed.exe | 8
PID 5020 wrote to memory of 784 | 5020 | e57aeed.exe | 9
PID 5020 wrote to memory of 384 | 5020 | e57aeed.exe | 13
PID 5020 wrote to memory of 2932 | 5020 | e57aeed.exe | 50
PID 5020 wrote to memory of 2948 | 5020 | e57aeed.exe | 51
PID 5020 wrote to memory of 392 | 5020 | e57aeed.exe | 53
PID 5020 wrote to memory of 3392 | 5020 | e57aeed.exe | 56
PID 5020 wrote to memory of 3532 | 5020 | e57aeed.exe | 57
PID 5020 wrote to memory of 3732 | 5020 | e57aeed.exe | 58
PID 5020 wrote to memory of 3836 | 5020 | e57aeed.exe | 59
PID 5020 wrote to memory of 3900 | 5020 | e57aeed.exe | 60
PID 5020 wrote to memory of 3984 | 5020 | e57aeed.exe | 61
PID 5020 wrote to memory of 3816 | 5020 | e57aeed.exe | 62
PID 5020 wrote to memory of 592 | 5020 | e57aeed.exe | 74
PID 5020 wrote to memory of 4532 | 5020 | e57aeed.exe | 76
PID 5020 wrote to memory of 2660 | 5020 | e57aeed.exe | 81
PID 5020 wrote to memory of 4156 | 5020 | e57aeed.exe | 82
PID 5020 wrote to memory of 1520 | 5020 | e57aeed.exe | 83
PID 5020 wrote to memory of 1520 | 5020 | e57aeed.exe | 83
PID 1520 wrote to memory of 2328 | 1520 | rundll32.exe | 85
PID 1520 wrote to memory of 2328 | 1520 | rundll32.exe | 85
PID 1520 wrote to memory of 2328 | 1520 | rundll32.exe | 85
PID 1520 wrote to memory of 3908 | 1520 | rundll32.exe | 87
PID 1520 wrote to memory of 3908 | 1520 | rundll32.exe | 87
PID 1520 wrote to memory of 3908 | 1520 | rundll32.exe | 87
PID 1520 wrote to memory of 808 | 1520 | rundll32.exe | 88
PID 1520 wrote to memory of 808 | 1520 | rundll32.exe | 88
PID 1520 wrote to memory of 808 | 1520 | rundll32.exe | 88
PID 5020 wrote to memory of 776 | 5020 | e57aeed.exe | 8
PID 5020 wrote to memory of 784 | 5020 | e57aeed.exe | 9
PID 5020 wrote to memory of 384 | 5020 | e57aeed.exe | 13
PID 5020 wrote to memory of 2932 | 5020 | e57aeed.exe | 50
PID 5020 wrote to memory of 2948 | 5020 | e57aeed.exe | 51
PID 5020 wrote to memory of 392 | 5020 | e57aeed.exe | 53
PID 5020 wrote to memory of 3392 | 5020 | e57aeed.exe | 56
PID 5020 wrote to memory of 3532 | 5020 | e57aeed.exe | 57
PID 5020 wrote to memory of 3732 | 5020 | e57aeed.exe | 58
PID 5020 wrote to memory of 3836 | 5020 | e57aeed.exe | 59
PID 5020 wrote to memory of 3900 | 5020 | e57aeed.exe | 60
PID 5020 wrote to memory of 3984 | 5020 | e57aeed.exe | 61
PID 5020 wrote to memory of 3816 | 5020 | e57aeed.exe | 62
PID 5020 wrote to memory of 592 | 5020 | e57aeed.exe | 74
PID 5020 wrote to memory of 4532 | 5020 | e57aeed.exe | 76
PID 5020 wrote to memory of 2328 | 5020 | e57aeed.exe | 85
PID 5020 wrote to memory of 2328 | 5020 | e57aeed.exe | 85
PID 5020 wrote to memory of 3908 | 5020 | e57aeed.exe | 87
PID 5020 wrote to memory of 3908 | 5020 | e57aeed.exe | 87
PID 5020 wrote to memory of 808 | 5020 | e57aeed.exe | 88
PID 5020 wrote to memory of 808 | 5020 | e57aeed.exe | 88
PID 808 wrote to memory of 776 | 808 | e57ca93.exe | 8
PID 808 wrote to memory of 784 | 808 | e57ca93.exe | 9
PID 808 wrote to memory of 384 | 808 | e57ca93.exe | 13
PID 808 wrote to memory of 2932 | 808 | e57ca93.exe | 50
PID 808 wrote to memory of 2948 | 808 | e57ca93.exe | 51
PID 808 wrote to memory of 392 | 808 | e57ca93.exe | 53
PID 808 wrote to memory of 3392 | 808 | e57ca93.exe | 56
PID 808 wrote to memory of 3532 | 808 | e57ca93.exe | 57
PID 808 wrote to memory of 3732 | 808 | e57ca93.exe | 58
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aeed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ca93.exe
Processes
(tree level shown in brackets; child processes are indented under their parent)

[1] C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 776

[1] C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 784

[1] C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 384

[1] C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2932

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2948

[1] C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 392

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3392

[2] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b77c7b8ccc0db437f2d33c5c17af0d340d82fefc615af14328cd0186338c0e9N.dll,#1
    signatures:
    - Suspicious use of WriteProcessMemory
    PID: 4156

    [3] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b77c7b8ccc0db437f2d33c5c17af0d340d82fefc615af14328cd0186338c0e9N.dll,#1
        signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1520

        [4] C:\Users\Admin\AppData\Local\Temp\e57aeed.exe
            command line: C:\Users\Admin\AppData\Local\Temp\e57aeed.exe
            signatures:
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 5020

        [4] C:\Users\Admin\AppData\Local\Temp\e57b026.exe
            command line: C:\Users\Admin\AppData\Local\Temp\e57b026.exe
            signatures:
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 2328

        [4] C:\Users\Admin\AppData\Local\Temp\e57ca74.exe
            command line: C:\Users\Admin\AppData\Local\Temp\e57ca74.exe
            signatures:
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 3908

        [4] C:\Users\Admin\AppData\Local\Temp\e57ca93.exe
            command line: C:\Users\Admin\AppData\Local\Temp\e57ca93.exe
            signatures:
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 808

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3532

[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3732

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3836

[1] C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3900

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 3984

[1] C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3816

[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 592

[1] C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4532

[1] C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID: 2660
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: e2f1958c3893d900fe3888527f14fd7a
SHA1: a9d854430a5d4b5b394fb859f78b4ff9e3ab137a
SHA256: d4a3e733a7343714eea5497a317599d31783b87dac980ed77cc2d2d4e95d7303
SHA512: b2fcecee9bd69936e0b999a4aef57269409c3a894bad97d78eb0ec4188992b1f74cfe2c9c14ebebb4c00d51f7676ac9781fb31bbb4f2c7c6cc954a3b56c1fe10
-
Filesize: 257B
MD5: 930f70f1ade48e88a498b45d52f3dbfe
SHA1: e9515d1376a17473fcfcd9706dc674f6580f131d
SHA256: 6bb6150b3c221a608ffe58f626fb1d48264481a104c0389dc25c65bf6cc75441
SHA512: 216048094f12c8646e8438e476e35777ff78e9d4b8c0e16dbdc1ec5eac89c750e6093dda8259543ddfd517d7bbf5c17d2452c82ab15cbe4df9cf8eec2164b80b