Analysis
Max time kernel: 120s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 07-12-2024 12:12
Static task: static1
Behavioral task: behavioral1
Sample: d262e31f7064b37c64074f3efdf5d4e7_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: d262e31f7064b37c64074f3efdf5d4e7_JaffaCakes118.dll
Size: 120KB
MD5: d262e31f7064b37c64074f3efdf5d4e7
SHA1: 481888d41074773eb6895f6e29f0b330a6c68299
SHA256: 66cf90b846d0281d98709495a6bf53b67ab2d34f7fbbe39a9109e8cbbd73b16c
SHA512: bdb05dff21cdc7cdb06ac36c68b80fb2dc81c5508dfd56051e087b526f5ba11d5c5072ac30f8bbd483ec879602af4720efb41b2f7b1445026311d0f391c9d483
SSDEEP: 3072:wNRl36AZXorwnVNnHvXmdZIP7CB7dJ8hq:ARlDPOLIGBdJ
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family

UAC bypass
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Executes dropped EXE (3 IoCs)
- PID 2448: f76f7b7.exe
- PID 2176: f76fa94.exe
- PID 960: f772a99.exe

Loads dropped DLL (6 IoCs)
- PID 1580: rundll32.exe
- PID 1580: rundll32.exe
- PID 1580: rundll32.exe
- PID 1580: rundll32.exe
- PID 1580: rundll32.exe
- PID 1580: rundll32.exe
Windows security modification
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- f772a99.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- f76f7b7.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- f76fa94.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"

Checks whether UAC is enabled
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- f76f7b7.exe: File opened (read-only) \??\I:
- f76f7b7.exe: File opened (read-only) \??\L:
- f76f7b7.exe: File opened (read-only) \??\S:
- f76f7b7.exe: File opened (read-only) \??\G:
- f76f7b7.exe: File opened (read-only) \??\J:
- f76f7b7.exe: File opened (read-only) \??\N:
- f76f7b7.exe: File opened (read-only) \??\Q:
- f772a99.exe: File opened (read-only) \??\E:
- f772a99.exe: File opened (read-only) \??\I:
- f76f7b7.exe: File opened (read-only) \??\E:
- f76f7b7.exe: File opened (read-only) \??\H:
- f76f7b7.exe: File opened (read-only) \??\P:
- f772a99.exe: File opened (read-only) \??\G:
- f772a99.exe: File opened (read-only) \??\H:
- f76f7b7.exe: File opened (read-only) \??\K:
- f76f7b7.exe: File opened (read-only) \??\M:
- f76f7b7.exe: File opened (read-only) \??\O:
- f76f7b7.exe: File opened (read-only) \??\R:
Drops file in Windows directory (4 IoCs)
- f772a99.exe: File created C:\Windows\f775457
- f76f7b7.exe: File created C:\Windows\f76f872
- f76f7b7.exe: File opened for modification C:\Windows\SYSTEM.INI
- f76fa94.exe: File created C:\Windows\f7749cc
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- f76fa94.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- f772a99.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- rundll32.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- f76f7b7.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2448: f76f7b7.exe
- PID 2448: f76f7b7.exe
- PID 2176: f76fa94.exe
- PID 960: f772a99.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (43 IoCs)
- PID 2684 (rundll32.exe) wrote to memory of 1580 (procid_target 30)
- PID 2684 (rundll32.exe) wrote to memory of 1580 (procid_target 30)
- PID 2684 (rundll32.exe) wrote to memory of 1580 (procid_target 30)
- PID 2684 (rundll32.exe) wrote to memory of 1580 (procid_target 30)
- PID 2684 (rundll32.exe) wrote to memory of 1580 (procid_target 30)
- PID 2684 (rundll32.exe) wrote to memory of 1580 (procid_target 30)
- PID 2684 (rundll32.exe) wrote to memory of 1580 (procid_target 30)
- PID 1580 (rundll32.exe) wrote to memory of 2448 (procid_target 31)
- PID 1580 (rundll32.exe) wrote to memory of 2448 (procid_target 31)
- PID 1580 (rundll32.exe) wrote to memory of 2448 (procid_target 31)
- PID 1580 (rundll32.exe) wrote to memory of 2448 (procid_target 31)
- PID 2448 (f76f7b7.exe) wrote to memory of 1064 (procid_target 18)
- PID 2448 (f76f7b7.exe) wrote to memory of 1112 (procid_target 19)
- PID 2448 (f76f7b7.exe) wrote to memory of 1152 (procid_target 20)
- PID 2448 (f76f7b7.exe) wrote to memory of 1472 (procid_target 25)
- PID 2448 (f76f7b7.exe) wrote to memory of 2684 (procid_target 29)
- PID 2448 (f76f7b7.exe) wrote to memory of 1580 (procid_target 30)
- PID 2448 (f76f7b7.exe) wrote to memory of 1580 (procid_target 30)
- PID 1580 (rundll32.exe) wrote to memory of 2176 (procid_target 32)
- PID 1580 (rundll32.exe) wrote to memory of 2176 (procid_target 32)
- PID 1580 (rundll32.exe) wrote to memory of 2176 (procid_target 32)
- PID 1580 (rundll32.exe) wrote to memory of 2176 (procid_target 32)
- PID 2448 (f76f7b7.exe) wrote to memory of 1064 (procid_target 18)
- PID 2448 (f76f7b7.exe) wrote to memory of 1112 (procid_target 19)
- PID 2448 (f76f7b7.exe) wrote to memory of 1152 (procid_target 20)
- PID 2448 (f76f7b7.exe) wrote to memory of 1472 (procid_target 25)
- PID 2448 (f76f7b7.exe) wrote to memory of 2684 (procid_target 29)
- PID 2448 (f76f7b7.exe) wrote to memory of 2176 (procid_target 32)
- PID 2448 (f76f7b7.exe) wrote to memory of 2176 (procid_target 32)
- PID 1580 (rundll32.exe) wrote to memory of 960 (procid_target 33)
- PID 1580 (rundll32.exe) wrote to memory of 960 (procid_target 33)
- PID 1580 (rundll32.exe) wrote to memory of 960 (procid_target 33)
- PID 1580 (rundll32.exe) wrote to memory of 960 (procid_target 33)
- PID 2176 (f76fa94.exe) wrote to memory of 1064 (procid_target 18)
- PID 2176 (f76fa94.exe) wrote to memory of 1112 (procid_target 19)
- PID 2176 (f76fa94.exe) wrote to memory of 1152 (procid_target 20)
- PID 2176 (f76fa94.exe) wrote to memory of 1472 (procid_target 25)
- PID 2176 (f76fa94.exe) wrote to memory of 960 (procid_target 33)
- PID 2176 (f76fa94.exe) wrote to memory of 960 (procid_target 33)
- PID 960 (f772a99.exe) wrote to memory of 1064 (procid_target 18)
- PID 960 (f772a99.exe) wrote to memory of 1112 (procid_target 19)
- PID 960 (f772a99.exe) wrote to memory of 1152 (procid_target 20)
- PID 960 (f772a99.exe) wrote to memory of 1472 (procid_target 25)
System policy modification (1 TTPs, 3 IoCs)
- f772a99.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- f76f7b7.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- f76fa94.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\taskhost.exe, command line: "taskhost.exe" (PID 1064)
- C:\Windows\system32\Dwm.exe, command line: "C:\Windows\system32\Dwm.exe" (PID 1112)
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE (PID 1152)
  - C:\Windows\system32\rundll32.exe, command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d262e31f7064b37c64074f3efdf5d4e7_JaffaCakes118.dll,#1 (PID 2684)
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe, command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d262e31f7064b37c64074f3efdf5d4e7_JaffaCakes118.dll,#1 (PID 1580)
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f76f7b7.exe, command line: C:\Users\Admin\AppData\Local\Temp\f76f7b7.exe (PID 2448)
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76fa94.exe, command line: C:\Users\Admin\AppData\Local\Temp\f76fa94.exe (PID 2176)
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f772a99.exe, command line: C:\Users\Admin\AppData\Local\Temp\f772a99.exe (PID 960)
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 1472)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- File 1
  Filesize: 97KB
  MD5: 59081f2005da71b498d6a783b7d9c54c
  SHA1: 99b68e5b7ca78f01540879ce611ceb73f63185e4
  SHA256: 67c78e27814f430eeab6c0d6d3994b01424874ce352581fa172b0082e235657f
  SHA512: 82cccf287fe66ff101d566a73722da9064b2cae3d527c9334ecb2d03f21354b168c6a5c0edb3f308e9c671fdb779d4e58070bbab7b6de7014763399897d74c67
- File 2
  Filesize: 257B
  MD5: b331ed5140013b657a72f48a4897f8d3
  SHA1: be2623120a1f167889d335fb22c85aaf04873380
  SHA256: 4eee9cb1d88105fddcc84a689a3872d96488a75cdb1eb5a820789dde4a197e06
  SHA512: c16044af222b59c1a6be662c138b1a1c7ed594ffa1e4c7cf4388665af47ffff9ac0b10d0980eb89b292d83ae851d16498fe66cf16235373b25e691cd40194e41