Analysis

max time kernel: 96s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 18:47

Static task: static1
Behavioral task: behavioral1
Sample: 828b3e51a078e50aaacf8ca7a38a0525a7dd4879ad57292a34c33abdef528aa8N.dll
Resource: win7-20240708-en
General

Target: 828b3e51a078e50aaacf8ca7a38a0525a7dd4879ad57292a34c33abdef528aa8N.dll
Size: 120KB
MD5: 478462e13bbcfd34b17dac66c3f0e450
SHA1: bbc1ac5efb239dce722ce3750755249e7a47c06a
SHA256: 828b3e51a078e50aaacf8ca7a38a0525a7dd4879ad57292a34c33abdef528aa8
SHA512: cdb71aa86b03b834bdcd4353d307c7babcfb06e9697e5f8b5f894ec6ff44faa35ab244b48a4faaaa430610f5a665525d746b44c40ad6ba0b463432e84840bbd6
SSDEEP: 3072:Q8VwIhJx55iUC9A2230Dur8mstHmqmz1:bBA230c87mqQ1
Malware Config

Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5f98af.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f98af.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f98af.exe
Executes dropped EXE 4 IoCs
pid | Process
4372 | e5f7d57.exe
5032 | e5f7e41.exe
3048 | e5f989f.exe
3652 | e5f98af.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f7d57.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f98af.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f7d57.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f98af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f7d57.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e5f7d57.exe
File opened (read-only) | \??\H: | e5f7d57.exe
File opened (read-only) | \??\K: | e5f7d57.exe
File opened (read-only) | \??\O: | e5f7d57.exe
File opened (read-only) | \??\J: | e5f7d57.exe
File opened (read-only) | \??\Q: | e5f7d57.exe
File opened (read-only) | \??\S: | e5f7d57.exe
File opened (read-only) | \??\E: | e5f98af.exe
File opened (read-only) | \??\E: | e5f7d57.exe
File opened (read-only) | \??\L: | e5f7d57.exe
File opened (read-only) | \??\M: | e5f7d57.exe
File opened (read-only) | \??\I: | e5f7d57.exe
File opened (read-only) | \??\N: | e5f7d57.exe
File opened (read-only) | \??\P: | e5f7d57.exe
File opened (read-only) | \??\R: | e5f7d57.exe

resource | yara_rule
behavioral2/memory/4372-8-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-11-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-21-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-31-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-23-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-12-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-20-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-22-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-10-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-9-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-35-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-36-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-37-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-38-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-39-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-41-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-42-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-55-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-57-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-59-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-73-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-74-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-77-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-80-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-83-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-84-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-85-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-87-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-90-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-91-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/4372-108-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3652-131-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/3652-168-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5f7d57.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5f7d57.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5f7d57.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e5f7d57.exe

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5f7dc4 | e5f7d57.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5f7d57.exe
File created | C:\Windows\e5fcdb9 | e5f98af.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f7d57.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f7e41.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f989f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f98af.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4372 | e5f7d57.exe
4372 | e5f7d57.exe
4372 | e5f7d57.exe
4372 | e5f7d57.exe
3652 | e5f98af.exe
3652 | e5f98af.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4372 | e5f7d57.exe
(the row above is reported 64 times, all identical)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2384 wrote to memory of 5044 | 2384 | rundll32.exe | 82
PID 2384 wrote to memory of 5044 | 2384 | rundll32.exe | 82
PID 2384 wrote to memory of 5044 | 2384 | rundll32.exe | 82
PID 5044 wrote to memory of 4372 | 5044 | rundll32.exe | 83
PID 5044 wrote to memory of 4372 | 5044 | rundll32.exe | 83
PID 5044 wrote to memory of 4372 | 5044 | rundll32.exe | 83
PID 4372 wrote to memory of 776 | 4372 | e5f7d57.exe | 8
PID 4372 wrote to memory of 772 | 4372 | e5f7d57.exe | 9
PID 4372 wrote to memory of 316 | 4372 | e5f7d57.exe | 13
PID 4372 wrote to memory of 2248 | 4372 | e5f7d57.exe | 49
PID 4372 wrote to memory of 2752 | 4372 | e5f7d57.exe | 50
PID 4372 wrote to memory of 2668 | 4372 | e5f7d57.exe | 51
PID 4372 wrote to memory of 3464 | 4372 | e5f7d57.exe | 54
PID 4372 wrote to memory of 3596 | 4372 | e5f7d57.exe | 55
PID 4372 wrote to memory of 3772 | 4372 | e5f7d57.exe | 56
PID 4372 wrote to memory of 3864 | 4372 | e5f7d57.exe | 57
PID 4372 wrote to memory of 3924 | 4372 | e5f7d57.exe | 58
PID 4372 wrote to memory of 4016 | 4372 | e5f7d57.exe | 59
PID 4372 wrote to memory of 3592 | 4372 | e5f7d57.exe | 60
PID 4372 wrote to memory of 4996 | 4372 | e5f7d57.exe | 75
PID 4372 wrote to memory of 4364 | 4372 | e5f7d57.exe | 76
PID 4372 wrote to memory of 2384 | 4372 | e5f7d57.exe | 81
PID 4372 wrote to memory of 5044 | 4372 | e5f7d57.exe | 82
PID 4372 wrote to memory of 5044 | 4372 | e5f7d57.exe | 82
PID 5044 wrote to memory of 5032 | 5044 | rundll32.exe | 84
PID 5044 wrote to memory of 5032 | 5044 | rundll32.exe | 84
PID 5044 wrote to memory of 5032 | 5044 | rundll32.exe | 84
PID 5044 wrote to memory of 3048 | 5044 | rundll32.exe | 88
PID 5044 wrote to memory of 3048 | 5044 | rundll32.exe | 88
PID 5044 wrote to memory of 3048 | 5044 | rundll32.exe | 88
PID 5044 wrote to memory of 3652 | 5044 | rundll32.exe | 89
PID 5044 wrote to memory of 3652 | 5044 | rundll32.exe | 89
PID 5044 wrote to memory of 3652 | 5044 | rundll32.exe | 89
PID 4372 wrote to memory of 776 | 4372 | e5f7d57.exe | 8
PID 4372 wrote to memory of 772 | 4372 | e5f7d57.exe | 9
PID 4372 wrote to memory of 316 | 4372 | e5f7d57.exe | 13
PID 4372 wrote to memory of 2248 | 4372 | e5f7d57.exe | 49
PID 4372 wrote to memory of 2752 | 4372 | e5f7d57.exe | 50
PID 4372 wrote to memory of 2668 | 4372 | e5f7d57.exe | 51
PID 4372 wrote to memory of 3464 | 4372 | e5f7d57.exe | 54
PID 4372 wrote to memory of 3596 | 4372 | e5f7d57.exe | 55
PID 4372 wrote to memory of 3772 | 4372 | e5f7d57.exe | 56
PID 4372 wrote to memory of 3864 | 4372 | e5f7d57.exe | 57
PID 4372 wrote to memory of 3924 | 4372 | e5f7d57.exe | 58
PID 4372 wrote to memory of 4016 | 4372 | e5f7d57.exe | 59
PID 4372 wrote to memory of 3592 | 4372 | e5f7d57.exe | 60
PID 4372 wrote to memory of 4996 | 4372 | e5f7d57.exe | 75
PID 4372 wrote to memory of 4364 | 4372 | e5f7d57.exe | 76
PID 4372 wrote to memory of 5032 | 4372 | e5f7d57.exe | 84
PID 4372 wrote to memory of 5032 | 4372 | e5f7d57.exe | 84
PID 4372 wrote to memory of 3048 | 4372 | e5f7d57.exe | 88
PID 4372 wrote to memory of 3048 | 4372 | e5f7d57.exe | 88
PID 4372 wrote to memory of 3652 | 4372 | e5f7d57.exe | 89
PID 4372 wrote to memory of 3652 | 4372 | e5f7d57.exe | 89
PID 3652 wrote to memory of 776 | 3652 | e5f98af.exe | 8
PID 3652 wrote to memory of 772 | 3652 | e5f98af.exe | 9
PID 3652 wrote to memory of 316 | 3652 | e5f98af.exe | 13
PID 3652 wrote to memory of 2248 | 3652 | e5f98af.exe | 49
PID 3652 wrote to memory of 2752 | 3652 | e5f98af.exe | 50
PID 3652 wrote to memory of 2668 | 3652 | e5f98af.exe | 51
PID 3652 wrote to memory of 3464 | 3652 | e5f98af.exe | 54
PID 3652 wrote to memory of 3596 | 3652 | e5f98af.exe | 55
PID 3652 wrote to memory of 3772 | 3652 | e5f98af.exe | 56
PID 3652 wrote to memory of 3864 | 3652 | e5f98af.exe | 57
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f7d57.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f98af.exe
Processes

Process tree (image path | command line | PID; indentation shows parent/child depth, signatures matched by each process listed beneath it):

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
C:\Windows\system32\sihost.exe | sihost.exe | PID:2248
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2752
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2668
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3464
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\828b3e51a078e50aaacf8ca7a38a0525a7dd4879ad57292a34c33abdef528aa8N.dll,#1 | PID:2384
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\828b3e51a078e50aaacf8ca7a38a0525a7dd4879ad57292a34c33abdef528aa8N.dll,#1 | PID:5044
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e5f7d57.exe | C:\Users\Admin\AppData\Local\Temp\e5f7d57.exe | PID:4372
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5f7e41.exe | C:\Users\Admin\AppData\Local\Temp\e5f7e41.exe | PID:5032
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e5f989f.exe | C:\Users\Admin\AppData\Local\Temp\e5f989f.exe | PID:3048
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e5f98af.exe | C:\Users\Admin\AppData\Local\Temp\e5f98af.exe | PID:3652
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3596
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3772
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3864
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3924
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4016
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3592
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4996
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4364
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: b79230444699fb896deec4e7389644d1
SHA1: 3732ff789bd56cad9e923f832293f60756637308
SHA256: 50de226e4878ce67a7a04a9f309357390a7455d94393bf49ce0bc1d4b710c47b
SHA512: 4e98035d13a876207d2932a87c347baece0d2377372e9ed72dfcef66b900e963310634d322aa24a05905dc59a6200f6b773c35147080b0bf06cb079efb22a676

Filesize: 257B
MD5: 8fd96d4cd12cd4bc8d30a8c3ddd989ae
SHA1: 0cab251c2ceeb1e8d7c75a2c437d449c5153b822
SHA256: 00cc49210e2d2de2e8b888544188b5e9bb2406a921a88389e68b100f0b9cae33
SHA512: 8d4297f7c29af3239f237bdcfcc3521b23cfb4561dc65445e2dd570acbda117dcb3c963aa3eeb3f2eb3cf64d812bcc7921b680f383fd4637f283b1674c3f939f