Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 21:14

Static task: static1
Behavioral task: behavioral1
Sample: bd5cf618924bd297606918336a67ef6d3a5d0015efb5b4388357de2107aadabcN.dll
Resource: win7-20240903-en
General
Target: bd5cf618924bd297606918336a67ef6d3a5d0015efb5b4388357de2107aadabcN.dll
Size: 120KB
MD5: a6e0ef3be175b94f025ea905fe9f3ca0
SHA1: 93110b3d3af3ae366d8611a332b93fa3b7d2898d
SHA256: bd5cf618924bd297606918336a67ef6d3a5d0015efb5b4388357de2107aadabc
SHA512: 6725d31630108ffc95e1a0018e1f4468901e2effe361cb6f162ccb7625bbaf39fc1f00b204423ae39ea09ca867a14765e484b3a06af24826e87c949d4be8e549
SSDEEP: 3072:hCQjI+prbd1+3LtrpCidQ87+2MDu9tDIWgi6:hCQk+pnqhi87+6T
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57dbf8.exe

Sality family

UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c081.exe

Windows security bypass 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dbf8.exe

Executes dropped EXE 4 IoCs
pid | Process
4860 | e57c081.exe
452 | e57c2a4.exe
4976 | e57dbf8.exe
1624 | e57dc08.exe

Windows security modification 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c2a4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c081.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dbf8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c2a4.exe

Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dbf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c2a4.exe

Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | e57c081.exe
File opened (read-only) | \??\E: | e57c081.exe
File opened (read-only) | \??\P: | e57c081.exe
File opened (read-only) | \??\O: | e57c081.exe
File opened (read-only) | \??\M: | e57c081.exe
File opened (read-only) | \??\Q: | e57c081.exe
File opened (read-only) | \??\E: | e57dbf8.exe
File opened (read-only) | \??\G: | e57c081.exe
File opened (read-only) | \??\I: | e57c081.exe
File opened (read-only) | \??\J: | e57c081.exe
File opened (read-only) | \??\L: | e57c081.exe
File opened (read-only) | \??\N: | e57c081.exe
File opened (read-only) | \??\R: | e57c081.exe
File opened (read-only) | \??\S: | e57c081.exe
File opened (read-only) | \??\H: | e57c081.exe

YARA rule matches (31 IoCs)
resource | yara_rule
behavioral2/memory/4860-8-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-10-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-15-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-12-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-14-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-22-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-16-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-13-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-11-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-9-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-37-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-38-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-39-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-40-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-41-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-43-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-44-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-58-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-60-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-61-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-64-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-63-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-80-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-82-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-84-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-85-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-88-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-90-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-92-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/4860-99-0x0000000000880000-0x000000000193A000-memory.dmp | upx
behavioral2/memory/452-121-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx

Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57c081.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57c081.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57c081.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57c081.exe

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57c0b0 | e57c081.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57c081.exe
File created | C:\Windows\e58121c | e57dbf8.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dbf8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dc08.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c081.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c2a4.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4860 | e57c081.exe
4860 | e57c081.exe
4860 | e57c081.exe
4860 | e57c081.exe
4976 | e57dbf8.exe
4976 | e57dbf8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4860 | e57c081.exe (64 identical entries)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed with a ×N count)
PID 4456 wrote to memory of 3616 | 4456 | rundll32.exe | 84 (×3)
PID 3616 wrote to memory of 4860 | 3616 | rundll32.exe | 85 (×3)
PID 4860 wrote to memory of 776 | 4860 | e57c081.exe | 8
PID 4860 wrote to memory of 784 | 4860 | e57c081.exe | 9
PID 4860 wrote to memory of 384 | 4860 | e57c081.exe | 13
PID 4860 wrote to memory of 2556 | 4860 | e57c081.exe | 44
PID 4860 wrote to memory of 2576 | 4860 | e57c081.exe | 45
PID 4860 wrote to memory of 3008 | 4860 | e57c081.exe | 52
PID 4860 wrote to memory of 3436 | 4860 | e57c081.exe | 56
PID 4860 wrote to memory of 3572 | 4860 | e57c081.exe | 57
PID 4860 wrote to memory of 3764 | 4860 | e57c081.exe | 58
PID 4860 wrote to memory of 3852 | 4860 | e57c081.exe | 59
PID 4860 wrote to memory of 3920 | 4860 | e57c081.exe | 60
PID 4860 wrote to memory of 4000 | 4860 | e57c081.exe | 61
PID 4860 wrote to memory of 4152 | 4860 | e57c081.exe | 62
PID 4860 wrote to memory of 4992 | 4860 | e57c081.exe | 74
PID 4860 wrote to memory of 116 | 4860 | e57c081.exe | 76
PID 4860 wrote to memory of 4456 | 4860 | e57c081.exe | 83
PID 4860 wrote to memory of 3616 | 4860 | e57c081.exe | 84 (×2)
PID 3616 wrote to memory of 452 | 3616 | rundll32.exe | 86 (×3)
PID 3616 wrote to memory of 4976 | 3616 | rundll32.exe | 87 (×3)
PID 3616 wrote to memory of 1624 | 3616 | rundll32.exe | 88 (×3)
PID 4860 wrote to memory of 776 | 4860 | e57c081.exe | 8
PID 4860 wrote to memory of 784 | 4860 | e57c081.exe | 9
PID 4860 wrote to memory of 384 | 4860 | e57c081.exe | 13
PID 4860 wrote to memory of 2556 | 4860 | e57c081.exe | 44
PID 4860 wrote to memory of 2576 | 4860 | e57c081.exe | 45
PID 4860 wrote to memory of 3008 | 4860 | e57c081.exe | 52
PID 4860 wrote to memory of 3436 | 4860 | e57c081.exe | 56
PID 4860 wrote to memory of 3572 | 4860 | e57c081.exe | 57
PID 4860 wrote to memory of 3764 | 4860 | e57c081.exe | 58
PID 4860 wrote to memory of 3852 | 4860 | e57c081.exe | 59
PID 4860 wrote to memory of 3920 | 4860 | e57c081.exe | 60
PID 4860 wrote to memory of 4000 | 4860 | e57c081.exe | 61
PID 4860 wrote to memory of 4152 | 4860 | e57c081.exe | 62
PID 4860 wrote to memory of 4992 | 4860 | e57c081.exe | 74
PID 4860 wrote to memory of 116 | 4860 | e57c081.exe | 76
PID 4860 wrote to memory of 452 | 4860 | e57c081.exe | 86 (×2)
PID 4860 wrote to memory of 4976 | 4860 | e57c081.exe | 87 (×2)
PID 4860 wrote to memory of 1624 | 4860 | e57c081.exe | 88 (×2)
PID 4976 wrote to memory of 776 | 4976 | e57dbf8.exe | 8
PID 4976 wrote to memory of 784 | 4976 | e57dbf8.exe | 9
PID 4976 wrote to memory of 384 | 4976 | e57dbf8.exe | 13
PID 4976 wrote to memory of 2556 | 4976 | e57dbf8.exe | 44
PID 4976 wrote to memory of 2576 | 4976 | e57dbf8.exe | 45
PID 4976 wrote to memory of 3008 | 4976 | e57dbf8.exe | 52
PID 4976 wrote to memory of 3436 | 4976 | e57dbf8.exe | 56
PID 4976 wrote to memory of 3572 | 4976 | e57dbf8.exe | 57
PID 4976 wrote to memory of 3764 | 4976 | e57dbf8.exe | 58
PID 4976 wrote to memory of 3852 | 4976 | e57dbf8.exe | 59

System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c081.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c2a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dbf8.exe
Processes
(path | command line | PID; indentation shows the parent/child tree, signatures listed under each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
C:\Windows\system32\sihost.exe | sihost.exe | PID:2556
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2576
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3008
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd5cf618924bd297606918336a67ef6d3a5d0015efb5b4388357de2107aadabcN.dll,#1 | PID:4456
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd5cf618924bd297606918336a67ef6d3a5d0015efb5b4388357de2107aadabcN.dll,#1 | PID:3616
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e57c081.exe | C:\Users\Admin\AppData\Local\Temp\e57c081.exe | PID:4860
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\e57c2a4.exe | C:\Users\Admin\AppData\Local\Temp\e57c2a4.exe | PID:452
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\e57dbf8.exe | C:\Users\Admin\AppData\Local\Temp\e57dbf8.exe | PID:4976
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\e57dc08.exe | C:\Users\Admin\AppData\Local\Temp\e57dc08.exe | PID:1624
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3572
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3764
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3852
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3920
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4000
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4152
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4992
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:116
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 01e2103070da2c8a1ba1db826322b692
SHA1: f6b862d7db0d1ea0e00d0fa822c10f86e8132095
SHA256: 40f1916e6510ac33a1a9ad9e68c0bf3934386446d9144b12aaf16b05e24d90a9
SHA512: 4c900bb0c279ba237b74c18da5b290882f7bf690bfef17615d22abda5205292dc43df9d004cd271b073d282963242efa7b69d878045d2ba595f5b0a6fe981314

Filesize: 257B
MD5: 4a760bdb1af029ba0db540ead1eaa343
SHA1: 39de8235f96cc3a0081a04fc786401d3a6abce72
SHA256: 7e3cfb07a7752f791c3d198a3602da5f3a1f20d9480caa6ff2b6d3ed81e19088
SHA512: 4ec317e445ee96f24820156d5663b00b73a8d8b28ef46d7723e90a52965c513e2c349b2945bbf928c5de8c2244afcc0536151f4e0ecbba67a25aebd13840294c