Analysis
max time kernel: 116s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 07:53
Static task: static1
Behavioral task: behavioral1
Sample: d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Size: 71KB
MD5: d60139db2a6d23c965fbc6f844d58d44
SHA1: af5ddffc0f6f3433332ceac8ada9ab7906e65729
SHA256: ab50c7a6412399a127f6df559d85bdb7de4e5969611d83b4110d766953082ff0
SHA512: 89f16264493c78659b25b74d3e93b421985ca809f62eeedb1d6c25f997212341997ea2edbf886667a9b263b189252aa11c5f40daab472e7ebda850feb0b255b0
SSDEEP: 1536:hRBqjWBXxJzH18U1q+xAe90GoAlQuCHOagmuI/Fw:hTq6BjzH18NDW0GoAlQbHOjmuui
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Both d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe and f76c929.exe set the following (int) values under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
DisableNotifications = "1"
EnableFirewall = "0"
DoNotAllowExceptions = "0"

Sality family

UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c929.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe

Windows security bypass (12 IoCs)
Both d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe and f76c929.exe set the following (int) values under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center:
AntiVirusOverride = "1"
AntiVirusDisableNotify = "1"
FirewallOverride = "1"
FirewallDisableNotify = "1"
UacDisableNotify = "1"
UpdatesDisableNotify = "1"
Executes dropped EXE (1 IoC)
pid | Process
2064 | f76c929.exe

Loads dropped DLL (2 IoCs)
pid | Process
320 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
320 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe

Windows security modification (14 IoCs)
Both d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe and f76c929.exe, under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center:
Key created: Svc
Set value (int): AntiVirusOverride = "1"
Set value (int): AntiVirusDisableNotify = "1"
Set value (int): FirewallOverride = "1"
Set value (int): FirewallDisableNotify = "1"
Set value (int): UacDisableNotify = "1"
Set value (int): UpdatesDisableNotify = "1"

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c929.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
File opened (read-only) | \??\E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z: (21 drive letters, one IoC each) | f76c929.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | f76c929.exe
File opened for modification | F:\autorun.inf | f76c929.exe

UPX-packed memory regions (yara rule: upx, 26 matches)
behavioral1/memory/2064-N-0x0000000001E70000-0x0000000002F2A000-memory.dmp for N in 18, 19, 20, 21, 22, 24, 25, 26, 27, 51, 57, 58, 59, 60, 61, 63, 64, 65, 67, 70, 86, 87, 89, 222 (24 dumps of PID 2064, f76c929.exe, all covering the same region)
behavioral1/memory/320-N-0x0000000001EE0000-0x0000000002F9A000-memory.dmp for N in 234, 266 (2 dumps of PID 320, d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe)
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | f76c929.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | f76c929.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | f76c929.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | f76c929.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | f76c929.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76c929.exe
File created | C:\Windows\f76c977 | f76c929.exe
File created | C:\Windows\f787916 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c929.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | Process | occurrences
2064 | f76c929.exe | 10
320 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe | 1

Suspicious use of AdjustPrivilegeToken (49 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 2064 | f76c929.exe | 28
Token: SeDebugPrivilege | 320 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe | 21
Suspicious use of WriteProcessMemory (50 IoCs)
pid (Process) | wrote to memory of | procid_target | occurrences
320 (d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe) | 2064 | 30 | 4
2064 (f76c929.exe) | 1112 | 19 | 10
2064 (f76c929.exe) | 1164 | 20 | 10
2064 (f76c929.exe) | 1192 | 21 | 10
2064 (f76c929.exe) | 2036 | 23 | 10
2064 (f76c929.exe) | 320 | 29 | 2
320 (d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe) | 1112 | 19 | 1
320 (d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe) | 1164 | 20 | 1
320 (d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe) | 1192 | 21 | 1
320 (d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe) | 2036 | 23 | 1

System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c929.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
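The signatures above show the same three behaviours from both PID 320 and the dropped PID 2064: a cluster of registry values that switch off UAC, the Windows Firewall and Security Center alerting; autorun.inf written to the root of C: and F:; and WriteProcessMemory into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe. The Python below is an added example, not sandbox output and not code from the Sality authors, that scores constructed Sysmon-style events against exactly that cluster. The event dictionary shape, the thresholds, PID 4100 and setup.exe are assumptions made for the example.

```python
"""Score Sality-style behaviours over constructed Sysmon-like events.
Added example; the event format and thresholds are assumptions."""
import re
from collections import defaultdict

# Registry values this report shows both processes setting, with the data
# that weakens the control. Matched on a lower-cased key suffix so that the
# ControlSet001/CurrentControlSet and Wow6432Node spellings all hit.
IMPAIRING_VALUES = {
    r"\policies\system\enablelua": "0",
    r"\firewallpolicy\standardprofile\enablefirewall": "0",
    r"\firewallpolicy\standardprofile\disablenotifications": "1",
    r"\firewallpolicy\standardprofile\donotallowexceptions": "0",
    r"\security center\antivirusoverride": "1",
    r"\security center\antivirusdisablenotify": "1",
    r"\security center\firewalloverride": "1",
    r"\security center\firewalldisablenotify": "1",
    r"\security center\uacdisablenotify": "1",
    r"\security center\updatesdisablenotify": "1",
}
# Images the dropped EXE wrote into ("wrote to memory of" rows above).
SYSTEM_TARGETS = {"taskhost.exe", "dwm.exe", "explorer.exe", "dllhost.exe"}
# autorun.inf at the root of any volume, e.g. F:\autorun.inf (not deeper paths).
AUTORUN_RE = re.compile(r"^([a-z]):\\autorun\.inf$", re.IGNORECASE)

MIN_IMPAIRED = 3   # installers flip one value; a cluster is the Sality pattern
MIN_TARGETS = 2    # writes into two or more shell/system processes


def impairing_suffix(key, data):
    """Return the matching suffix if (key, data) weakens a control, else None."""
    k = key.lower()
    for suffix, bad in IMPAIRING_VALUES.items():
        if k.endswith(suffix) and str(data) == bad:
            return suffix
    return None


def triage(events):
    """Group evidence per source PID and score it. Returns {pid: summary}."""
    per_pid = defaultdict(lambda: {"image": None, "impaired": set(),
                                   "autorun": set(), "injected": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["type"] == "reg_set":
            hit = impairing_suffix(ev["key"], ev["data"])
            if hit:
                rec["impaired"].add(hit)
        elif ev["type"] == "file_create":
            m = AUTORUN_RE.match(ev["path"])
            if m:
                rec["autorun"].add(m.group(1).upper())
        elif ev["type"] == "proc_write":
            target = ev["target_image"].lower()
            if target in SYSTEM_TARGETS:
                rec["injected"].add(target)

    result = {}
    for pid, rec in per_pid.items():
        indicators = []
        if len(rec["impaired"]) >= MIN_IMPAIRED:
            indicators.append("impair_defenses:%d" % len(rec["impaired"]))
        if rec["autorun"]:
            indicators.append("autorun_inf:" + ",".join(sorted(rec["autorun"])))
        if len(rec["injected"]) >= MIN_TARGETS:
            indicators.append("system_process_injection:%d" % len(rec["injected"]))
        verdict = "malicious" if len(indicators) >= 2 else ("review" if indicators else "clean")
        result[pid] = {"image": rec["image"], "indicators": indicators, "verdict": verdict}
    return result


# Constructed events modelled on this report's IoC rows (not real telemetry).
HKLM = r"\REGISTRY\MACHINE"
SAMPLE_EVENTS = [
    # PID 2064 (f76c929.exe): the full pattern
    {"type": "reg_set", "pid": 2064, "image": "f76c929.exe",
     "key": HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "data": "0"},
    {"type": "reg_set", "pid": 2064, "image": "f76c929.exe",
     "key": HKLM + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "data": "0"},
    {"type": "reg_set", "pid": 2064, "image": "f76c929.exe",
     "key": HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride", "data": "1"},
    {"type": "reg_set", "pid": 2064, "image": "f76c929.exe",
     "key": HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify", "data": "1"},
    {"type": "file_create", "pid": 2064, "image": "f76c929.exe", "path": r"C:\autorun.inf"},
    {"type": "file_create", "pid": 2064, "image": "f76c929.exe", "path": r"F:\autorun.inf"},
    {"type": "proc_write", "pid": 2064, "image": "f76c929.exe", "target_pid": 1112, "target_image": "taskhost.exe"},
    {"type": "proc_write", "pid": 2064, "image": "f76c929.exe", "target_pid": 1164, "target_image": "Dwm.exe"},
    {"type": "proc_write", "pid": 2064, "image": "f76c929.exe", "target_pid": 1192, "target_image": "Explorer.EXE"},
    # PID 4100 (hypothetical setup.exe): silences one firewall notification and
    # ships an autorun.inf inside its own directory, which is not a root drop
    {"type": "reg_set", "pid": 4100, "image": "setup.exe",
     "key": HKLM + r"\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications", "data": "1"},
    {"type": "file_create", "pid": 4100, "image": "setup.exe", "path": r"C:\Program Files\Vendor\autorun.inf"},
]

if __name__ == "__main__":
    for pid, summary in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, summary["image"], summary["verdict"], summary["indicators"])
```

The per-PID grouping matters: each individual row above (one Security Center override, one root autorun.inf, one cross-process write) is something an installer or a shell extension can legitimately produce, and the thresholds are set so that the hypothetical setup.exe scores clean while PID 2064 trips all three categories. The `Checks whether UAC is enabled` signature reads the same EnableLUA value and is not modelled separately.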
Processes

[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID: 1112

[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1164

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1192

  [2] C:\Users\Admin\AppData\Local\Temp\d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe"
      PID: 320
      signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    [3] C:\Users\Admin\AppData\Local\Temp\f76c929.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76c929.exe
        PID: 2064
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 2036
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 209KB
MD5: 0f6f167a1d63d7ac239a2ce640d2ee11
SHA1: 277d20c77bcfa24ece27410e6222fae02c16887d
SHA256: 03673f9b4832b0ae483a51f89c4844949fa6928c5453c6361207f86196dc45ab
SHA512: 38f39e211ec4252df5c3d487954662b2304f71042daa9f9b5afdfe895f8b46e60af567bc5503626584eda3fda181ac7815a9ae36b6445247a8d32cf8c125e533

Filesize: 1.1MB
MD5: c79ae7c2dcdd204edefd63d8da2fb836
SHA1: 2209e0b1192419b06e042c85994671368da68bb8
SHA256: 35076571febec695b0c6ce3584dd220c62d3ebbd811d7d448093e5c6e746ce5f
SHA512: 4f5d6be8279296e1a506dbdbfc8fbf4441cf92ab0dae114f8ec0b409474a1a4a385f38aaf7b884d51fa4e0eb24c7ba64ce06b978e5b958bf00cafd054c29fc0f

Filesize: 296B
MD5: c7032bb74a61e752d56660f51454ca16
SHA1: ad4a7c0c84fa647a2033463f257f0dae20a2bde7
SHA256: b9214f1eaf5d95c0ff38040d349a26d13db342724146a6c060cabb97b5dd654f
SHA512: 0ece0e84dc305592fdf26da6142f2a80db4422032ac52782f04006cfaffc09504f0a5fd9ccd8c333abbf8ec9e616ca3b200d6d8b26dc126f466d080306abf54a

Filesize: 97KB
MD5: 983fdcdc5032fd1fdc998fa3846a93eb
SHA1: 907936183a52d730ac630f8b652f87a1c9311daa
SHA256: a986423b53a5d5de42b0b9e7f176bc032f9e450a4936b6c873b2836559122996
SHA512: 56ba7c7acfdcd399e2e5b2ae10d43ba4fcb4c964a6924fa28e422b0c132766ccec6e5d14a77571a2bfe8b5700fd9a1d78b70ed4f3074e572845dc5edf116cc1c

Filesize: 66KB
MD5: bcf0c446568d477595073685e4d00ac9
SHA1: 6c472d78657957f58814b10b491c4a8a0b2435ec
SHA256: 2b89c377e951919aaf8834702739430578f3073526e52234ffbcb7cbd294ed7e
SHA512: f0b32beb9d55cdb4836aa9a5703d8fde5430482e6862804d712a45b3d1aef8648e470f87dd173eb36195fc6fb6a0dc3eb926d0697babda0d230cbb9a9cf34bcb