Analysis
max time kernel: 97s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 23:11
Static task: static1
Behavioral task: behavioral1
Sample: a19006698c5ba025a6dc155b3738ba2616fe50692dc96de8984d68fb8e38cd7eN.dll
Resource: win7-20241010-en
General
Target: a19006698c5ba025a6dc155b3738ba2616fe50692dc96de8984d68fb8e38cd7eN.dll
Size: 120KB
MD5: 99b348c619b4698238fa89e1f3fabad0
SHA1: f1cfc5816595c0afacab7aeb353734a94018c372
SHA256: a19006698c5ba025a6dc155b3738ba2616fe50692dc96de8984d68fb8e38cd7e
SHA512: f6ef0b14c11592ff38619fe9c70fc21b2e6ba9ed574b9c3eb6a771ebc7dcd3fdde3ee85d09cacb70f216cd1c64de0b5fef3a45bc80f20bebcb572b43a976517c
SSDEEP: 3072:Z5Bll+AaOozzyXp58QM7RTYucpECyddayRqjU1GFiiq9b:jBGp8CQM7xYtErwyc5q9b
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c89f.exe
Sality family

UAC bypass (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f4df.exe
Windows security bypass (18 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c89f.exe
Executes dropped EXE (3 IoCs)
pid | Process
100 | e57c6ea.exe
4668 | e57c89f.exe
4564 | e57f4df.exe
Windows security modification (21 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c6ea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f4df.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c6ea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f4df.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f4df.exe
Checks whether UAC is enabled (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f4df.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57c6ea.exe
File opened (read-only) | \??\K: | e57c6ea.exe
File opened (read-only) | \??\L: | e57c6ea.exe
File opened (read-only) | \??\G: | e57f4df.exe
File opened (read-only) | \??\I: | e57f4df.exe
File opened (read-only) | \??\G: | e57c6ea.exe
File opened (read-only) | \??\H: | e57c6ea.exe
File opened (read-only) | \??\I: | e57c6ea.exe
File opened (read-only) | \??\J: | e57c6ea.exe
File opened (read-only) | \??\M: | e57c6ea.exe
File opened (read-only) | \??\E: | e57f4df.exe
File opened (read-only) | \??\H: | e57f4df.exe
UPX packed file
resource | yara_rule
behavioral2 memory dumps of PID 100 (0x0000000000790000-0x000000000184A000), PID 4668 (0x0000000000B20000-0x0000000001BDA000) and PID 4564 (0x00000000007A0000-0x000000000185A000); repeated dumps of the same region collapsed | upx
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57c6ea.exe
File created | C:\Windows\e5817b9 | e57c89f.exe
File created | C:\Windows\e5820d1 | e57f4df.exe
File created | C:\Windows\e57c757 | e57c6ea.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c6ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c89f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f4df.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs; identical rows collapsed, count in last column)
pid | Process | count
100 | e57c6ea.exe | 4
4564 | e57f4df.exe | 2
Suspicious use of AdjustPrivilegeToken (64 IoCs; identical rows collapsed, count in last column)
description | pid | Process | count
Token: SeDebugPrivilege | 100 | e57c6ea.exe | 64
Suspicious use of WriteProcessMemory (63 IoCs; identical rows collapsed, count in last column)
description | pid | Process | procid_target | count
PID 1948 wrote to memory of 2788 | 1948 | rundll32.exe | 82 | 3
PID 2788 wrote to memory of 100 | 2788 | rundll32.exe | 83 | 3
PID 100 wrote to memory of 780 | 100 | e57c6ea.exe | 8 | 2
PID 100 wrote to memory of 788 | 100 | e57c6ea.exe | 9 | 2
PID 100 wrote to memory of 60 | 100 | e57c6ea.exe | 13 | 2
PID 100 wrote to memory of 2644 | 100 | e57c6ea.exe | 44 | 2
PID 100 wrote to memory of 2680 | 100 | e57c6ea.exe | 45 | 2
PID 100 wrote to memory of 2792 | 100 | e57c6ea.exe | 47 | 2
PID 100 wrote to memory of 3452 | 100 | e57c6ea.exe | 56 | 2
PID 100 wrote to memory of 3588 | 100 | e57c6ea.exe | 57 | 2
PID 100 wrote to memory of 3780 | 100 | e57c6ea.exe | 58 | 2
PID 100 wrote to memory of 3876 | 100 | e57c6ea.exe | 59 | 2
PID 100 wrote to memory of 3940 | 100 | e57c6ea.exe | 60 | 2
PID 100 wrote to memory of 4020 | 100 | e57c6ea.exe | 61 | 2
PID 100 wrote to memory of 2960 | 100 | e57c6ea.exe | 62 | 2
PID 100 wrote to memory of 4396 | 100 | e57c6ea.exe | 75 | 2
PID 100 wrote to memory of 1624 | 100 | e57c6ea.exe | 76 | 2
PID 100 wrote to memory of 1948 | 100 | e57c6ea.exe | 81 | 2
PID 100 wrote to memory of 2788 | 100 | e57c6ea.exe | 82 | 2
PID 2788 wrote to memory of 4668 | 2788 | rundll32.exe | 84 | 3
PID 100 wrote to memory of 4668 | 100 | e57c6ea.exe | 84 | 2
PID 2788 wrote to memory of 4564 | 2788 | rundll32.exe | 85 | 3
PID 4564 wrote to memory of 780 | 4564 | e57f4df.exe | 8 | 1
PID 4564 wrote to memory of 788 | 4564 | e57f4df.exe | 9 | 1
PID 4564 wrote to memory of 60 | 4564 | e57f4df.exe | 13 | 1
PID 4564 wrote to memory of 2644 | 4564 | e57f4df.exe | 44 | 1
PID 4564 wrote to memory of 2680 | 4564 | e57f4df.exe | 45 | 1
PID 4564 wrote to memory of 2792 | 4564 | e57f4df.exe | 47 | 1
PID 4564 wrote to memory of 3452 | 4564 | e57f4df.exe | 56 | 1
PID 4564 wrote to memory of 3588 | 4564 | e57f4df.exe | 57 | 1
PID 4564 wrote to memory of 3780 | 4564 | e57f4df.exe | 58 | 1
PID 4564 wrote to memory of 3876 | 4564 | e57f4df.exe | 59 | 1
PID 4564 wrote to memory of 3940 | 4564 | e57f4df.exe | 60 | 1
PID 4564 wrote to memory of 4020 | 4564 | e57f4df.exe | 61 | 1
PID 4564 wrote to memory of 2960 | 4564 | e57f4df.exe | 62 | 1
PID 4564 wrote to memory of 4396 | 4564 | e57f4df.exe | 75 | 1
PID 4564 wrote to memory of 1624 | 4564 | e57f4df.exe | 76 | 1
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c6ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c89f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f4df.exe
Processes
(each entry: image path | command line | PID; indentation shows the parent/child level in the process tree; the signatures a process triggered are listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 60
C:\Windows\system32\sihost.exe | sihost.exe | PID 2644
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2680
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2792
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3452
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a19006698c5ba025a6dc155b3738ba2616fe50692dc96de8984d68fb8e38cd7eN.dll,#1 | PID 1948
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a19006698c5ba025a6dc155b3738ba2616fe50692dc96de8984d68fb8e38cd7eN.dll,#1 | PID 2788
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57c6ea.exe | C:\Users\Admin\AppData\Local\Temp\e57c6ea.exe | PID 100
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57c89f.exe | C:\Users\Admin\AppData\Local\Temp\e57c89f.exe | PID 4668
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57f4df.exe | C:\Users\Admin\AppData\Local\Temp\e57f4df.exe | PID 4564
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3588
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3780
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3876
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3940
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4020
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2960
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4396
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1624
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Dropped file 1
Filesize: 97KB
MD5: b428f56180e65dcfcb10b89c8c61b1ea
SHA1: 9d49d6b4fe25af8dbf017167defeab900c84d1c4
SHA256: f567d14095c3e1a254fa1640f902712f2a9f3b4e0508920ab2826841f8cae068
SHA512: adf97557ea2dfa8106e89e8fc879033ba3f6a83ff23040655fb845e1cb0650be6296f87928fb010b9b4a6be13bc445c3ead9d8eab87f195881f9c117b9efb2ea

Dropped file 2
Filesize: 257B
MD5: 61b2c3c9457f67b68469d4b991ff4f06
SHA1: d9f6901839f63b7542cf4559b24a041c89319063
SHA256: 93fdfa36f5579debf1916602b9af7aeca2e1fdf72c1d70540c1b4df98f175214
SHA512: cd1472f318e875a45cabd0c32252ddef72d82718252b20219f89029b72f88a274237e3c137098464b51f59e744468b06ea08187a08c3a9047a57d57fa8e243c5