Analysis
- max time kernel: 95s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2024 08:13

Static task: static1
Behavioral task: behavioral1
Sample: e095a92627d97f748616bcf4643facac_JaffaCakes118.dll
Resource: win7-20240729-en
General
- Target: e095a92627d97f748616bcf4643facac_JaffaCakes118.dll
- Size: 120KB
- MD5: e095a92627d97f748616bcf4643facac
- SHA1: 3b0a78fd998a23fd51f69884e2e294b21ee9e722
- SHA256: 3e5d723d2671fa761cc9fe681929ed6ffd2a4cb9b6f24be0b9f06c8adc15af88
- SHA512: 81c514755449a8eefee5cc04c81efad05734bc582c9e2cc757ae2f2d343e7966b11cc032b4f42ebcc3517a681eb89dd5395cd012451e57b56e525838010c6ccc
- SSDEEP: 3072:xlqdfRCFbxOD0dFONaI4HIpboGCYuWn5OLn/:xno0mNv4opboG+C52/
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5b6974.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b976a.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b976a.exe

Executes dropped EXE (4 IoCs)
pid | Process
3220 | e5b6974.exe
3532 | e5b6c14.exe
1596 | e5b976a.exe
1780 | e5b9799.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b976a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b976a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5b976a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5b6974.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b976a.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e5b6974.exe
File opened (read-only) | \??\J: | e5b6974.exe
File opened (read-only) | \??\L: | e5b6974.exe
File opened (read-only) | \??\M: | e5b6974.exe
File opened (read-only) | \??\E: | e5b976a.exe
File opened (read-only) | \??\H: | e5b976a.exe
File opened (read-only) | \??\E: | e5b6974.exe
File opened (read-only) | \??\H: | e5b6974.exe
File opened (read-only) | \??\I: | e5b6974.exe
File opened (read-only) | \??\K: | e5b6974.exe
File opened (read-only) | \??\N: | e5b6974.exe
File opened (read-only) | \??\G: | e5b976a.exe
File opened (read-only) | \??\I: | e5b976a.exe

Yara rule match: upx
resource | yara_rule
behavioral2/memory/3220-6-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-8-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-19-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-33-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-32-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-34-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-24-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-11-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-9-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-10-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-35-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-36-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-37-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-38-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-39-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-45-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-59-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-62-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-63-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-65-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-66-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-67-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-70-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-72-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3220-75-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/1596-99-0x00000000008B0000-0x000000000196A000-memory.dmp | upx
behavioral2/memory/1596-156-0x00000000008B0000-0x000000000196A000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5bbed8 | e5b976a.exe
File created | C:\Windows\e5b6a11 | e5b6974.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5b6974.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5b6974.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5b6c14.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5b976a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5b9799.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3220 | e5b6974.exe
3220 | e5b6974.exe
3220 | e5b6974.exe
3220 | e5b6974.exe
1596 | e5b976a.exe
1596 | e5b976a.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3220 | e5b6974.exe
(this row is repeated 64 times in the report; every entry is the same token, pid and process)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4456 wrote to memory of 1720 | 4456 | rundll32.exe | 81
PID 4456 wrote to memory of 1720 | 4456 | rundll32.exe | 81
PID 4456 wrote to memory of 1720 | 4456 | rundll32.exe | 81
PID 1720 wrote to memory of 3220 | 1720 | rundll32.exe | 82
PID 1720 wrote to memory of 3220 | 1720 | rundll32.exe | 82
PID 1720 wrote to memory of 3220 | 1720 | rundll32.exe | 82
PID 3220 wrote to memory of 788 | 3220 | e5b6974.exe | 8
PID 3220 wrote to memory of 792 | 3220 | e5b6974.exe | 9
PID 3220 wrote to memory of 376 | 3220 | e5b6974.exe | 13
PID 3220 wrote to memory of 2996 | 3220 | e5b6974.exe | 49
PID 3220 wrote to memory of 3068 | 3220 | e5b6974.exe | 50
PID 3220 wrote to memory of 1052 | 3220 | e5b6974.exe | 51
PID 3220 wrote to memory of 3436 | 3220 | e5b6974.exe | 54
PID 3220 wrote to memory of 3572 | 3220 | e5b6974.exe | 55
PID 3220 wrote to memory of 3752 | 3220 | e5b6974.exe | 56
PID 3220 wrote to memory of 3840 | 3220 | e5b6974.exe | 57
PID 3220 wrote to memory of 3944 | 3220 | e5b6974.exe | 58
PID 3220 wrote to memory of 4028 | 3220 | e5b6974.exe | 59
PID 3220 wrote to memory of 3336 | 3220 | e5b6974.exe | 60
PID 3220 wrote to memory of 2968 | 3220 | e5b6974.exe | 74
PID 3220 wrote to memory of 4384 | 3220 | e5b6974.exe | 75
PID 3220 wrote to memory of 4456 | 3220 | e5b6974.exe | 80
PID 3220 wrote to memory of 1720 | 3220 | e5b6974.exe | 81
PID 3220 wrote to memory of 1720 | 3220 | e5b6974.exe | 81
PID 1720 wrote to memory of 3532 | 1720 | rundll32.exe | 83
PID 1720 wrote to memory of 3532 | 1720 | rundll32.exe | 83
PID 1720 wrote to memory of 3532 | 1720 | rundll32.exe | 83
PID 3220 wrote to memory of 788 | 3220 | e5b6974.exe | 8
PID 3220 wrote to memory of 792 | 3220 | e5b6974.exe | 9
PID 3220 wrote to memory of 376 | 3220 | e5b6974.exe | 13
PID 3220 wrote to memory of 2996 | 3220 | e5b6974.exe | 49
PID 3220 wrote to memory of 3068 | 3220 | e5b6974.exe | 50
PID 3220 wrote to memory of 1052 | 3220 | e5b6974.exe | 51
PID 3220 wrote to memory of 3436 | 3220 | e5b6974.exe | 54
PID 3220 wrote to memory of 3572 | 3220 | e5b6974.exe | 55
PID 3220 wrote to memory of 3752 | 3220 | e5b6974.exe | 56
PID 3220 wrote to memory of 3840 | 3220 | e5b6974.exe | 57
PID 3220 wrote to memory of 3944 | 3220 | e5b6974.exe | 58
PID 3220 wrote to memory of 4028 | 3220 | e5b6974.exe | 59
PID 3220 wrote to memory of 3336 | 3220 | e5b6974.exe | 60
PID 3220 wrote to memory of 2968 | 3220 | e5b6974.exe | 74
PID 3220 wrote to memory of 4384 | 3220 | e5b6974.exe | 75
PID 3220 wrote to memory of 4456 | 3220 | e5b6974.exe | 80
PID 3220 wrote to memory of 3532 | 3220 | e5b6974.exe | 83
PID 3220 wrote to memory of 3532 | 3220 | e5b6974.exe | 83
PID 1720 wrote to memory of 1596 | 1720 | rundll32.exe | 84
PID 1720 wrote to memory of 1596 | 1720 | rundll32.exe | 84
PID 1720 wrote to memory of 1596 | 1720 | rundll32.exe | 84
PID 1720 wrote to memory of 1780 | 1720 | rundll32.exe | 85
PID 1720 wrote to memory of 1780 | 1720 | rundll32.exe | 85
PID 1720 wrote to memory of 1780 | 1720 | rundll32.exe | 85
PID 1596 wrote to memory of 788 | 1596 | e5b976a.exe | 8
PID 1596 wrote to memory of 792 | 1596 | e5b976a.exe | 9
PID 1596 wrote to memory of 376 | 1596 | e5b976a.exe | 13
PID 1596 wrote to memory of 2996 | 1596 | e5b976a.exe | 49
PID 1596 wrote to memory of 3068 | 1596 | e5b976a.exe | 50
PID 1596 wrote to memory of 1052 | 1596 | e5b976a.exe | 51
PID 1596 wrote to memory of 3436 | 1596 | e5b976a.exe | 54
PID 1596 wrote to memory of 3572 | 1596 | e5b976a.exe | 55
PID 1596 wrote to memory of 3752 | 1596 | e5b976a.exe | 56
PID 1596 wrote to memory of 3840 | 1596 | e5b976a.exe | 57
PID 1596 wrote to memory of 3944 | 1596 | e5b976a.exe | 58
PID 1596 wrote to memory of 4028 | 1596 | e5b976a.exe | 59
PID 1596 wrote to memory of 3336 | 1596 | e5b976a.exe | 60
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b6974.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b976a.exe
Processes
Each entry is: path | command line | PID. Indentation shows the depth in the process tree; signatures triggered by a process are listed beneath it.

- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:376
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2996
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3068
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:1052
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e095a92627d97f748616bcf4643facac_JaffaCakes118.dll,#1 | PID:4456
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e095a92627d97f748616bcf4643facac_JaffaCakes118.dll,#1 | PID:1720
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5b6974.exe | C:\Users\Admin\AppData\Local\Temp\e5b6974.exe | PID:3220
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5b6c14.exe | C:\Users\Admin\AppData\Local\Temp\e5b6c14.exe | PID:3532
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e5b976a.exe | C:\Users\Admin\AppData\Local\Temp\e5b976a.exe | PID:1596
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5b9799.exe | C:\Users\Admin\AppData\Local\Temp\e5b9799.exe | PID:1780
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3572
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3840
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3944
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4028
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3336
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2968
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4384
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1); Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: c4df1617d0df36fd155247a6615e6e80
  SHA1: 7c918d4692fcf11a741baf284770ae76622b4288
  SHA256: ba4659a660f39c5861dc61ac9a149ac2e4b7c55d50d88b45fd86b0c5f0ceaba8
  SHA512: 8eb62138d691fbe1c560c7ebda2188aeb9d475b5b2d759214878f44b83fa8ef986d11b2dcbe487d708a864c6c3ab5062e366f5f6a9cff1689066da2a7ca1992a

- Filesize: 257B
  MD5: b731e8c81b18aec83b60a4215e0f8e65
  SHA1: bd4ad77c820f8b0e0875ddba640e33ca83e16885
  SHA256: 857630f2251e912f2b441cba4678eeb32a60505221780a493cd14993a2d2254a
  SHA512: 0254d7817d0f8550612fa5c021879076a601a4dd518d2fe3e4452eace2f2c6b86ea385c4c2bd25602de2afdaa4ead4010b626aefa21c6e2bb572c431db4ac403