Analysis
-
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2024 19:07
Static task: static1
Behavioral task: behavioral1
Sample: 0293d1b458466cfe2feaf63e3539cb384fe739ff05de26a23bbd50104e30877a.dll
Resource: win7-20240903-en
General
-
Target: 0293d1b458466cfe2feaf63e3539cb384fe739ff05de26a23bbd50104e30877a.dll
Size: 120KB
MD5: a15f43c40f63475120c09dffacb5ed83
SHA1: 2008298f678ada46534bba38fd5616c132faa091
SHA256: 0293d1b458466cfe2feaf63e3539cb384fe739ff05de26a23bbd50104e30877a
SHA512: 5b40e70563347fc3e0301a0f6145c2d2ece31a6b4b69b528d44a7e7eeaef04ca71e6f72bf5004a1f372878c1d1a7c69059dfef02083e9a113904e1ae36135493
SSDEEP: 1536:ySWlmUdV8eQhl4ChjQPfZrvVUkyLdvb+ZREn2hXdjp0B8iaxLKY7XQZYjkFw/hgn:ySWlmUdOQPffz6d+U2/iCjQZYYmZg
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76ceb4.exe
-
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b4fd.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ceb4.exe
-
Executes dropped EXE 3 IoCs
pid | Process
2016 | f76b2fa.exe
2752 | f76b4fd.exe
1508 | f76ceb4.exe
-
Loads dropped DLL 6 IoCs
pid | Process
2548 | rundll32.exe
2548 | rundll32.exe
2548 | rundll32.exe
2548 | rundll32.exe
2548 | rundll32.exe
2548 | rundll32.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76ceb4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b4fd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ceb4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b4fd.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ceb4.exe
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76ceb4.exe
File opened (read-only) | \??\H: | f76b2fa.exe
File opened (read-only) | \??\K: | f76b2fa.exe
File opened (read-only) | \??\M: | f76b2fa.exe
File opened (read-only) | \??\O: | f76b2fa.exe
File opened (read-only) | \??\S: | f76b2fa.exe
File opened (read-only) | \??\E: | f76b2fa.exe
File opened (read-only) | \??\J: | f76b2fa.exe
File opened (read-only) | \??\L: | f76b2fa.exe
File opened (read-only) | \??\N: | f76b2fa.exe
File opened (read-only) | \??\P: | f76b2fa.exe
File opened (read-only) | \??\Q: | f76b2fa.exe
File opened (read-only) | \??\R: | f76b2fa.exe
File opened (read-only) | \??\G: | f76b2fa.exe
File opened (read-only) | \??\I: | f76b2fa.exe
-
resource | yara_rule
behavioral1/memory/2016-15-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-18-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-17-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-25-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-22-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-20-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-23-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-24-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-19-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-26-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-67-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-66-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-68-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-69-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-70-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-72-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-74-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-87-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-88-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-91-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-92-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2016-158-0x0000000000650000-0x000000000170A000-memory.dmp | upx
behavioral1/memory/2752-168-0x0000000000A00000-0x0000000001ABA000-memory.dmp | upx
behavioral1/memory/1508-180-0x0000000000A10000-0x0000000001ACA000-memory.dmp | upx
behavioral1/memory/1508-218-0x0000000000A10000-0x0000000001ACA000-memory.dmp | upx
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f76b2fa.exe
File created | C:\Windows\f77036a | f76b4fd.exe
File created | C:\Windows\f7707ae | f76ceb4.exe
File created | C:\Windows\f76b367 | f76b2fa.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b2fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76ceb4.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2016 | f76b2fa.exe
2016 | f76b2fa.exe
1508 | f76ceb4.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2016 | f76b2fa.exe (24 entries)
Token: SeDebugPrivilege | 1508 | f76ceb4.exe (22 entries)
-
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2108 wrote to memory of 2548 | 2108 | rundll32.exe | 30
PID 2108 wrote to memory of 2548 | 2108 | rundll32.exe | 30
PID 2108 wrote to memory of 2548 | 2108 | rundll32.exe | 30
PID 2108 wrote to memory of 2548 | 2108 | rundll32.exe | 30
PID 2108 wrote to memory of 2548 | 2108 | rundll32.exe | 30
PID 2108 wrote to memory of 2548 | 2108 | rundll32.exe | 30
PID 2108 wrote to memory of 2548 | 2108 | rundll32.exe | 30
PID 2548 wrote to memory of 2016 | 2548 | rundll32.exe | 31
PID 2548 wrote to memory of 2016 | 2548 | rundll32.exe | 31
PID 2548 wrote to memory of 2016 | 2548 | rundll32.exe | 31
PID 2548 wrote to memory of 2016 | 2548 | rundll32.exe | 31
PID 2016 wrote to memory of 1116 | 2016 | f76b2fa.exe | 19
PID 2016 wrote to memory of 1160 | 2016 | f76b2fa.exe | 20
PID 2016 wrote to memory of 1196 | 2016 | f76b2fa.exe | 21
PID 2016 wrote to memory of 1608 | 2016 | f76b2fa.exe | 23
PID 2016 wrote to memory of 2108 | 2016 | f76b2fa.exe | 29
PID 2016 wrote to memory of 2548 | 2016 | f76b2fa.exe | 30
PID 2016 wrote to memory of 2548 | 2016 | f76b2fa.exe | 30
PID 2548 wrote to memory of 2752 | 2548 | rundll32.exe | 32
PID 2548 wrote to memory of 2752 | 2548 | rundll32.exe | 32
PID 2548 wrote to memory of 2752 | 2548 | rundll32.exe | 32
PID 2548 wrote to memory of 2752 | 2548 | rundll32.exe | 32
PID 2548 wrote to memory of 1508 | 2548 | rundll32.exe | 34
PID 2548 wrote to memory of 1508 | 2548 | rundll32.exe | 34
PID 2548 wrote to memory of 1508 | 2548 | rundll32.exe | 34
PID 2548 wrote to memory of 1508 | 2548 | rundll32.exe | 34
PID 2016 wrote to memory of 1116 | 2016 | f76b2fa.exe | 19
PID 2016 wrote to memory of 1160 | 2016 | f76b2fa.exe | 20
PID 2016 wrote to memory of 1196 | 2016 | f76b2fa.exe | 21
PID 2016 wrote to memory of 1608 | 2016 | f76b2fa.exe | 23
PID 2016 wrote to memory of 2752 | 2016 | f76b2fa.exe | 32
PID 2016 wrote to memory of 2752 | 2016 | f76b2fa.exe | 32
PID 2016 wrote to memory of 1508 | 2016 | f76b2fa.exe | 34
PID 2016 wrote to memory of 1508 | 2016 | f76b2fa.exe | 34
PID 1508 wrote to memory of 1116 | 1508 | f76ceb4.exe | 19
PID 1508 wrote to memory of 1160 | 1508 | f76ceb4.exe | 20
PID 1508 wrote to memory of 1196 | 1508 | f76ceb4.exe | 21
PID 1508 wrote to memory of 1608 | 1508 | f76ceb4.exe | 23
-
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b2fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b4fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ceb4.exe
Processes
(indentation shows process-tree depth; each entry lists image path, command line, PID, and the signatures attributed to that process)
-
C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID: 1116
-
C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1160
-
C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1196
-
    C:\Windows\system32\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0293d1b458466cfe2feaf63e3539cb384fe739ff05de26a23bbd50104e30877a.dll,#1
        PID: 2108
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0293d1b458466cfe2feaf63e3539cb384fe739ff05de26a23bbd50104e30877a.dll,#1
            PID: 2548
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\f76b2fa.exe
                command line: C:\Users\Admin\AppData\Local\Temp\f76b2fa.exe
                PID: 2016
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\f76b4fd.exe
                command line: C:\Users\Admin\AppData\Local\Temp\f76b4fd.exe
                PID: 2752
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\f76ceb4.exe
                command line: C:\Users\Admin\AppData\Local\Temp\f76ceb4.exe
                PID: 1508
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
-
C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1608
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 6390abb747226971c7f06e95986c949c
SHA1: 86ace88e016f86a8ada8f89d82f4cfb3b9a5cb43
SHA256: 345903c7a74e73c33b5da576dbe79d435e710034db42eb96caa08a5470830309
SHA512: 553da30c7861537a873dd28012901387aa9dbf7576dab6cd9f7c4f5558b91ad32b145cdf6412ae1f05cc9a0008d648d26df6662d7403d1661ef499882bd9902b
-
Filesize: 256B
MD5: 2cf64b4ff0a6517b567c8c76466e9b22
SHA1: 7264ece8ff505661ab9dca61a5f3ad21a2042185
SHA256: 924fdcbb7573d75c01c388e1e2c42248b1f48a26fe9e86615412c3fdd921651e
SHA512: bf5e6955ece2dd96aedabc710fa2811288c210ff0b6a2c869651fc2e4ea5266d81cd93be5d64f050eb4938a93901b19485575deaa2cbd66d15152dc95f864d90