Analysis
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11-12-2024 21:20
Static task
static1
Behavioral task
behavioral1
Sample
4434d84e94dbf07dc5f0bc979998d4f87a9ec055491fae8aeae20e25d5d42029.dll
Resource
win7-20241010-en
General
Target
4434d84e94dbf07dc5f0bc979998d4f87a9ec055491fae8aeae20e25d5d42029.dll
Size
120KB
MD5
3d479fcc0f656b38d72cc7f8c3234a2e
SHA1
4651876f534d77ed68d17096b2f7be75c49c8e8d
SHA256
4434d84e94dbf07dc5f0bc979998d4f87a9ec055491fae8aeae20e25d5d42029
SHA512
cf40eebbb0f755092ae31af0997de8b5bacec2047eb926fc671053cff3ef92b66d9e7149a9dca54b04d02920fe9212590428cc4fe0886dff7ec3dda98f434da3
SSDEEP
3072:2Y2huLKplfZRJHrUqs2seGzIKKGmqp2HBb:+UL8fRpjsbIgzp2F
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ac9b.exe
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac9b.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac9b.exe
Executes dropped EXE 4 IoCs
pid | Process
4372 | e579124.exe
2452 | e57927c.exe
1076 | e57ac9b.exe
2316 | e57acbb.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac9b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579124.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac9b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac9b.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac9b.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e579124.exe
File opened (read-only) | \??\N: | e579124.exe
File opened (read-only) | \??\E: | e57ac9b.exe
File opened (read-only) | \??\H: | e579124.exe
File opened (read-only) | \??\J: | e579124.exe
File opened (read-only) | \??\K: | e579124.exe
File opened (read-only) | \??\O: | e579124.exe
File opened (read-only) | \??\P: | e579124.exe
File opened (read-only) | \??\Q: | e579124.exe
File opened (read-only) | \??\R: | e579124.exe
File opened (read-only) | \??\E: | e579124.exe
File opened (read-only) | \??\L: | e579124.exe
File opened (read-only) | \??\M: | e579124.exe
File opened (read-only) | \??\I: | e579124.exe
File opened (read-only) | \??\S: | e579124.exe
resource | yara_rule
behavioral2/memory/4372-12-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-8-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-10-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-11-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-18-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-20-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-33-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-19-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-9-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-6-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-35-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-36-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-37-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-38-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-40-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-39-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-42-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-43-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-58-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-60-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-61-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-75-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-77-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-80-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-82-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-84-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-86-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-88-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-90-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-91-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4372-94-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/1076-130-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/1076-160-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e579124.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e579124.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e579124.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e579124.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e579124.exe
File created | C:\Windows\e57e1d4 | e57ac9b.exe
File created | C:\Windows\e579182 | e579124.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579124.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57927c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ac9b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57acbb.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4372 | e579124.exe
4372 | e579124.exe
4372 | e579124.exe
4372 | e579124.exe
1076 | e57ac9b.exe
1076 | e57ac9b.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4372 | e579124.exe
(identical row repeated 64 times in the report)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3484 wrote to memory of 3156 | 3484 | rundll32.exe | 82
PID 3484 wrote to memory of 3156 | 3484 | rundll32.exe | 82
PID 3484 wrote to memory of 3156 | 3484 | rundll32.exe | 82
PID 3156 wrote to memory of 4372 | 3156 | rundll32.exe | 83
PID 3156 wrote to memory of 4372 | 3156 | rundll32.exe | 83
PID 3156 wrote to memory of 4372 | 3156 | rundll32.exe | 83
PID 4372 wrote to memory of 776 | 4372 | e579124.exe | 8
PID 4372 wrote to memory of 784 | 4372 | e579124.exe | 9
PID 4372 wrote to memory of 316 | 4372 | e579124.exe | 13
PID 4372 wrote to memory of 2988 | 4372 | e579124.exe | 50
PID 4372 wrote to memory of 3036 | 4372 | e579124.exe | 51
PID 4372 wrote to memory of 1068 | 4372 | e579124.exe | 52
PID 4372 wrote to memory of 3492 | 4372 | e579124.exe | 56
PID 4372 wrote to memory of 3616 | 4372 | e579124.exe | 57
PID 4372 wrote to memory of 3816 | 4372 | e579124.exe | 58
PID 4372 wrote to memory of 3912 | 4372 | e579124.exe | 59
PID 4372 wrote to memory of 3976 | 4372 | e579124.exe | 60
PID 4372 wrote to memory of 4056 | 4372 | e579124.exe | 61
PID 4372 wrote to memory of 4156 | 4372 | e579124.exe | 62
PID 4372 wrote to memory of 1568 | 4372 | e579124.exe | 75
PID 4372 wrote to memory of 5044 | 4372 | e579124.exe | 76
PID 4372 wrote to memory of 3484 | 4372 | e579124.exe | 81
PID 4372 wrote to memory of 3156 | 4372 | e579124.exe | 82
PID 4372 wrote to memory of 3156 | 4372 | e579124.exe | 82
PID 3156 wrote to memory of 2452 | 3156 | rundll32.exe | 84
PID 3156 wrote to memory of 2452 | 3156 | rundll32.exe | 84
PID 3156 wrote to memory of 2452 | 3156 | rundll32.exe | 84
PID 3156 wrote to memory of 1076 | 3156 | rundll32.exe | 85
PID 3156 wrote to memory of 1076 | 3156 | rundll32.exe | 85
PID 3156 wrote to memory of 1076 | 3156 | rundll32.exe | 85
PID 3156 wrote to memory of 2316 | 3156 | rundll32.exe | 86
PID 3156 wrote to memory of 2316 | 3156 | rundll32.exe | 86
PID 3156 wrote to memory of 2316 | 3156 | rundll32.exe | 86
PID 4372 wrote to memory of 776 | 4372 | e579124.exe | 8
PID 4372 wrote to memory of 784 | 4372 | e579124.exe | 9
PID 4372 wrote to memory of 316 | 4372 | e579124.exe | 13
PID 4372 wrote to memory of 2988 | 4372 | e579124.exe | 50
PID 4372 wrote to memory of 3036 | 4372 | e579124.exe | 51
PID 4372 wrote to memory of 1068 | 4372 | e579124.exe | 52
PID 4372 wrote to memory of 3492 | 4372 | e579124.exe | 56
PID 4372 wrote to memory of 3616 | 4372 | e579124.exe | 57
PID 4372 wrote to memory of 3816 | 4372 | e579124.exe | 58
PID 4372 wrote to memory of 3912 | 4372 | e579124.exe | 59
PID 4372 wrote to memory of 3976 | 4372 | e579124.exe | 60
PID 4372 wrote to memory of 4056 | 4372 | e579124.exe | 61
PID 4372 wrote to memory of 4156 | 4372 | e579124.exe | 62
PID 4372 wrote to memory of 1568 | 4372 | e579124.exe | 75
PID 4372 wrote to memory of 5044 | 4372 | e579124.exe | 76
PID 4372 wrote to memory of 2452 | 4372 | e579124.exe | 84
PID 4372 wrote to memory of 2452 | 4372 | e579124.exe | 84
PID 4372 wrote to memory of 1076 | 4372 | e579124.exe | 85
PID 4372 wrote to memory of 1076 | 4372 | e579124.exe | 85
PID 4372 wrote to memory of 2316 | 4372 | e579124.exe | 86
PID 4372 wrote to memory of 2316 | 4372 | e579124.exe | 86
PID 1076 wrote to memory of 776 | 1076 | e57ac9b.exe | 8
PID 1076 wrote to memory of 784 | 1076 | e57ac9b.exe | 9
PID 1076 wrote to memory of 316 | 1076 | e57ac9b.exe | 13
PID 1076 wrote to memory of 2988 | 1076 | e57ac9b.exe | 50
PID 1076 wrote to memory of 3036 | 1076 | e57ac9b.exe | 51
PID 1076 wrote to memory of 1068 | 1076 | e57ac9b.exe | 52
PID 1076 wrote to memory of 3492 | 1076 | e57ac9b.exe | 56
PID 1076 wrote to memory of 3616 | 1076 | e57ac9b.exe | 57
PID 1076 wrote to memory of 3816 | 1076 | e57ac9b.exe | 58
PID 1076 wrote to memory of 3912 | 1076 | e57ac9b.exe | 59
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579124.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac9b.exe
Processes
(each entry: image path, command line, PID; indentation shows the parent/child relationship, with signatures that fired for that process listed beneath it)

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:776

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:784

C:\Windows\system32\dwm.exe  "dwm.exe"  PID:316

C:\Windows\system32\sihost.exe  sihost.exe  PID:2988

C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:3036

C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:1068

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3492

C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4434d84e94dbf07dc5f0bc979998d4f87a9ec055491fae8aeae20e25d5d42029.dll,#1  PID:3484
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4434d84e94dbf07dc5f0bc979998d4f87a9ec055491fae8aeae20e25d5d42029.dll,#1  PID:3156
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\e579124.exe  C:\Users\Admin\AppData\Local\Temp\e579124.exe  PID:4372
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

        C:\Users\Admin\AppData\Local\Temp\e57927c.exe  C:\Users\Admin\AppData\Local\Temp\e57927c.exe  PID:2452
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\e57ac9b.exe  C:\Users\Admin\AppData\Local\Temp\e57ac9b.exe  PID:1076
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification

        C:\Users\Admin\AppData\Local\Temp\e57acbb.exe  C:\Users\Admin\AppData\Local\Temp\e57acbb.exe  PID:2316
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3616

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3912

C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:4056

C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4156

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:1568

C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:5044
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Create or Modify System Process (1)
Windows Service (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Impair Defenses (4)
Disable or Modify System Firewall (1)
Disable or Modify Tools (3)
Modify Registry (5)
Downloads

Filesize
97KB
MD5
88bbf3ab1d9ccfbe1cd9ed5f295b55ea
SHA1
3c03ee2ce263d38fd0c4968057059952b161e498
SHA256
e32082ad4e3943e57df6608980e9ec726cb7bec7c09735fc4319e55ce9e3982f
SHA512
bb258a667d4d12954d6a20355d3f062d3f9667dc6d1793bafcdcf676a9344ec367433a4da9b649e7c1429a6d844aedf8c0e23275ac64efdc020badf1ada2fdc0

Filesize
257B
MD5
12838b7d9581c0e8a9e7372fce85cc3b
SHA1
9c23b60a3c209971a8316627d52e4d17fc3778c4
SHA256
fdfc038f16293c30e87d81e4be62fde51b52549f0d693569914243d9e101f698
SHA512
1ff52beaa564bab18c13ffa2da9b63de24290b8d005b05bda7fbdc167ff6a7664b2cfe785a65b722c7902705e95ab6af572b36946b941497e55d596c4878ff5c