Analysis
  max time kernel: 93s
  max time network: 100s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15-12-2024 22:02
Static task: static1
Behavioral task: behavioral1
  Sample: 88b3b6dfee1b32656ca066c264b06250abeeca011edf5a0e5600e56fed20f0d8N.dll
  Resource: win7-20240903-en
General
  Target: 88b3b6dfee1b32656ca066c264b06250abeeca011edf5a0e5600e56fed20f0d8N.dll
  Size: 120KB
  MD5: 05a961bf4cfb8be7ffb83454d5c2d6b0
  SHA1: 0687239408d0db9d233917bb17420a86bc547797
  SHA256: 88b3b6dfee1b32656ca066c264b06250abeeca011edf5a0e5600e56fed20f0d8
  SHA512: 8edd590e99a0a0125db81ce6353409627244e6015dcec1f1f23a6e423930256a8c1bda5de2d5eaf95fa970c9c9915e6403d2ffdc0ca1b3cc9f38cbc86d977ffb
  SSDEEP: 3072:J6AqmJvSYdOrKLWrVX8nFQaCGf5/s5Ua:NJvr7LeXquGf5/2
Malware Config
Extracted
  Family: sality
  C2:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Set value (int)  DoNotAllowExceptions = "0"   e579da7.exe, e578201.exe
    Set value (int)  DisableNotifications = "1"   e579da7.exe, e578201.exe
    Set value (int)  EnableFirewall = "0"         e578201.exe, e579da7.exe

Sality family

UAC bypass (signature name as listed for these processes in the process tree below)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Set value (int)  EnableLUA = "0"   e579da7.exe, e578201.exe

Windows security bypass (signature name as listed in the process tree below)
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
    Set value (int)  FirewallDisableNotify = "1"    e578201.exe, e579da7.exe
    Set value (int)  FirewallOverride = "1"         e578201.exe, e579da7.exe
    Set value (int)  AntiVirusOverride = "1"        e579da7.exe, e578201.exe
    Set value (int)  AntiVirusDisableNotify = "1"   e579da7.exe, e578201.exe
    Set value (int)  UacDisableNotify = "1"         e579da7.exe, e578201.exe
    Set value (int)  UpdatesDisableNotify = "1"     e579da7.exe, e578201.exe

Executes dropped EXE (4 IoCs)
  pid 4192   e578201.exe
  pid 212    e578378.exe
  pid 4456   e579d98.exe
  pid 2004   e579da7.exe

Windows security modification (signature name as listed in the process tree below)
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
    Set value (int)  UpdatesDisableNotify = "1"     e579da7.exe, e578201.exe
    Set value (int)  AntiVirusDisableNotify = "1"   e578201.exe, e579da7.exe
    Set value (int)  FirewallOverride = "1"         e579da7.exe, e578201.exe
    Set value (int)  UacDisableNotify = "1"         e579da7.exe, e578201.exe
    Set value (int)  AntiVirusOverride = "1"        e578201.exe, e579da7.exe
    Set value (int)  FirewallDisableNotify = "1"    e578201.exe, e579da7.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc   e578201.exe, e579da7.exe

Checks whether UAC is enabled (signature name as listed in the process tree below)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Set value (int)  EnableLUA = "0"   e578201.exe, e579da7.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E:   e578201.exe, e579da7.exe
  File opened (read-only)  \??\G:   e578201.exe, e579da7.exe
  File opened (read-only)  \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:   e578201.exe
Memory regions matching yara rule upx (UPX-packed code)
  behavioral2/memory/4192-N-0x0000000000770000-0x000000000182A000-memory.dmp for N in 6, 8, 9, 10, 11, 21, 22, 27, 28, 34, 35, 36, 37, 38, 39, 41, 42, 57, 59, 61, 74, 75, 78, 80, 83, 84, 87, 90, 97, 98 (30 dumps of the same region of pid 4192, e578201.exe)
  behavioral2/memory/2004-N-0x0000000000B30000-0x0000000001BEA000-memory.dmp for N in 131, 171 (pid 2004, e579da7.exe)
Drops file in Program Files directory (4 IoCs)
  File opened for modification  C:\Program Files\7-Zip\7z.exe          e578201.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe        e578201.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe         e578201.exe
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe   e578201.exe
  Note: these are existing executables opened for writing, not new files. Sality is a PE file infector, so treat these binaries as possibly infected host files rather than as dropped payloads.

Drops file in Windows directory (3 IoCs)
  File created                  C:\Windows\e57829d      e578201.exe
  File opened for modification  C:\Windows\SYSTEM.INI   e578201.exe
  File created                  C:\Windows\e57d254      e579da7.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e579d98.exe, e579da7.exe, rundll32.exe, e578201.exe, e578378.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 4192   e578201.exe   (x4)
  pid 2004   e579da7.exe   (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege   pid 4192   e578201.exe   (all 64 entries)
  SeDebugPrivilege lets a process open other users' processes regardless of their DACL; it is the prerequisite for the cross-process writes into fontdrvhost.exe, dwm.exe, Explorer.EXE and the other system processes listed under WriteProcessMemory below.
Suspicious use of WriteProcessMemory (64 IoCs)
  writer pid (image)   -> target pid [procid_target], count
  3484 (rundll32.exe)  -> 4044 [83] x3
  4044 (rundll32.exe)  -> 4192 [84] x3
  4192 (e578201.exe)   -> 768 [8], 776 [9], 64 [13], 2628 [44], 2664 [45], 2820 [48], 3440 [56], 3568 [57], 3760 [58], 3848 [59], 3908 [60], 4000 [61], 4176 [62], 4840 [64], 1436 [75], 4532 [81], 3484 [82], 4044 [83] x2
  4044 (rundll32.exe)  -> 212 [85] x3, 4456 [87] x3, 2004 [88] x3
  4192 (e578201.exe)   -> 768 [8], 776 [9], 64 [13], 2628 [44], 2664 [45], 2820 [48], 3440 [56], 3568 [57], 3760 [58], 3848 [59], 3908 [60], 4000 [61], 4176 [62], 4840 [64], 1436 [75], 212 [85] x2, 4456 [87] x2, 2004 [88] x2
  2004 (e579da7.exe)   -> 768 [8], 776 [9], 64 [13], 2628 [44], 2664 [45], 2820 [48], 3440 [56], 3568 [57], 3760 [58]
  Reading the table: a parent writing into the child it is starting (3484 -> 4044; 4044 -> 4192, 212, 4456, 2004) is ordinary process creation. The writes by 4192 and 2004 into already-running processes (fontdrvhost.exe 768/776, dwm.exe 64, sihost.exe 2628, svchost.exe 2664/3568, taskhostw.exe 2820, Explorer.EXE 3440 and the rest, resolved in the process list below) and back into the rundll32.exe ancestors 3484/4044 are cross-process injection.
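The rows above mix process-creation writes with injection. The following is an added example, not part of the Triage report, that parses rows in the page's flattened form and uses parent links to keep only the injection writes. The PROCESSES map is transcribed from the Processes section of this report (the parent links are an assumption read from the tree's indentation), and SAMPLE_ROWS is a constructed subset of the report's 64 rows.

```python
"""Separate process-creation writes from cross-process injection in Triage's
'Suspicious use of WriteProcessMemory' rows (added example, not report code)."""
import re
from collections import defaultdict

# PID -> (image name, parent PID). Parent links are read from the indentation
# of this report's Processes section (an assumption); None marks pre-existing
# desktop/system processes whose parent the report does not show.
PROCESSES = {
    768: ("fontdrvhost.exe", None), 776: ("fontdrvhost.exe", None),
    64: ("dwm.exe", None), 2628: ("sihost.exe", None),
    2664: ("svchost.exe", None), 2820: ("taskhostw.exe", None),
    3440: ("Explorer.EXE", None),
    3484: ("rundll32.exe", 3440),      # rundll32 launched under Explorer
    4044: ("rundll32.exe", 3484),      # 32-bit rundll32 re-spawn
    4192: ("e578201.exe", 4044), 212: ("e578378.exe", 4044),
    4456: ("e579d98.exe", 4044), 2004: ("e579da7.exe", 4044),
    3568: ("svchost.exe", None), 3760: ("DllHost.exe", None),
    3848: ("StartMenuExperienceHost.exe", None), 3908: ("RuntimeBroker.exe", None),
    4000: ("SearchApp.exe", None), 4176: ("RuntimeBroker.exe", None),
    4840: ("RuntimeBroker.exe", None), 1436: ("TextInputHost.exe", None),
    4532: ("backgroundTaskHost.exe", None),
}

# One flattened row: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Constructed subset of the report's rows, in the page's flattened form.
SAMPLE_ROWS = (
    "PID 3484 wrote to memory of 4044 3484 rundll32.exe 83 "
    "PID 4044 wrote to memory of 4192 4044 rundll32.exe 84 "
    "PID 4192 wrote to memory of 768 4192 e578201.exe 8 "
    "PID 4192 wrote to memory of 64 4192 e578201.exe 13 "
    "PID 4192 wrote to memory of 3440 4192 e578201.exe 56 "
    "PID 4192 wrote to memory of 4044 4192 e578201.exe 83 "
    "PID 4044 wrote to memory of 2004 4044 rundll32.exe 88 "
    "PID 2004 wrote to memory of 3440 2004 e579da7.exe 56"
)


def parse_rows(text):
    """Yield (writer_pid, writer_image, target_pid) for each row in text."""
    for m in ROW.finditer(text):
        yield int(m.group(1)), m.group(3), int(m.group(2))


def classify_write(writer_pid, target_pid):
    """A parent writing into the child it is creating is normal start-up
    ('spawn'); any other cross-process write is 'injection'."""
    _, parent = PROCESSES.get(target_pid, ("<unknown>", None))
    return "spawn" if parent == writer_pid else "injection"


def injection_map(text):
    """{writer 'image (pid)': sorted distinct 'image (pid)' targets} for
    injection writes only, so the spawn noise drops out of the picture."""
    targets = defaultdict(set)
    for wpid, wimg, tpid in parse_rows(text):
        if classify_write(wpid, tpid) != "injection":
            continue
        timg = PROCESSES.get(tpid, ("<unknown>", None))[0]
        targets[f"{wimg} ({wpid})"].add(f"{timg} ({tpid})")
    return {k: sorted(v) for k, v in targets.items()}


if __name__ == "__main__":
    for writer, victims in injection_map(SAMPLE_ROWS).items():
        print(writer, "->", ", ".join(victims))
```

Run against the full 64 rows, the two rundll32.exe instances disappear from the output entirely (every write they make is into a child they are creating), leaving e578201.exe and e579da7.exe as the only injectors.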
System policy modification (1 TTPs, 2 IoCs)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Set value (int)  EnableLUA = "0"   e578201.exe, e579da7.exe
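The registry signatures in this report (firewall policy, EnableLUA, Security Center overrides and notification suppression) are the kind of writes a registry-event rule can catch on a live host. The following is an added example, not part of the Triage report, that encodes those value names as rules and scores each process by how many distinct defences it impaired. The input records are constructed here in the field layout of Sysmon Event ID 13 (RegistryEvent, value set); the report's own \REGISTRY\MACHINE\... paths and bare "0"/"1" details are accepted as well, so the same rules can be run over a Triage IoC list.

```python
"""Flag processes that make Sality-style defence-impairment registry writes
(added example, not report code). Records mimic Sysmon Event ID 13 fields."""
import re
from collections import defaultdict

# (rule name, regex on the lower-cased key path, {value name: tampered value}).
# Only the key suffix is matched, so HKLM\..., \REGISTRY\MACHINE\...,
# ControlSet001/CurrentControlSet and WOW6432Node variants all hit.
RULES = [
    ("firewall_policy",
     re.compile(r"services\\sharedaccess\\parameters\\firewallpolicy\\\w+profile$"),
     {"enablefirewall": 0, "donotallowexceptions": 0, "disablenotifications": 1}),
    ("uac_disabled",
     re.compile(r"microsoft\\windows\\currentversion\\policies\\system$"),
     {"enablelua": 0}),
    ("security_center",
     re.compile(r"microsoft\\security center$"),
     {"antivirusoverride": 1, "antivirusdisablenotify": 1,
      "firewalloverride": 1, "firewalldisablenotify": 1,
      "uacdisablenotify": 1, "updatesdisablenotify": 1}),
]

_DWORD = re.compile(r"dword\s*\((0x[0-9a-f]+)\)", re.I)


def parse_details(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; Triage renders it
    as "1". Return the integer, or None for non-numeric data."""
    m = _DWORD.search(details)
    if m:
        return int(m.group(1), 16)
    s = details.strip().strip('"')
    return int(s) if re.fullmatch(r"-?\d+", s) else None


def classify(target_object, details):
    """Name of the rule a single value-set event matches, or None."""
    key, _, value_name = target_object.lower().rpartition("\\")
    data = parse_details(details)
    if data is None:
        return None
    for name, key_re, values in RULES:
        if key_re.search(key) and values.get(value_name) == data:
            return name
    return None


def hits_per_process(events):
    """{(pid, image): set of rule names} over Event ID 13 records only."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        rule = classify(ev["TargetObject"], ev["Details"])
        if rule:
            hits[(ev["ProcessId"], ev["Image"])].add(rule)
    return dict(hits)


def flag(events, min_categories=2):
    """Processes that impaired at least min_categories distinct defences.
    One write can be an admin's doing; firewall + UAC + Security Center
    from the same process is the pattern this report shows."""
    return sorted((pid, image, sorted(rules))
                  for (pid, image), rules in hits_per_process(events).items()
                  if len(rules) >= min_categories)


SALITY_IMG = r"C:\Users\Admin\AppData\Local\Temp\e578201.exe"
# Constructed records: three tampering writes from the dropped EXE, one benign
# write (firewall turned ON by netsh), one lone write from e579da7.exe, and a
# key-creation event (ID 12) that this detector deliberately ignores.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 4192, "Image": SALITY_IMG,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 4192, "Image": SALITY_IMG,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "0"},
    {"EventID": 13, "ProcessId": 4192, "Image": SALITY_IMG,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Windows\System32\netsh.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 2004, "Image": r"C:\Users\Admin\AppData\Local\Temp\e579da7.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "ProcessId": 4192, "Image": SALITY_IMG,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc", "Details": ""},
]

if __name__ == "__main__":
    for pid, image, rules in flag(SAMPLE_EVENTS):
        print(pid, image, rules)
```

The threshold of two categories is the design choice worth keeping: a single EnableFirewall=0 or EnableLUA=0 is something an administrator or an installer occasionally does, but no legitimate software touches the firewall policy, the UAC policy and the Security Center override values from one process in one session. Lower min_categories to 1 if you want every individual write surfaced for review.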
Processes (tree; children are indented under their parent)
The top-level system processes (fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, Explorer.EXE and the others) were already running; they appear here because the dropped executables wrote into their memory (see WriteProcessMemory above), not because the sample started them.

PID 768    C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 776    C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 64     C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"
PID 2628   C:\Windows\system32\sihost.exe   cmdline: sihost.exe
PID 2664   C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2820   C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3440   C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
  PID 3484   C:\Windows\system32\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88b3b6dfee1b32656ca066c264b06250abeeca011edf5a0e5600e56fed20f0d8N.dll,#1
    - Suspicious use of WriteProcessMemory
    PID 4044   C:\Windows\SysWOW64\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88b3b6dfee1b32656ca066c264b06250abeeca011edf5a0e5600e56fed20f0d8N.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 4192   C:\Users\Admin\AppData\Local\Temp\e578201.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e578201.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      PID 212    C:\Users\Admin\AppData\Local\Temp\e578378.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e578378.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      PID 4456   C:\Users\Admin\AppData\Local\Temp\e579d98.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e579d98.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      PID 2004   C:\Users\Admin\AppData\Local\Temp\e579da7.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e579da7.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
PID 3568   C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3760   C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3848   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3908   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4000   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4176   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4840   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1436   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4532   C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

  Filesize: 97KB
  MD5: b975ff476a694e19d86f52c51a28d695
  SHA1: 0fa80cff406244a6f83dd226c7982b321e8a0cce
  SHA256: 7a03d010156499294f67ca93108fafb1ef21d585f1f86a4b81741701188dedd8
  SHA512: 32aab108b703b56807b3462f076cc14ac53e6206b569e3dc8b73fece9ab7ec90ef5b215db5f0c2d279d76803dc7bfd15ee87c73734e1b87ca308d716cd1d86af

  Filesize: 256B
  MD5: 489352c267bce721af57c392243a7f5d
  SHA1: 170c08ddbc74db105b4d3c28f98b825becbbc6b8
  SHA256: 50741f79915a9e608c74ae89d8fc4c60c533a1defa4acb9c1b146a6801fae6c9
  SHA512: 874b9d06d32c2e3fa6f78db22e4247f8662605a82abf0b8df0f4855be6c0aa9612eeeb5ae79addd5a4f387081ce16398258c03756aa9ae504c772e421d9b0ad0