Analysis

- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-12-2024 23:23
Tasks

- Static task: static1
- Behavioral task: behavioral1, sample 057ceabb90d85e615b19388dd9fa38045e39f103692c159cc24034d83c9d82deN.dll, resource win7-20241010-en

Note that the memory-dump paths in the Signatures section are prefixed behavioral2/ and the Analysis header names the win10v2004-20241007-en image, so the results below are from the Windows 10 run, not from the behavioral1 (Windows 7) task named in this tab.
General

- Target: 057ceabb90d85e615b19388dd9fa38045e39f103692c159cc24034d83c9d82deN.dll
- Size: 120KB
- MD5: 31f26e520de49804fe312845ec97afa0
- SHA1: 43398ee2d39a9863b99651afd723886f82e70367
- SHA256: 057ceabb90d85e615b19388dd9fa38045e39f103692c159cc24034d83c9d82de
- SHA512: a7efce77cdb8b7f7840cf216d40cfe2e255f0dc3f0a3837c5977ec34da413ae5df78fd82857c3d5f987cbb5a0bc458e09b2ef20d29c94b48319af68a7c4fccff
- SSDEEP: 3072:zC7nxwZOqh7uL9vAOxBlJTHfnWIYd/6sRNWFwMG3GiT:enlqhCvAOdJ7nTYdi4NWFxO1
Malware Config

Extracted family: Sality

URLs extracted from the Sality configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif

Treat these as block-list and hunting indicators; do not fetch them from an analyst workstation.
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)

Each of e578ea3.exe, e57903a.exe and e57aa3a.exe sets the same three integer values under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
- EnableFirewall = 0 (turns the Windows Firewall off for the standard profile)
- DoNotAllowExceptions = 0 (exceptions are allowed again, so inbound rules can take effect)
- DisableNotifications = 1 (suppresses firewall notifications to the user)
Sality family

UAC bypass (3 IoCs)

e578ea3.exe, e57903a.exe and e57aa3a.exe each set \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0, which disables UAC entirely once the machine is restarted. The same three writes are what the "Checks whether UAC is enabled" and "System policy modification" signatures below match on.
Windows security bypass (18 IoCs)

e578ea3.exe, e57903a.exe and e57aa3a.exe each set the following six integer values to 1 under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center (the 32-bit view of the key, because the writers run under WOW64):
- AntiVirusDisableNotify, AntiVirusOverride
- FirewallDisableNotify, FirewallOverride
- UpdatesDisableNotify, UacDisableNotify

These are XP-era Security Center values; whatever their effect on Windows 10, a Temp binary writing all six is a strong heuristic for Sality-style tampering.
Executes dropped EXE (4 IoCs)

- PID 3168 e578ea3.exe
- PID 4232 e57903a.exe
- PID 3872 e57aa2a.exe
- PID 444 e57aa3a.exe
Windows security modification (21 IoCs)

The same 18 Security Center writes as above (AntiVirusDisableNotify, AntiVirusOverride, FirewallDisableNotify, FirewallOverride, UpdatesDisableNotify and UacDisableNotify set to 1 by each of e578ea3.exe, e57903a.exe and e57aa3a.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center), plus one key creation per process:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc by e578ea3.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc by e57903a.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc by e57aa3a.exe
Checks whether UAC is enabled (3 IoCs)

e578ea3.exe, e57903a.exe and e57aa3a.exe each set \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 (the same writes listed under "UAC bypass").
Enumerates connected drives (3 TTPs, 15 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

e578ea3.exe opens read-only handles to the roots of 15 drive letters: \??\E: and \??\G: through \??\T: (E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T). Probing every letter is consistent with Sality's habit of looking for removable and mapped drives to spread to.
Yara rule hits (rule upx, 33 memory dumps)

- 31 dumps of PID 3168 (e578ea3.exe), all covering the region 0x0000000000730000-0x00000000017EA000: behavioral2/memory/3168-N-...-memory.dmp for N in 8, 9, 10, 11, 12, 18, 19, 20, 28, 29, 35, 36, 37, 38, 39, 41, 42, 56, 59, 60, 74, 75, 78, 81, 83, 84, 86, 90, 92, 96, 97
- 2 dumps of PID 4232 (e57903a.exe), covering 0x0000000000B50000-0x0000000001C0A000: behavioral2/memory/4232-123 and 4232-146

Both regions are 0x10BA000 bytes (roughly 17 MB), far larger than the 120 KB sample, so the rule is matching unpacked runtime memory rather than the mapped image.
Drops file in Program Files directory (4 IoCs)

e578ea3.exe opens these existing executables for modification:
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zFM.exe

Despite the signature name, nothing new is dropped here: Sality is a file infector, and write access to already-installed EXEs is its infection routine. On a real host these binaries should be treated as infected and restored from clean media rather than trusted after "cleaning".
Drops file in Windows directory (4 IoCs)

- File opened for modification: C:\Windows\SYSTEM.INI by e578ea3.exe (editing SYSTEM.INI is a long-standing Sality hallmark)
- File created: C:\Windows\e578f11 by e578ea3.exe
- File created: C:\Windows\e57df83 by e57903a.exe
- File created: C:\Windows\e57f8b8 by e57aa3a.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e578ea3.exe, e57903a.exe, e57aa2a.exe, e57aa3a.exe and rundll32.exe. Plenty of legitimate code reads this key for locale lookups, so it is low-signal on its own.
Suspicious behavior: EnumeratesProcesses (6 IoCs)

- PID 3168 e578ea3.exe (4 times)
- PID 4232 e57903a.exe (2 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)

All 64 entries are PID 3168 (e578ea3.exe) enabling Token: SeDebugPrivilege. SeDebugPrivilege is what lets a process open other users' and system processes with write access, which is the prerequisite for the cross-process memory writes recorded below.
Suspicious use of WriteProcessMemory (64 IoCs, listing capped at 64)

Grouped by writer:
- PID 2672 rundll32.exe wrote to its child 744 rundll32.exe (3 writes)
- PID 744 rundll32.exe wrote to each of its children 3168 e578ea3.exe, 4232 e57903a.exe, 3872 e57aa2a.exe and 444 e57aa3a.exe (3 writes each)
- PID 3168 e578ea3.exe wrote, in two passes, to the already-running system and shell processes 776 and 784 (fontdrvhost.exe), 64 (dwm.exe), 2652 (sihost.exe), 2660 (svchost.exe), 2832 (taskhostw.exe), 3504 (Explorer.EXE), 3636 (svchost.exe), 3820 (DllHost.exe), 3912 (StartMenuExperienceHost.exe), 3980, 4132 and 4980 (RuntimeBroker.exe), 4060 (SearchApp.exe), 5112 (TextInputHost.exe) and, once, 3924 (backgroundTaskHost.exe); it also wrote to its own ancestors 2672 and 744 (rundll32.exe) and to its siblings 4232, 3872 and 444
- PID 4232 e57903a.exe wrote to 776, 784, 64, 2652, 2660, 2832, 3504, 3636 and 3820 before the listing was cut off

The three writes from each parent into a freshly created child are what process creation itself does and would also appear for a benign launcher; the writes from 3168 and 4232 into unrelated, long-running Windows processes are the actual injection signal.
System policy modification (1 TTPs, 3 IoCs)

e578ea3.exe, e57903a.exe and e57aa3a.exe each set \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 (the same writes listed under "UAC bypass").
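The registry writes in the Signatures section are a compact fingerprint of the family: firewall off, UAC off, Security Center muted, all from the same processes. The following is an added detection example, not part of the sandbox output. It parses "Set value" lines in the report's own flattened wording, normalises the kernel-style key paths so one rule covers ControlSet001 vs CurrentControlSet and the WOW6432Node view, matches them against the tampering values this sample wrote, and raises a process only when it touches two or more distinct techniques. SAMPLE_EVENTS is constructed from the IoCs above plus two benign writes; the rule thresholds and labels are my assumptions.

```python
"""Flag Sality-style security tampering in registry "Set value" events.

Added example for this report; not part of the sandbox output. SAMPLE_EVENTS is
constructed from the Signatures section plus two benign writes, in the report's
own flattened wording. TAMPER_RULES encodes the values the sample wrote and the
ATT&CK technique each one maps to.
"""
import re
from collections import defaultdict

# Constructed sample events: the report's IoCs plus two benign writes (EnableLUA
# re-enabled by setup.exe, firewall re-enabled by svchost.exe) that must not fire.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e578ea3.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e578ea3.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e578ea3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e578ea3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57903a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57903a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" setup.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe
"""

EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)

# Rule table: (normalised key-path pattern, value that indicates tampering, ATT&CK technique, label).
FW = r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\"
SC = r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\"
POL = r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"
TAMPER_RULES = [
    (re.compile(p, re.I), bad, tech, label)
    for p, bad, tech, label in [
        (FW + r"EnableFirewall$", "0", "T1562.004", "Windows Firewall disabled"),
        (FW + r"DoNotAllowExceptions$", "0", "T1562.004", "firewall exceptions re-allowed"),
        (FW + r"DisableNotifications$", "1", "T1562.004", "firewall notifications suppressed"),
        (POL + r"EnableLUA$", "0", "T1548.002", "UAC disabled (EnableLUA=0)"),
        (SC + r"(AntiVirus|Firewall|Updates|Uac)DisableNotify$", "1", "T1562.001", "Security Center notification suppressed"),
        (SC + r"(AntiVirus|Firewall)Override$", "1", "T1562.001", "Security Center override set"),
    ]
]


def normalize_path(path: str) -> str:
    r"""Canonicalise a kernel-style path (\REGISTRY\MACHINE\..., ControlSet001,
    WOW6432Node) so a single rule matches every spelling of the same key."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p


def parse_event(line: str):
    """Return {path, value, process} for a 'Set value' line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"path": normalize_path(m["path"]), "value": m["value"], "process": m["process"]}


def analyze(events_text: str) -> dict:
    """Group tampering writes by writer: {process: [(technique, label, path, value), ...]}."""
    findings = defaultdict(list)
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rx, bad_value, technique, label in TAMPER_RULES:
            if rx.search(ev["path"]) and ev["value"] == bad_value:
                findings[ev["process"]].append((technique, label, ev["path"], ev["value"]))
    return dict(findings)


def suspicious_processes(findings: dict, min_techniques: int = 2) -> dict:
    """Writers that hit at least `min_techniques` distinct techniques. A lone
    EnableLUA=0 may be an admin script; firewall off plus UAC off plus Security
    Center muting from one process is the pattern this report shows."""
    out = {}
    for proc, hits in findings.items():
        techniques = sorted({t for t, _label, _path, _value in hits})
        if len(techniques) >= min_techniques:
            out[proc] = techniques
    return out


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for proc, hits in found.items():
        print(proc)
        for technique, label, path, value in hits:
            print(f"  {technique}  {label}: {path} = {value}")
    print("suspects:", suspicious_processes(found))
```

With the constructed input, e578ea3.exe is raised (T1548.002 and T1562.004), e57903a.exe is recorded but stays below the two-technique threshold because only its Security Center writes are in the sample, and the two benign writes produce nothing. Feed it the full IoC lists from this page and all three e57*.exe writers cross the threshold.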
Processes

- PID 776  C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
- PID 784  C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
- PID 64  C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"
- PID 2652  C:\Windows\system32\sihost.exe
    cmd: sihost.exe
- PID 2660  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2832  C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3504  C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
- PID 2672  C:\Windows\system32\rundll32.exe
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\057ceabb90d85e615b19388dd9fa38045e39f103692c159cc24034d83c9d82deN.dll,#1
    tags: Suspicious use of WriteProcessMemory
  - PID 744  C:\Windows\SysWOW64\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\057ceabb90d85e615b19388dd9fa38045e39f103692c159cc24034d83c9d82deN.dll,#1
      tags: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 3168  C:\Users\Admin\AppData\Local\Temp\e578ea3.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e578ea3.exe
        tags: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - PID 4232  C:\Users\Admin\AppData\Local\Temp\e57903a.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57903a.exe
        tags: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - PID 3872  C:\Users\Admin\AppData\Local\Temp\e57aa2a.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57aa2a.exe
        tags: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 444  C:\Users\Admin\AppData\Local\Temp\e57aa3a.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\e57aa3a.exe
        tags: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; System policy modification
- PID 3636  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3820  C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3912  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3980  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4060  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 4132  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 5112  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 4980  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3924  C:\Windows\system32\backgroundTaskHost.exe
    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

The submitted DLL is 32-bit (resource tag arch:x86), so the 64-bit rundll32.exe in system32 (PID 2672) relaunches the SysWOW64 rundll32.exe (PID 744) to host it; that WOW64 instance is the process that drops and executes the four e57*.exe payloads from the user's Temp directory. The remaining top-level processes are ordinary session processes that appear here only because e578ea3.exe and e57903a.exe wrote into their memory.
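The process tree and the WriteProcessMemory list together let an analyst separate two things the sandbox reports under one signature: writes from a parent into a child it just created, and writes into unrelated, long-running Windows processes. The following is an added example, not part of the sandbox output. It parses "PID X wrote to memory of Y" lines in the report's wording, uses a child-to-parent map taken from the tree above to classify each write, and flags writers whose foreign targets are mostly Windows binaries. PROCESS_IMAGES and PARENT_OF are copied from this page; SAMPLE_WRITES is a constructed subset of the IoCs; the threshold of three foreign targets is my assumption.

```python
"""Separate process-creation writes from cross-process injection in the
report's "PID X wrote to memory of Y" events.

Added example for this report; not part of the sandbox output. PROCESS_IMAGES
and PARENT_OF are taken from the Processes tree on this page; SAMPLE_WRITES is
a constructed subset of the WriteProcessMemory IoCs in the report's wording.
"""
import re
from collections import defaultdict

# PID -> image, from the Processes tree (only the PIDs the sample below needs).
PROCESS_IMAGES = {
    776: "C:\\Windows\\system32\\fontdrvhost.exe",
    784: "C:\\Windows\\system32\\fontdrvhost.exe",
    64: "C:\\Windows\\system32\\dwm.exe",
    2652: "C:\\Windows\\system32\\sihost.exe",
    2660: "C:\\Windows\\system32\\svchost.exe",
    2832: "C:\\Windows\\system32\\taskhostw.exe",
    3504: "C:\\Windows\\Explorer.EXE",
    2672: "C:\\Windows\\system32\\rundll32.exe",
    744: "C:\\Windows\\SysWOW64\\rundll32.exe",
    3168: "C:\\Users\\Admin\\AppData\\Local\\Temp\\e578ea3.exe",
    4232: "C:\\Users\\Admin\\AppData\\Local\\Temp\\e57903a.exe",
    3872: "C:\\Users\\Admin\\AppData\\Local\\Temp\\e57aa2a.exe",
    444: "C:\\Users\\Admin\\AppData\\Local\\Temp\\e57aa3a.exe",
}
# child PID -> parent PID, from the nesting of the Processes tree.
PARENT_OF = {744: 2672, 3168: 744, 4232: 744, 3872: 744, 444: 744}

# Constructed subset of the report's IoCs (trailing number is the report's own target index).
SAMPLE_WRITES = """
PID 2672 wrote to memory of 744 2672 rundll32.exe 83
PID 744 wrote to memory of 3168 744 rundll32.exe 84
PID 3168 wrote to memory of 776 3168 e578ea3.exe 8
PID 3168 wrote to memory of 784 3168 e578ea3.exe 9
PID 3168 wrote to memory of 64 3168 e578ea3.exe 13
PID 3168 wrote to memory of 2652 3168 e578ea3.exe 44
PID 3168 wrote to memory of 2660 3168 e578ea3.exe 45
PID 3168 wrote to memory of 2832 3168 e578ea3.exe 49
PID 3168 wrote to memory of 3504 3168 e578ea3.exe 56
PID 744 wrote to memory of 4232 744 rundll32.exe 85
PID 744 wrote to memory of 3872 744 rundll32.exe 86
PID 744 wrote to memory of 444 744 rundll32.exe 87
PID 3168 wrote to memory of 4232 3168 e578ea3.exe 85
"""

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+)(?: \d+)?$"
)


def parse_writes(text: str) -> dict:
    """Build writer PID -> set of target PIDs; repeated writes collapse to one edge."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            edges[int(m["src"])].add(int(m["dst"]))
    return edges


def is_system_image(path: str) -> bool:
    """Windows' own binaries: the hosts Sality injects into to hide its activity."""
    p = path.lower()
    return (p.startswith("c:\\windows\\system32\\")
            or p.startswith("c:\\windows\\syswow64\\")
            or p == "c:\\windows\\explorer.exe")


def classify_writes(edges: dict, parent_of: dict) -> dict:
    """Split each writer's targets into its own children (what CreateProcess does
    while setting a child up) and foreign processes (the injection candidates)."""
    out = {}
    for src, dsts in edges.items():
        children = {d for d in dsts if parent_of.get(d) == src}
        out[src] = {"children": sorted(children), "foreign": sorted(dsts - children)}
    return out


def injection_suspects(edges: dict, parent_of: dict, images: dict, min_foreign: int = 3) -> dict:
    """Writers with at least `min_foreign` foreign targets, with a count of how
    many of those targets are Windows binaries."""
    suspects = {}
    for src, parts in classify_writes(edges, parent_of).items():
        foreign = parts["foreign"]
        if len(foreign) < min_foreign:
            continue
        system_targets = [d for d in foreign if is_system_image(images.get(d, ""))]
        suspects[src] = {"image": images.get(src, "?"), "foreign": len(foreign),
                         "system": len(system_targets)}
    return suspects


if __name__ == "__main__":
    edges = parse_writes(SAMPLE_WRITES)
    for src, parts in classify_writes(edges, PARENT_OF).items():
        print(src, PROCESS_IMAGES.get(src, "?"), parts)
    print("suspects:", injection_suspects(edges, PARENT_OF, PROCESS_IMAGES))
```

On the constructed input both rundll32 instances come out with children only and no foreign targets, so they are not raised even though the sandbox tags them with the same signature, while e578ea3.exe has eight foreign targets of which seven are Windows binaries. The same split applied to the full list on this page would also raise e57903a.exe.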
Network
MITRE ATT&CK Enterprise v15

Numbers are the sandbox's per-technique hit counts.

Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1

Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Impair Defenses (T1562): 4
  - Disable or Modify System Firewall (T1562.004): 1
  - Disable or Modify Tools (T1562.001): 3
- Modify Registry (T1112): 5
Downloads

File 1
- Filesize: 97KB
- MD5: 09773753f699021521cffc61036911cd
- SHA1: ab81c7f45f3161317ef282f4ec34618f70df68dc
- SHA256: d620e5a61fb815f233732662f8fcd4b77f3de83ae618feda7e7c4261008528d2
- SHA512: eb8484f2b7b734d707ed53ebd88797328f6bdbb3a5aa32173f2d1cc4dc7383a38a98583a89495d75aa6c6947b3c714e7275869cd3627916612b5cbd59fe0f859

File 2
- Filesize: 257B
- MD5: d061e2f3d308b76f686531143e7807f6
- SHA1: 478855b432f756197bb4a84ba2d8d7eead9781e8
- SHA256: b6cc577be645a34a82b92b6a0522b3f34b0aa74cb7ba3de52efa40ec8ae84566
- SHA512: b61f38de2577ee946e114284683608bb348a1b5cce73af613154487130a6a1dbf2da823d9a65868d7f375b97cf042436d72980f48206f3f63edabcb8390153d7