Analysis
max time kernel: 31s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 23:06
Static task: static1
Behavioral task: behavioral1
Sample: a9918aef775c477acdbb0a9ec35c1fcd843feeec97d8ea74b67d771ab46395a2N.dll
Resource: win7-20240903-en
General
Target: a9918aef775c477acdbb0a9ec35c1fcd843feeec97d8ea74b67d771ab46395a2N.dll
Size: 120KB
MD5: 45ed632c5a5bd3d21c796625496b8ad0
SHA1: a38d1a725cd53bc232d6229ca5c6648ffde3d0c0
SHA256: a9918aef775c477acdbb0a9ec35c1fcd843feeec97d8ea74b67d771ab46395a2
SHA512: 0f0aac942eea42bbb985a740986071d78e5bfbdefdd1733f83fb98da5eb7a83776d097c72e11569159b849020632572054b23870b2aa7f2df63faf30dce207f2
SSDEEP: 3072:2xMmFcHmvcN6OzxwU0SlXsAPwUGwa7BHoMU9:wJF2cCwU05awaaZjU9
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e678.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e678.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ba28.exe
Executes dropped EXE (3 IoCs)
pid | Process
1980 | e57ba28.exe
2272 | e57bb8f.exe
2028 | e57e678.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ba28.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e678.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e678.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e678.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e678.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e57ba28.exe
File opened (read-only) | \??\L: | e57ba28.exe
File opened (read-only) | \??\M: | e57ba28.exe
File opened (read-only) | \??\I: | e57e678.exe
File opened (read-only) | \??\E: | e57ba28.exe
File opened (read-only) | \??\H: | e57ba28.exe
File opened (read-only) | \??\N: | e57ba28.exe
File opened (read-only) | \??\J: | e57ba28.exe
File opened (read-only) | \??\E: | e57e678.exe
File opened (read-only) | \??\H: | e57e678.exe
File opened (read-only) | \??\G: | e57ba28.exe
File opened (read-only) | \??\K: | e57ba28.exe
File opened (read-only) | \??\O: | e57ba28.exe
File opened (read-only) | \??\G: | e57e678.exe
resource | yara_rule
behavioral2/memory/1980-8-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-11-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-22-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-31-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-23-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-27-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-12-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-10-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-9-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-6-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-34-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-36-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-37-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-38-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-40-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-39-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-42-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-47-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-59-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-60-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-61-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-63-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-64-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-68-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-70-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-76-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-77-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/1980-78-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/2028-113-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/2028-134-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/2028-158-0x0000000000790000-0x000000000184A000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57ba28.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57ba28.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57ba28.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e580e24 | e57e678.exe
File created | C:\Windows\e57ba76 | e57ba28.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ba28.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e678.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ba28.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb8f.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1980 | e57ba28.exe
1980 | e57ba28.exe
1980 | e57ba28.exe
1980 | e57ba28.exe
2028 | e57e678.exe
2028 | e57e678.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1980 | e57ba28.exe
(this identical entry is recorded 64 times for PID 1980)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3164 wrote to memory of 4764 | 3164 | rundll32.exe | 82
PID 3164 wrote to memory of 4764 | 3164 | rundll32.exe | 82
PID 3164 wrote to memory of 4764 | 3164 | rundll32.exe | 82
PID 4764 wrote to memory of 1980 | 4764 | rundll32.exe | 83
PID 4764 wrote to memory of 1980 | 4764 | rundll32.exe | 83
PID 4764 wrote to memory of 1980 | 4764 | rundll32.exe | 83
PID 1980 wrote to memory of 776 | 1980 | e57ba28.exe | 8
PID 1980 wrote to memory of 784 | 1980 | e57ba28.exe | 9
PID 1980 wrote to memory of 336 | 1980 | e57ba28.exe | 13
PID 1980 wrote to memory of 2652 | 1980 | e57ba28.exe | 44
PID 1980 wrote to memory of 2680 | 1980 | e57ba28.exe | 45
PID 1980 wrote to memory of 2776 | 1980 | e57ba28.exe | 47
PID 1980 wrote to memory of 3536 | 1980 | e57ba28.exe | 56
PID 1980 wrote to memory of 3652 | 1980 | e57ba28.exe | 57
PID 1980 wrote to memory of 3828 | 1980 | e57ba28.exe | 58
PID 1980 wrote to memory of 3920 | 1980 | e57ba28.exe | 59
PID 1980 wrote to memory of 3984 | 1980 | e57ba28.exe | 60
PID 1980 wrote to memory of 4076 | 1980 | e57ba28.exe | 61
PID 1980 wrote to memory of 4124 | 1980 | e57ba28.exe | 62
PID 1980 wrote to memory of 3836 | 1980 | e57ba28.exe | 73
PID 1980 wrote to memory of 3200 | 1980 | e57ba28.exe | 75
PID 1980 wrote to memory of 3712 | 1980 | e57ba28.exe | 80
PID 1980 wrote to memory of 3164 | 1980 | e57ba28.exe | 81
PID 1980 wrote to memory of 4764 | 1980 | e57ba28.exe | 82
PID 1980 wrote to memory of 4764 | 1980 | e57ba28.exe | 82
PID 4764 wrote to memory of 2272 | 4764 | rundll32.exe | 84
PID 4764 wrote to memory of 2272 | 4764 | rundll32.exe | 84
PID 4764 wrote to memory of 2272 | 4764 | rundll32.exe | 84
PID 1980 wrote to memory of 776 | 1980 | e57ba28.exe | 8
PID 1980 wrote to memory of 784 | 1980 | e57ba28.exe | 9
PID 1980 wrote to memory of 336 | 1980 | e57ba28.exe | 13
PID 1980 wrote to memory of 2652 | 1980 | e57ba28.exe | 44
PID 1980 wrote to memory of 2680 | 1980 | e57ba28.exe | 45
PID 1980 wrote to memory of 2776 | 1980 | e57ba28.exe | 47
PID 1980 wrote to memory of 3536 | 1980 | e57ba28.exe | 56
PID 1980 wrote to memory of 3652 | 1980 | e57ba28.exe | 57
PID 1980 wrote to memory of 3828 | 1980 | e57ba28.exe | 58
PID 1980 wrote to memory of 3920 | 1980 | e57ba28.exe | 59
PID 1980 wrote to memory of 3984 | 1980 | e57ba28.exe | 60
PID 1980 wrote to memory of 4076 | 1980 | e57ba28.exe | 61
PID 1980 wrote to memory of 4124 | 1980 | e57ba28.exe | 62
PID 1980 wrote to memory of 3836 | 1980 | e57ba28.exe | 73
PID 1980 wrote to memory of 3200 | 1980 | e57ba28.exe | 75
PID 1980 wrote to memory of 3164 | 1980 | e57ba28.exe | 81
PID 1980 wrote to memory of 2272 | 1980 | e57ba28.exe | 84
PID 1980 wrote to memory of 2272 | 1980 | e57ba28.exe | 84
PID 4764 wrote to memory of 2028 | 4764 | rundll32.exe | 86
PID 4764 wrote to memory of 2028 | 4764 | rundll32.exe | 86
PID 4764 wrote to memory of 2028 | 4764 | rundll32.exe | 86
PID 2028 wrote to memory of 776 | 2028 | e57e678.exe | 8
PID 2028 wrote to memory of 784 | 2028 | e57e678.exe | 9
PID 2028 wrote to memory of 336 | 2028 | e57e678.exe | 13
PID 2028 wrote to memory of 2652 | 2028 | e57e678.exe | 44
PID 2028 wrote to memory of 2680 | 2028 | e57e678.exe | 45
PID 2028 wrote to memory of 2776 | 2028 | e57e678.exe | 47
PID 2028 wrote to memory of 3536 | 2028 | e57e678.exe | 56
PID 2028 wrote to memory of 3652 | 2028 | e57e678.exe | 57
PID 2028 wrote to memory of 3828 | 2028 | e57e678.exe | 58
PID 2028 wrote to memory of 3920 | 2028 | e57e678.exe | 59
PID 2028 wrote to memory of 3984 | 2028 | e57e678.exe | 60
PID 2028 wrote to memory of 4076 | 2028 | e57e678.exe | 61
PID 2028 wrote to memory of 4124 | 2028 | e57e678.exe | 62
PID 2028 wrote to memory of 3836 | 2028 | e57e678.exe | 73
PID 2028 wrote to memory of 3200 | 2028 | e57e678.exe | 75
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ba28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e678.exe
Processes
(image path | command line | PID; indentation shows the depth in the process tree, signature bullets follow the process they fired on)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 776

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784

C:\Windows\system32\dwm.exe | "dwm.exe" | PID 336

C:\Windows\system32\sihost.exe | sihost.exe | PID 2652

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2680

C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2776

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3536
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9918aef775c477acdbb0a9ec35c1fcd843feeec97d8ea74b67d771ab46395a2N.dll,#1 | PID 3164
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9918aef775c477acdbb0a9ec35c1fcd843feeec97d8ea74b67d771ab46395a2N.dll,#1 | PID 4764
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57ba28.exe | C:\Users\Admin\AppData\Local\Temp\e57ba28.exe | PID 1980
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57bb8f.exe | C:\Users\Admin\AppData\Local\Temp\e57bb8f.exe | PID 2272
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57e678.exe | C:\Users\Admin\AppData\Local\Temp\e57e678.exe | PID 2028
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3652

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3920

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4076

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4124

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 3836

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3200

C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3712

C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3476
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: a68b9133d308e45d9bb4aef54ccfb367
SHA1: 1d59117c49d0a2a76ef2ef4f6765908b814a80ca
SHA256: 9e8a916a40552853bd8505a4b264ece3d078cde99027342c2ffa222355ecf017
SHA512: 6f9ecc487b89d94417def4209307d5616312d58da14dda633cbecf9f73044e771650377e4b710078671cfe21945773ebdb5370c0c1f93f40ac5ee0dae1cb5f36

Filesize: 257B
MD5: a9dae71e40d48534fce31af1a24377ce
SHA1: 00c7c3d4feb27719c23d49b10764dd7dfeb60aff
SHA256: 281c3e638a415ad59be4771effc60f83a76e23b45b102e59e2eb42d05c0ba2c8
SHA512: 340016a13c37a2f335ab1cc47e70db937a2b1a22ffdc8acff029c9201689782c44c0f1e766a7aef78efd23ff5d870cfab18d4c94eb1701256a1c1f9d853e07cb