Analysis
-
max time kernel   95s
max time network  97s
platform          windows10-2004_x64
resource          win10v2004-20241007-en
resource tags     arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted         16-12-2024 00:03
Static task
static1
Behavioral task
behavioral1
Sample
df92a92425260e9c28009a76bc2a9cc9ab812c92771131f0243e2f3824553ea7N.dll
Resource
win7-20241010-en
General
-
Target
df92a92425260e9c28009a76bc2a9cc9ab812c92771131f0243e2f3824553ea7N.dll
-
Size
120KB
-
MD5
88f29dfb98f1b3871c2e2becd5bc2870
-
SHA1
f3aeb0a8c7ec723710f8c90bf4a0f99d8e4f8ff7
-
SHA256
df92a92425260e9c28009a76bc2a9cc9ab812c92771131f0243e2f3824553ea7
-
SHA512
430d1d2296bb3237ae4ac3fadcfef7744a5545f9cf37846d378c3613e8c078cc7935df034d6ece5cab134fe3682e5f34a24f9a1db166e55224cc17c9f064a682
-
SSDEEP
1536:XAbzO76H7DNgZMpmt1MNPdZNhixGFzWLzLxrdxXGEFUm/imVgteWYqMZ7U:gpH7DNrIfMVdHhhFwPxvXGPmVgeZH
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description      ioc                                                                                                                           Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e579b55.exe
-
Sality family
-
UAC bypass
description      ioc                                                                                     Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579b55.exe
-
Windows security bypass
description      ioc                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57800d.exe
-
Executes dropped EXE 4 IoCs
pid   Process
2116  e57800d.exe
3796  e5781b3.exe
1436  e579b55.exe
5080  e579b65.exe
-
Windows security modification
description      ioc                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57800d.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                           e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e579b55.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                           e579b55.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e579b55.exe
-
Checks whether UAC is enabled
description      ioc                                                                                     Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579b55.exe
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\M:  e57800d.exe
File opened (read-only)  \??\N:  e57800d.exe
File opened (read-only)  \??\O:  e57800d.exe
File opened (read-only)  \??\G:  e57800d.exe
File opened (read-only)  \??\L:  e57800d.exe
File opened (read-only)  \??\R:  e57800d.exe
File opened (read-only)  \??\K:  e57800d.exe
File opened (read-only)  \??\Q:  e57800d.exe
File opened (read-only)  \??\I:  e57800d.exe
File opened (read-only)  \??\J:  e57800d.exe
File opened (read-only)  \??\P:  e57800d.exe
File opened (read-only)  \??\S:  e57800d.exe
File opened (read-only)  \??\E:  e57800d.exe
File opened (read-only)  \??\H:  e57800d.exe
-
resource                                                                   yara_rule
behavioral2/memory/2116-12-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-6-0x0000000000810000-0x00000000018CA000-memory.dmp    upx
behavioral2/memory/2116-9-0x0000000000810000-0x00000000018CA000-memory.dmp    upx
behavioral2/memory/2116-10-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-11-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-32-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-27-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-19-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-18-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-8-0x0000000000810000-0x00000000018CA000-memory.dmp    upx
behavioral2/memory/2116-33-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-35-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-36-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-37-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-38-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-39-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-41-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-42-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-54-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-60-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-61-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-62-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-76-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-79-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-81-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-85-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-86-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-88-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-89-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-92-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-93-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/2116-94-0x0000000000810000-0x00000000018CA000-memory.dmp   upx
behavioral2/memory/1436-141-0x0000000000B30000-0x0000000001BEA000-memory.dmp  upx
behavioral2/memory/1436-154-0x0000000000B30000-0x0000000001BEA000-memory.dmp  upx
-
Drops file in Program Files directory 4 IoCs
description                   ioc                                     Process
File opened for modification  C:\Program Files\7-Zip\7z.exe          e57800d.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe        e57800d.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe         e57800d.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe   e57800d.exe
-
Drops file in Windows directory 3 IoCs
description                   ioc                     Process
File created                  C:\Windows\e57805b      e57800d.exe
File opened for modification  C:\Windows\SYSTEM.INI   e57800d.exe
File created                  C:\Windows\e57e9c4      e579b55.exe
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57800d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5781b3.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e579b55.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e579b65.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2116  e57800d.exe
2116  e57800d.exe
2116  e57800d.exe
2116  e57800d.exe
1436  e579b55.exe
1436  e579b55.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description              pid   Process
Token: SeDebugPrivilege  2116  e57800d.exe   (this entry is repeated 64 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process       procid_target
PID 396 wrote to memory of 4836    396   rundll32.exe  83
PID 396 wrote to memory of 4836    396   rundll32.exe  83
PID 396 wrote to memory of 4836    396   rundll32.exe  83
PID 4836 wrote to memory of 2116   4836  rundll32.exe  84
PID 4836 wrote to memory of 2116   4836  rundll32.exe  84
PID 4836 wrote to memory of 2116   4836  rundll32.exe  84
PID 2116 wrote to memory of 788    2116  e57800d.exe   8
PID 2116 wrote to memory of 792    2116  e57800d.exe   9
PID 2116 wrote to memory of 376    2116  e57800d.exe   13
PID 2116 wrote to memory of 2972   2116  e57800d.exe   50
PID 2116 wrote to memory of 2996   2116  e57800d.exe   51
PID 2116 wrote to memory of 2096   2116  e57800d.exe   53
PID 2116 wrote to memory of 3428   2116  e57800d.exe   56
PID 2116 wrote to memory of 3572   2116  e57800d.exe   57
PID 2116 wrote to memory of 3736   2116  e57800d.exe   58
PID 2116 wrote to memory of 3832   2116  e57800d.exe   59
PID 2116 wrote to memory of 3896   2116  e57800d.exe   60
PID 2116 wrote to memory of 3988   2116  e57800d.exe   61
PID 2116 wrote to memory of 3552   2116  e57800d.exe   62
PID 2116 wrote to memory of 4984   2116  e57800d.exe   74
PID 2116 wrote to memory of 2176   2116  e57800d.exe   76
PID 2116 wrote to memory of 1412   2116  e57800d.exe   81
PID 2116 wrote to memory of 396    2116  e57800d.exe   82
PID 2116 wrote to memory of 4836   2116  e57800d.exe   83
PID 2116 wrote to memory of 4836   2116  e57800d.exe   83
PID 4836 wrote to memory of 3796   4836  rundll32.exe  85
PID 4836 wrote to memory of 3796   4836  rundll32.exe  85
PID 4836 wrote to memory of 3796   4836  rundll32.exe  85
PID 4836 wrote to memory of 1436   4836  rundll32.exe  87
PID 4836 wrote to memory of 1436   4836  rundll32.exe  87
PID 4836 wrote to memory of 1436   4836  rundll32.exe  87
PID 4836 wrote to memory of 5080   4836  rundll32.exe  88
PID 4836 wrote to memory of 5080   4836  rundll32.exe  88
PID 4836 wrote to memory of 5080   4836  rundll32.exe  88
PID 2116 wrote to memory of 788    2116  e57800d.exe   8
PID 2116 wrote to memory of 792    2116  e57800d.exe   9
PID 2116 wrote to memory of 376    2116  e57800d.exe   13
PID 2116 wrote to memory of 2972   2116  e57800d.exe   50
PID 2116 wrote to memory of 2996   2116  e57800d.exe   51
PID 2116 wrote to memory of 2096   2116  e57800d.exe   53
PID 2116 wrote to memory of 3428   2116  e57800d.exe   56
PID 2116 wrote to memory of 3572   2116  e57800d.exe   57
PID 2116 wrote to memory of 3736   2116  e57800d.exe   58
PID 2116 wrote to memory of 3832   2116  e57800d.exe   59
PID 2116 wrote to memory of 3896   2116  e57800d.exe   60
PID 2116 wrote to memory of 3988   2116  e57800d.exe   61
PID 2116 wrote to memory of 3552   2116  e57800d.exe   62
PID 2116 wrote to memory of 4984   2116  e57800d.exe   74
PID 2116 wrote to memory of 2176   2116  e57800d.exe   76
PID 2116 wrote to memory of 3796   2116  e57800d.exe   85
PID 2116 wrote to memory of 3796   2116  e57800d.exe   85
PID 2116 wrote to memory of 1436   2116  e57800d.exe   87
PID 2116 wrote to memory of 1436   2116  e57800d.exe   87
PID 2116 wrote to memory of 5080   2116  e57800d.exe   88
PID 2116 wrote to memory of 5080   2116  e57800d.exe   88
PID 1436 wrote to memory of 788    1436  e579b55.exe   8
PID 1436 wrote to memory of 792    1436  e579b55.exe   9
PID 1436 wrote to memory of 376    1436  e579b55.exe   13
PID 1436 wrote to memory of 2972   1436  e579b55.exe   50
PID 1436 wrote to memory of 2996   1436  e579b55.exe   51
PID 1436 wrote to memory of 2096   1436  e579b55.exe   53
PID 1436 wrote to memory of 3428   1436  e579b55.exe   56
PID 1436 wrote to memory of 3572   1436  e579b55.exe   57
PID 1436 wrote to memory of 3736   1436  e579b55.exe   58
-
System policy modification 1 TTPs 2 IoCs
description      ioc                                                                                     Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57800d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579b55.exe
Processes
-
image  command line  PID  (indentation shows the parent/child relationship; signatures are listed under the process that triggered them)

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:788
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:376
C:\Windows\system32\sihost.exe  sihost.exe  PID:2972
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2996
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2096
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3428
    C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\df92a92425260e9c28009a76bc2a9cc9ab812c92771131f0243e2f3824553ea7N.dll,#1  PID:396
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\df92a92425260e9c28009a76bc2a9cc9ab812c92771131f0243e2f3824553ea7N.dll,#1  PID:4836
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57800d.exe  C:\Users\Admin\AppData\Local\Temp\e57800d.exe  PID:2116
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5781b3.exe  C:\Users\Admin\AppData\Local\Temp\e5781b3.exe  PID:3796
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e579b55.exe  C:\Users\Admin\AppData\Local\Temp\e579b55.exe  PID:1436
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e579b65.exe  C:\Users\Admin\AppData\Local\Temp\e579b65.exe  PID:5080
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3572
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3736
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3832
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3896
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3988
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3552
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:4984
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2176
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:1412
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
-
Filesize  97KB
MD5       3c0323f1e90be623d8eebe502d6d5ab9
SHA1      ac2b42071fd28c1a7fb1516d250d36ffed83a3ab
SHA256    ef034da88a1761be1412976f7541f7e3b18751fabbdfac5178016799b0d42090
SHA512    8cfbd7aefa69ef5b1bf749945db55347d26c1ab9643395bc9f88908f591bf58fabeaa202dd2c87f55280d8ea92c73071054f09aa64d38fcaddbb5e799e4c22bc
-
Filesize  257B
MD5       608e18bf6a7faa8b3e8daed371dec487
SHA1      136a94c2e4b8e45be91aa511979bca2d5fcf22af
SHA256    9a739f8e1c9e0f61715aaab31a32cc94e14dd07ef5e8a6cae4479c223795a6a4
SHA512    34fad933cf56262d42fd6f7e3b92c6d1a246b543f6c6e8682abc8e1ef6a5b517b88c046aa28019b8c2e0bf0fbf602720f1a80da90b00d7e7ba5c132520e6f663