Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 00:30
Static task: static1
Behavioral task: behavioral1
- Sample: 47ad4fca26b51985a3655622754682736e5aae7b877fbc2dad5568a23a7beee5N.dll
- Resource: win7-20240903-en
General
- Target: 47ad4fca26b51985a3655622754682736e5aae7b877fbc2dad5568a23a7beee5N.dll
- Size: 120KB
- MD5: 50692d16ffbce75004e7354a2e92f1f0
- SHA1: e252cebc0777beef504172de5e68801e3ea39219
- SHA256: 47ad4fca26b51985a3655622754682736e5aae7b877fbc2dad5568a23a7beee5
- SHA512: e5cb45c8b0d341f68f45833e1dc1e89e6be5b18ed69d653742b90995b2231f397b722c0ff19e95b9c7b8a8bf1b355dca8c2682018ad670bcd1a99627d26e5b48
- SSDEEP: 3072:YDe4UCBe3rI6k7qTlkXdkGMvpu7QYK94umeL:v4UCBexk7iOXcvAqWumU
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578666.exe
Sality family

UAC bypass (heading not preserved by extraction; inferred from the process-tree signature order)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a1be.exe

Windows security bypass (heading not preserved by extraction; inferred from the process-tree signature order)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578666.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 2936 | e578666.exe
- 1308 | e5787be.exe
- 1816 | e57a1ae.exe
- 4944 | e57a1be.exe

Windows security modification (heading not preserved by extraction; inferred from the process-tree signature order)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a1be.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a1be.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578666.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a1be.exe

Checks whether UAC is enabled (heading not preserved by extraction; inferred from the process-tree signature order)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a1be.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\H: | e578666.exe
- File opened (read-only) | \??\J: | e578666.exe
- File opened (read-only) | \??\K: | e578666.exe
- File opened (read-only) | \??\N: | e578666.exe
- File opened (read-only) | \??\E: | e578666.exe
- File opened (read-only) | \??\G: | e57a1be.exe
- File opened (read-only) | \??\E: | e57a1be.exe
- File opened (read-only) | \??\L: | e578666.exe
- File opened (read-only) | \??\O: | e578666.exe
- File opened (read-only) | \??\G: | e578666.exe
- File opened (read-only) | \??\M: | e578666.exe
- File opened (read-only) | \??\P: | e578666.exe
- File opened (read-only) | \??\Q: | e578666.exe
- File opened (read-only) | \??\R: | e578666.exe
- File opened (read-only) | \??\S: | e578666.exe
- File opened (read-only) | \??\I: | e578666.exe
YARA rule match: upx (heading not preserved by extraction; taken from the table's yara_rule column)
resource | yara_rule
- behavioral2/memory/2936-N-0x0000000000750000-0x000000000180A000-memory.dmp, for snapshots N = 6, 8, 9, 11, 18, 22, 32, 13, 12, 10, 35, 36, 37, 39, 38, 41, 42, 57, 59, 60, 74, 75, 78, 80, 83, 84, 87, 90, 93, 94 (30 dumps of the same region) | upx
- behavioral2/memory/4944-126-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
- behavioral2/memory/4944-166-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
- File opened for modification | C:\Program Files\7-Zip\7z.exe | e578666.exe
- File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e578666.exe
- File opened for modification | C:\Program Files\7-Zip\7zG.exe | e578666.exe
- File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e578666.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\e5786d3 | e578666.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e578666.exe
- File created | C:\Windows\e57d68a | e57a1be.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5787be.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a1ae.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a1be.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578666.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
- 2936 | e578666.exe (4 entries)
- 4944 | e57a1be.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2936 | e578666.exe (64 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
- PID 2624 wrote to memory of 4508 | 2624 | rundll32.exe | 82 (3 entries)
- PID 4508 wrote to memory of 2936 | 4508 | rundll32.exe | 83 (3 entries)
- PID 2936 wrote to memory of 764 | 2936 | e578666.exe | 8
- PID 2936 wrote to memory of 768 | 2936 | e578666.exe | 9
- PID 2936 wrote to memory of 376 | 2936 | e578666.exe | 13
- PID 2936 wrote to memory of 2652 | 2936 | e578666.exe | 44
- PID 2936 wrote to memory of 2700 | 2936 | e578666.exe | 45
- PID 2936 wrote to memory of 2940 | 2936 | e578666.exe | 51
- PID 2936 wrote to memory of 3416 | 2936 | e578666.exe | 56
- PID 2936 wrote to memory of 3552 | 2936 | e578666.exe | 57
- PID 2936 wrote to memory of 3772 | 2936 | e578666.exe | 58
- PID 2936 wrote to memory of 3864 | 2936 | e578666.exe | 59
- PID 2936 wrote to memory of 3928 | 2936 | e578666.exe | 60
- PID 2936 wrote to memory of 4020 | 2936 | e578666.exe | 61
- PID 2936 wrote to memory of 3492 | 2936 | e578666.exe | 62
- PID 2936 wrote to memory of 2252 | 2936 | e578666.exe | 75
- PID 2936 wrote to memory of 4444 | 2936 | e578666.exe | 76
- PID 2936 wrote to memory of 2624 | 2936 | e578666.exe | 81
- PID 2936 wrote to memory of 4508 | 2936 | e578666.exe | 82 (2 entries)
- PID 4508 wrote to memory of 1308 | 4508 | rundll32.exe | 84 (3 entries)
- PID 4508 wrote to memory of 1816 | 4508 | rundll32.exe | 85 (3 entries)
- PID 4508 wrote to memory of 4944 | 4508 | rundll32.exe | 86 (3 entries)
- PID 2936 wrote to memory of 764 | 2936 | e578666.exe | 8
- PID 2936 wrote to memory of 768 | 2936 | e578666.exe | 9
- PID 2936 wrote to memory of 376 | 2936 | e578666.exe | 13
- PID 2936 wrote to memory of 2652 | 2936 | e578666.exe | 44
- PID 2936 wrote to memory of 2700 | 2936 | e578666.exe | 45
- PID 2936 wrote to memory of 2940 | 2936 | e578666.exe | 51
- PID 2936 wrote to memory of 3416 | 2936 | e578666.exe | 56
- PID 2936 wrote to memory of 3552 | 2936 | e578666.exe | 57
- PID 2936 wrote to memory of 3772 | 2936 | e578666.exe | 58
- PID 2936 wrote to memory of 3864 | 2936 | e578666.exe | 59
- PID 2936 wrote to memory of 3928 | 2936 | e578666.exe | 60
- PID 2936 wrote to memory of 4020 | 2936 | e578666.exe | 61
- PID 2936 wrote to memory of 3492 | 2936 | e578666.exe | 62
- PID 2936 wrote to memory of 2252 | 2936 | e578666.exe | 75
- PID 2936 wrote to memory of 4444 | 2936 | e578666.exe | 76
- PID 2936 wrote to memory of 1308 | 2936 | e578666.exe | 84 (2 entries)
- PID 2936 wrote to memory of 1816 | 2936 | e578666.exe | 85 (2 entries)
- PID 2936 wrote to memory of 4944 | 2936 | e578666.exe | 86 (2 entries)
- PID 4944 wrote to memory of 764 | 4944 | e57a1be.exe | 8
- PID 4944 wrote to memory of 768 | 4944 | e57a1be.exe | 9
- PID 4944 wrote to memory of 376 | 4944 | e57a1be.exe | 13
- PID 4944 wrote to memory of 2652 | 4944 | e57a1be.exe | 44
- PID 4944 wrote to memory of 2700 | 4944 | e57a1be.exe | 45
- PID 4944 wrote to memory of 2940 | 4944 | e57a1be.exe | 51
- PID 4944 wrote to memory of 3416 | 4944 | e57a1be.exe | 56
- PID 4944 wrote to memory of 3552 | 4944 | e57a1be.exe | 57
- PID 4944 wrote to memory of 3772 | 4944 | e57a1be.exe | 58
- PID 4944 wrote to memory of 3864 | 4944 | e57a1be.exe | 59

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578666.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a1be.exe
Processes
(path, then command line in parentheses, then PID; nesting shows the parent/child relationship and the signatures triggered by each process)
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:764
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:768
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:376
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2652
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2700
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2940
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3416
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ad4fca26b51985a3655622754682736e5aae7b877fbc2dad5568a23a7beee5N.dll,#1) PID:2624
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ad4fca26b51985a3655622754682736e5aae7b877fbc2dad5568a23a7beee5N.dll,#1) PID:4508
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e578666.exe (C:\Users\Admin\AppData\Local\Temp\e578666.exe) PID:2936
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5787be.exe (C:\Users\Admin\AppData\Local\Temp\e5787be.exe) PID:1308
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57a1ae.exe (C:\Users\Admin\AppData\Local\Temp\e57a1ae.exe) PID:1816
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57a1be.exe (C:\Users\Admin\AppData\Local\Temp\e57a1be.exe) PID:4944
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3552
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3772
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3864
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3928
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:4020
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3492
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:2252
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:4444
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses are the number of matched signatures per technique)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  - MD5: 97e0a070873f929414b99013bffd93f4
  - SHA1: cf750ad8a176709ccb66138e01d2d62a5ff5c978
  - SHA256: bcd308c9f1802e1191a34d09f31bdc5e6b8d4e8dcc0f9911a06272bd3935cb3b
  - SHA512: df3933c86ceaa75388630f094f167701dca634377e262985be7dd1be527dcfbeebebbe1a90d48f4179d172c6a373f7e3384b1cb5b571c5d7e532cef265bd0720
- Filesize: 257B
  - MD5: d9ef5b855088fe79f0e06e61555c51a8
  - SHA1: 57797f2d87dbecd7e556e28683cf0d5b70699d54
  - SHA256: c24b2476a24237f7250ec0cbc5dbaf74a00390579d0587102d84e378f81571b2
  - SHA512: 2f0c45a0d479722ff12593802c52100cc66cb54732edbcfca45b96f40e6cf3552e522f420335d6733d5c33f9593ab8e6a1bbcb00f34343596081e02521642b03