Analysis

max time kernel: 97s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/12/2024, 00:33
Static task: static1
Behavioral task: behavioral1
Sample: 72f2cd8708d129af01bc33c3fd6425749b6d86068b19b4f16689c4a19290af33N.dll
Resource: win7-20240903-en
General

Target: 72f2cd8708d129af01bc33c3fd6425749b6d86068b19b4f16689c4a19290af33N.dll
Size: 120KB
MD5: f7300e3a5be0dc3ea09fc2959bc91560
SHA1: 2732711ac33b5acceb6f23930a6415092cc55561
SHA256: 72f2cd8708d129af01bc33c3fd6425749b6d86068b19b4f16689c4a19290af33
SHA512: 710fc0117af83e03d421f0f5550d097d34ac624b49dad95d7332de44ab23f5cf9ef2c6ecc1658f0807b86069f598b5fd801ed5a99cfcc05437946a1a99ff4224
SSDEEP: 1536:/M4kngq7u0vgmjtvbZO3+9blJuE9xTeAzYiAxdB9MqUL6Slm1sAruxyX1mKN8O5B:xknHvq3+zx36kYH9A6Mm1V2CoKNL
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ea6f.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ea6f.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bff4.exe

Executes dropped EXE 3 IoCs
pid | Process
4084 | e57bff4.exe
3648 | e57c1aa.exe
1620 | e57ea6f.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ea6f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ea6f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bff4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ea6f.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ea6f.exe
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e57bff4.exe
File opened (read-only) | \??\K: | e57bff4.exe
File opened (read-only) | \??\G: | e57ea6f.exe
File opened (read-only) | \??\I: | e57ea6f.exe
File opened (read-only) | \??\E: | e57bff4.exe
File opened (read-only) | \??\H: | e57bff4.exe
File opened (read-only) | \??\I: | e57bff4.exe
File opened (read-only) | \??\E: | e57ea6f.exe
File opened (read-only) | \??\H: | e57ea6f.exe
File opened (read-only) | \??\J: | e57ea6f.exe
File opened (read-only) | \??\G: | e57bff4.exe
File opened (read-only) | \??\L: | e57bff4.exe
File opened (read-only) | \??\M: | e57bff4.exe

Yara rule matches (upx)
resource | yara_rule
behavioral2/memory/4084-6-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-13-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-11-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-12-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-19-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-9-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-8-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-10-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-32-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-28-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-33-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-35-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-36-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-37-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-38-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-39-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-53-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-56-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-57-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-58-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-61-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-62-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-69-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-72-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/4084-75-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1620-97-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1620-128-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/1620-152-0x00000000007B0000-0x000000000186A000-memory.dmp | upx

Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57bff4.exe
File created | C:\Windows\e5811ed | e57ea6f.exe
File created | C:\Windows\e57c043 | e57bff4.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bff4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c1aa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ea6f.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4084 | e57bff4.exe (4 entries)
1620 | e57ea6f.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4084 | e57bff4.exe (64 identical entries)

Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target
PID 5024 wrote to memory of 3112 | 5024 | rundll32.exe | 82 (3 entries)
PID 3112 wrote to memory of 4084 | 3112 | rundll32.exe | 83 (3 entries)
PID 4084 wrote to memory of 776 | 4084 | e57bff4.exe | 8
PID 4084 wrote to memory of 784 | 4084 | e57bff4.exe | 9
PID 4084 wrote to memory of 380 | 4084 | e57bff4.exe | 13
PID 4084 wrote to memory of 2520 | 4084 | e57bff4.exe | 42
PID 4084 wrote to memory of 2544 | 4084 | e57bff4.exe | 43
PID 4084 wrote to memory of 2672 | 4084 | e57bff4.exe | 47
PID 4084 wrote to memory of 3488 | 4084 | e57bff4.exe | 56
PID 4084 wrote to memory of 3636 | 4084 | e57bff4.exe | 57
PID 4084 wrote to memory of 3860 | 4084 | e57bff4.exe | 58
PID 4084 wrote to memory of 3956 | 4084 | e57bff4.exe | 59
PID 4084 wrote to memory of 4032 | 4084 | e57bff4.exe | 60
PID 4084 wrote to memory of 2168 | 4084 | e57bff4.exe | 61
PID 4084 wrote to memory of 4180 | 4084 | e57bff4.exe | 62
PID 4084 wrote to memory of 3460 | 4084 | e57bff4.exe | 75
PID 4084 wrote to memory of 836 | 4084 | e57bff4.exe | 76
PID 4084 wrote to memory of 5024 | 4084 | e57bff4.exe | 81
PID 4084 wrote to memory of 3112 | 4084 | e57bff4.exe | 82 (2 entries)
PID 3112 wrote to memory of 3648 | 3112 | rundll32.exe | 84 (3 entries)
PID 3112 wrote to memory of 1620 | 3112 | rundll32.exe | 85 (3 entries)
PID 4084 wrote to memory of 776 | 4084 | e57bff4.exe | 8
PID 4084 wrote to memory of 784 | 4084 | e57bff4.exe | 9
PID 4084 wrote to memory of 380 | 4084 | e57bff4.exe | 13
PID 4084 wrote to memory of 2520 | 4084 | e57bff4.exe | 42
PID 4084 wrote to memory of 2544 | 4084 | e57bff4.exe | 43
PID 4084 wrote to memory of 2672 | 4084 | e57bff4.exe | 47
PID 4084 wrote to memory of 3488 | 4084 | e57bff4.exe | 56
PID 4084 wrote to memory of 3636 | 4084 | e57bff4.exe | 57
PID 4084 wrote to memory of 3860 | 4084 | e57bff4.exe | 58
PID 4084 wrote to memory of 3956 | 4084 | e57bff4.exe | 59
PID 4084 wrote to memory of 4032 | 4084 | e57bff4.exe | 60
PID 4084 wrote to memory of 2168 | 4084 | e57bff4.exe | 61
PID 4084 wrote to memory of 4180 | 4084 | e57bff4.exe | 62
PID 4084 wrote to memory of 3460 | 4084 | e57bff4.exe | 75
PID 4084 wrote to memory of 836 | 4084 | e57bff4.exe | 76
PID 4084 wrote to memory of 5024 | 4084 | e57bff4.exe | 81
PID 4084 wrote to memory of 3648 | 4084 | e57bff4.exe | 84 (2 entries)
PID 1620 wrote to memory of 776 | 1620 | e57ea6f.exe | 8
PID 1620 wrote to memory of 784 | 1620 | e57ea6f.exe | 9
PID 1620 wrote to memory of 380 | 1620 | e57ea6f.exe | 13
PID 1620 wrote to memory of 2520 | 1620 | e57ea6f.exe | 42
PID 1620 wrote to memory of 2544 | 1620 | e57ea6f.exe | 43
PID 1620 wrote to memory of 2672 | 1620 | e57ea6f.exe | 47
PID 1620 wrote to memory of 3488 | 1620 | e57ea6f.exe | 56
PID 1620 wrote to memory of 3636 | 1620 | e57ea6f.exe | 57
PID 1620 wrote to memory of 3860 | 1620 | e57ea6f.exe | 58
PID 1620 wrote to memory of 3956 | 1620 | e57ea6f.exe | 59
PID 1620 wrote to memory of 4032 | 1620 | e57ea6f.exe | 60
PID 1620 wrote to memory of 2168 | 1620 | e57ea6f.exe | 61
PID 1620 wrote to memory of 4180 | 1620 | e57ea6f.exe | 62
PID 1620 wrote to memory of 3460 | 1620 | e57ea6f.exe | 75
PID 1620 wrote to memory of 836 | 1620 | e57ea6f.exe | 76

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bff4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ea6f.exe
Processes

Process tree (path | command line | PID); children are indented under their parent, with the signatures triggered by each process listed beneath it.

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:380
C:\Windows\system32\sihost.exe | sihost.exe | PID:2520
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2544
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2672
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3488
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\72f2cd8708d129af01bc33c3fd6425749b6d86068b19b4f16689c4a19290af33N.dll,#1 | PID:5024
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\72f2cd8708d129af01bc33c3fd6425749b6d86068b19b4f16689c4a19290af33N.dll,#1 | PID:3112
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57bff4.exe | C:\Users\Admin\AppData\Local\Temp\e57bff4.exe | PID:4084
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57c1aa.exe | C:\Users\Admin\AppData\Local\Temp\e57c1aa.exe | PID:3648
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57ea6f.exe | C:\Users\Admin\AppData\Local\Temp\e57ea6f.exe | PID:1620
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3636
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3860
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3956
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4032
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:2168
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4180
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3460
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:836
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Create or Modify System Process: 1
- Windows Service: 1

Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Impair Defenses: 4
- Disable or Modify System Firewall: 1
- Disable or Modify Tools: 3
- Modify Registry: 5
Downloads

Filesize: 97KB
MD5: eebe12e47f6a88c60a4e8691d84b7585
SHA1: 0de7053b17e035e64fad700f4a03efe688efb441
SHA256: 08c2e9731d5c7096173dc24a31f29b29dc8534ee8c20e7aec03ce8084b35239b
SHA512: 4a2ae2492794057399cf0ad2213704841ba2157c527fd7b289ece3bc1363e031493a34a539ed71bfe9f659e69e7f1f22cfb714a112ad2d36af744e80ec6319b5

Filesize: 257B
MD5: e51bc22eef364a4a1e5b418ebdde8a58
SHA1: 507a8ac4c5087f3446fbeb5eb146bfd4c8e47365
SHA256: 40c5ee117a8a4eaa2cf41229c1ebe4a18d92d03d2f8280319cf3a681a30332c4
SHA512: 4cdbff9fa39fea5299547acfc117dfc3d4050c9f87fb2b874049eb486af62c654e1cbc38b2d8e83ab39953a63d4497d61055447d554cc5d91cabc43d9d4a7aca