Analysis
max time kernel: 34s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 00:39
Static task: static1
Behavioral task: behavioral1
Sample: 654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll
Resource: win7-20240903-en
General
Target: 654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll
Size: 120KB
MD5: 790dc15e1a2dbcf016963904499a8520
SHA1: 87786547ed264dcc5958ac4b207a45663fe43cca
SHA256: 654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fd
SHA512: 09d0533f48f9d8d7e9e0dfc3e2c868245005ec32b19e97aeefa38fffa023d05fcb381dcb11535324ff72b220910346f219c6942b84127a02eb9af3118d77167e
SSDEEP: 1536:zr+6wOnMvsnZJjb2HXki8L2TkWZJVxUbVeessIaGiyLyxTJQp6tSDEDHfI:Hp6vSB2HtgHWZ3xUZedH2/9O6wD4
Malware Config
Extracted
Family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a841.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a841.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a841.exe
Executes dropped EXE 3 IoCs
pid | Process
2308 | f767752.exe
1976 | f767926.exe
332 | f76a841.exe
Loads dropped DLL 6 IoCs
pid | Process
2672 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a841.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767752.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767926.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767926.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a841.exe
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | f767752.exe
File opened (read-only) | \??\H: | f767752.exe
File opened (read-only) | \??\I: | f767752.exe
File opened (read-only) | \??\J: | f767752.exe
File opened (read-only) | \??\K: | f767752.exe
File opened (read-only) | \??\L: | f767752.exe
File opened (read-only) | \??\E: | f767752.exe
UPX packed file
resource | yara_rule
behavioral1/memory/2308-18-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-16-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-13-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-15-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-19-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-21-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-20-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-22-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-14-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-17-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-63-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-59-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-65-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-66-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-68-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-69-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-101-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-102-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-103-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-107-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-108-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-111-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-114-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-137-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/1976-149-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
behavioral1/memory/1976-186-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\f76f2c8 | f76a841.exe
File created | C:\Windows\f7677cf | f767752.exe
File opened for modification | C:\Windows\SYSTEM.INI | f767752.exe
File created | C:\Windows\f76ca32 | f767926.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f767752.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f767926.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a841.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2308 | f767752.exe
2308 | f767752.exe
1976 | f767926.exe
332 | f76a841.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 43 IoCs
description | pid | Process | procid_target
PID 2892 wrote to memory of 2672 | 2892 | rundll32.exe | 30
PID 2892 wrote to memory of 2672 | 2892 | rundll32.exe | 30
PID 2892 wrote to memory of 2672 | 2892 | rundll32.exe | 30
PID 2892 wrote to memory of 2672 | 2892 | rundll32.exe | 30
PID 2892 wrote to memory of 2672 | 2892 | rundll32.exe | 30
PID 2892 wrote to memory of 2672 | 2892 | rundll32.exe | 30
PID 2892 wrote to memory of 2672 | 2892 | rundll32.exe | 30
PID 2672 wrote to memory of 2308 | 2672 | rundll32.exe | 31
PID 2672 wrote to memory of 2308 | 2672 | rundll32.exe | 31
PID 2672 wrote to memory of 2308 | 2672 | rundll32.exe | 31
PID 2672 wrote to memory of 2308 | 2672 | rundll32.exe | 31
PID 2308 wrote to memory of 1104 | 2308 | f767752.exe | 19
PID 2308 wrote to memory of 1168 | 2308 | f767752.exe | 20
PID 2308 wrote to memory of 1252 | 2308 | f767752.exe | 21
PID 2308 wrote to memory of 1348 | 2308 | f767752.exe | 23
PID 2308 wrote to memory of 2892 | 2308 | f767752.exe | 29
PID 2308 wrote to memory of 2672 | 2308 | f767752.exe | 30
PID 2308 wrote to memory of 2672 | 2308 | f767752.exe | 30
PID 2672 wrote to memory of 1976 | 2672 | rundll32.exe | 32
PID 2672 wrote to memory of 1976 | 2672 | rundll32.exe | 32
PID 2672 wrote to memory of 1976 | 2672 | rundll32.exe | 32
PID 2672 wrote to memory of 1976 | 2672 | rundll32.exe | 32
PID 2308 wrote to memory of 1104 | 2308 | f767752.exe | 19
PID 2308 wrote to memory of 1168 | 2308 | f767752.exe | 20
PID 2308 wrote to memory of 1252 | 2308 | f767752.exe | 21
PID 2308 wrote to memory of 1348 | 2308 | f767752.exe | 23
PID 2308 wrote to memory of 2892 | 2308 | f767752.exe | 29
PID 2308 wrote to memory of 1976 | 2308 | f767752.exe | 32
PID 2308 wrote to memory of 1976 | 2308 | f767752.exe | 32
PID 2672 wrote to memory of 332 | 2672 | rundll32.exe | 33
PID 2672 wrote to memory of 332 | 2672 | rundll32.exe | 33
PID 2672 wrote to memory of 332 | 2672 | rundll32.exe | 33
PID 2672 wrote to memory of 332 | 2672 | rundll32.exe | 33
PID 1976 wrote to memory of 1104 | 1976 | f767926.exe | 19
PID 1976 wrote to memory of 1168 | 1976 | f767926.exe | 20
PID 1976 wrote to memory of 1252 | 1976 | f767926.exe | 21
PID 1976 wrote to memory of 1348 | 1976 | f767926.exe | 23
PID 1976 wrote to memory of 332 | 1976 | f767926.exe | 33
PID 1976 wrote to memory of 332 | 1976 | f767926.exe | 33
PID 332 wrote to memory of 1104 | 332 | f76a841.exe | 19
PID 332 wrote to memory of 1168 | 332 | f76a841.exe | 20
PID 332 wrote to memory of 1252 | 332 | f76a841.exe | 21
PID 332 wrote to memory of 1348 | 332 | f76a841.exe | 23
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a841.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767752.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767926.exe
Processes
(indentation shows the process tree depth; each entry gives image path, command line and PID, with the signatures matched by that process listed beneath it)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1104

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1168

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1252

C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll,#1 | PID:2892
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll,#1 | PID:2672
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f767752.exe | C:\Users\Admin\AppData\Local\Temp\f767752.exe | PID:2308
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f767926.exe | C:\Users\Admin\AppData\Local\Temp\f767926.exe | PID:1976
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f76a841.exe | C:\Users\Admin\AppData\Local\Temp\f76a841.exe | PID:332
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1348
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 5a05ea47a7332c00c7d3c76f3fc7e889
  SHA1: 5b013beb2560f98df2a583635bb633bc8198c2c3
  SHA256: 2791e62b76233e0ec73cbeffaf2fc10e00624816d95cbfc4472e9f6fd8c1f840
  SHA512: 7509badb3b09a113aa4bc35e2e53e284d37029805473816ba53d711edec6cc2855a3f6aac28d4414b6dd8ff3bc85bfd55bdaba0edf5bfdaf28f76861120a72c8
- Filesize: 97KB
  MD5: 8d9158a452f25b00b23bf24c12aba973
  SHA1: 15f6e0d90369baf96915e63824e93505f9cd90f9
  SHA256: 8cdc190d8c5f59844dae0893a10ae105ec03d198da026b157ca217fe29d9cb52
  SHA512: 1a58a02b22bd6549be93f4613915557b8e7553cc2722e51e9af7ecbb88427f8c5eb156cc176fa1c40031cc16e5f2609336b6d846fc6a3120ec97d628259a0366