Analysis
max time kernel: 97s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 01:02
Static task: static1
Behavioral task: behavioral1
Sample: d993ebbe613070f022c8a8dd55b5289019178705bbd5e1bd7289a7921ce5b915N.dll
Resource: win7-20240903-en
General
Target: d993ebbe613070f022c8a8dd55b5289019178705bbd5e1bd7289a7921ce5b915N.dll
Size: 120KB
MD5: 799d3552efaf26235197881240893320
SHA1: 150ee98dba41aad7bfe19bd6472e2125ae6fecaf
SHA256: d993ebbe613070f022c8a8dd55b5289019178705bbd5e1bd7289a7921ce5b915
SHA512: b631a1c738404dced4eabae20c27d1747793e7476e0e10b76d88d97ccba53b3225c99fef8e2455b697616603ada36bc2c5292031e1788810997c7cb9d2b56a69
SSDEEP: 3072:G4u8HLdrNYDsVNug1jyymKQqWg2K8ERKV:G6HLdrNvl1mwWg2BRV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bb70.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e5cc.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb70.exe
Executes dropped EXE (4 IoCs)
pid | Process
4256 | e57bb70.exe
2324 | e57bce7.exe
3920 | e57e5cc.exe
3996 | e57e5dc.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e5cc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e5cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb70.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e5cc.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57bb70.exe
File opened (read-only) | \??\H: | e57bb70.exe
File opened (read-only) | \??\I: | e57bb70.exe
File opened (read-only) | \??\L: | e57bb70.exe
File opened (read-only) | \??\E: | e57e5cc.exe
File opened (read-only) | \??\H: | e57e5cc.exe
File opened (read-only) | \??\I: | e57e5cc.exe
File opened (read-only) | \??\J: | e57e5cc.exe
File opened (read-only) | \??\E: | e57bb70.exe
File opened (read-only) | \??\J: | e57bb70.exe
File opened (read-only) | \??\K: | e57bb70.exe
File opened (read-only) | \??\M: | e57bb70.exe
File opened (read-only) | \??\G: | e57e5cc.exe
resource | yara_rule
behavioral2/memory/4256-6-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-11-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-10-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-9-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-8-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-25-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-30-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-12-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-32-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-33-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-35-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-34-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-36-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-37-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-38-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-57-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-58-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-59-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-60-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-62-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-64-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-66-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-73-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-75-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/4256-74-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/3920-103-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3920-115-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3920-159-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57bb70.exe
File created | C:\Windows\e580d2a | e57e5cc.exe
File created | C:\Windows\e57bbde | e57bb70.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb70.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bce7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e5cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e5dc.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4256 | e57bb70.exe
4256 | e57bb70.exe
4256 | e57bb70.exe
4256 | e57bb70.exe
3920 | e57e5cc.exe
3920 | e57e5cc.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4256 | e57bb70.exe   (this same entry is listed 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target   ((xN) marks consecutive identical entries)
PID 3136 wrote to memory of 4388 | 3136 | rundll32.exe | 84 (x3)
PID 4388 wrote to memory of 4256 | 4388 | rundll32.exe | 85 (x3)
PID 4256 wrote to memory of 764 | 4256 | e57bb70.exe | 8
PID 4256 wrote to memory of 772 | 4256 | e57bb70.exe | 9
PID 4256 wrote to memory of 1012 | 4256 | e57bb70.exe | 13
PID 4256 wrote to memory of 2784 | 4256 | e57bb70.exe | 50
PID 4256 wrote to memory of 760 | 4256 | e57bb70.exe | 51
PID 4256 wrote to memory of 3100 | 4256 | e57bb70.exe | 52
PID 4256 wrote to memory of 3440 | 4256 | e57bb70.exe | 56
PID 4256 wrote to memory of 3552 | 4256 | e57bb70.exe | 57
PID 4256 wrote to memory of 3760 | 4256 | e57bb70.exe | 58
PID 4256 wrote to memory of 3872 | 4256 | e57bb70.exe | 59
PID 4256 wrote to memory of 3936 | 4256 | e57bb70.exe | 60
PID 4256 wrote to memory of 4032 | 4256 | e57bb70.exe | 61
PID 4256 wrote to memory of 2236 | 4256 | e57bb70.exe | 62
PID 4256 wrote to memory of 4188 | 4256 | e57bb70.exe | 64
PID 4256 wrote to memory of 4628 | 4256 | e57bb70.exe | 74
PID 4256 wrote to memory of 2716 | 4256 | e57bb70.exe | 77
PID 4256 wrote to memory of 4228 | 4256 | e57bb70.exe | 82
PID 4256 wrote to memory of 3136 | 4256 | e57bb70.exe | 83
PID 4256 wrote to memory of 4388 | 4256 | e57bb70.exe | 84 (x2)
PID 4388 wrote to memory of 2324 | 4388 | rundll32.exe | 86 (x3)
PID 4256 wrote to memory of 764 | 4256 | e57bb70.exe | 8
PID 4256 wrote to memory of 772 | 4256 | e57bb70.exe | 9
PID 4256 wrote to memory of 1012 | 4256 | e57bb70.exe | 13
PID 4256 wrote to memory of 2784 | 4256 | e57bb70.exe | 50
PID 4256 wrote to memory of 760 | 4256 | e57bb70.exe | 51
PID 4256 wrote to memory of 3100 | 4256 | e57bb70.exe | 52
PID 4256 wrote to memory of 3440 | 4256 | e57bb70.exe | 56
PID 4256 wrote to memory of 3552 | 4256 | e57bb70.exe | 57
PID 4256 wrote to memory of 3760 | 4256 | e57bb70.exe | 58
PID 4256 wrote to memory of 3872 | 4256 | e57bb70.exe | 59
PID 4256 wrote to memory of 3936 | 4256 | e57bb70.exe | 60
PID 4256 wrote to memory of 4032 | 4256 | e57bb70.exe | 61
PID 4256 wrote to memory of 2236 | 4256 | e57bb70.exe | 62
PID 4256 wrote to memory of 4188 | 4256 | e57bb70.exe | 64
PID 4256 wrote to memory of 4628 | 4256 | e57bb70.exe | 74
PID 4256 wrote to memory of 2716 | 4256 | e57bb70.exe | 77
PID 4256 wrote to memory of 4228 | 4256 | e57bb70.exe | 82
PID 4256 wrote to memory of 3136 | 4256 | e57bb70.exe | 83
PID 4256 wrote to memory of 2324 | 4256 | e57bb70.exe | 86 (x2)
PID 4388 wrote to memory of 3920 | 4388 | rundll32.exe | 87 (x3)
PID 4388 wrote to memory of 3996 | 4388 | rundll32.exe | 88 (x3)
PID 3920 wrote to memory of 764 | 3920 | e57e5cc.exe | 8
PID 3920 wrote to memory of 772 | 3920 | e57e5cc.exe | 9
PID 3920 wrote to memory of 1012 | 3920 | e57e5cc.exe | 13
PID 3920 wrote to memory of 2784 | 3920 | e57e5cc.exe | 50
PID 3920 wrote to memory of 760 | 3920 | e57e5cc.exe | 51
PID 3920 wrote to memory of 3100 | 3920 | e57e5cc.exe | 52
PID 3920 wrote to memory of 3440 | 3920 | e57e5cc.exe | 56
PID 3920 wrote to memory of 3552 | 3920 | e57e5cc.exe | 57
PID 3920 wrote to memory of 3760 | 3920 | e57e5cc.exe | 58
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e5cc.exe
Processes
(image | command line | PID; indentation shows parent/child depth in the process tree)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:764
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1012
C:\Windows\system32\sihost.exe | sihost.exe | PID:2784
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:760
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3100
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3440
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d993ebbe613070f022c8a8dd55b5289019178705bbd5e1bd7289a7921ce5b915N.dll,#1 | PID:3136
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d993ebbe613070f022c8a8dd55b5289019178705bbd5e1bd7289a7921ce5b915N.dll,#1 | PID:4388
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57bb70.exe | C:\Users\Admin\AppData\Local\Temp\e57bb70.exe | PID:4256
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57bce7.exe | C:\Users\Admin\AppData\Local\Temp\e57bce7.exe | PID:2324
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57e5cc.exe | C:\Users\Admin\AppData\Local\Temp\e57e5cc.exe | PID:3920
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57e5dc.exe | C:\Users\Admin\AppData\Local\Temp\e57e5dc.exe | PID:3996
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3552
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3760
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3872
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3936
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4032
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2236
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4188
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4628
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2716
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4228
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: d622eb36c799a34a7f54d0d3ba729b27
SHA1: 5fddabd6f2c7782ddb4db5d08e1b9231c4cd81a7
SHA256: 1b654ff8c74bb239b2c30a91b0cbea02861975ba17d2a09f1a83d8f5205b087a
SHA512: 537decd6600f2126d294d867a27c99d14cb16d2ae1a0ba4b26646407763717facfaadfe2d933c50d15ea9bb8753995930d4df906b6b6ce8e0cd969a0f7655520

Filesize: 257B
MD5: 9e6d9f55ae296a135497a1722ddd79c3
SHA1: bb120f03df7ef505a74c0f067dc280a32a1094a5
SHA256: a7db34493c388eba57da9ba001ac217868cb8485442c8fe9ec82357f99d9ffd3
SHA512: 23f44c138a28e803f02633b9b7f999d2cef98e5c6bcd0fcf18d86ede2404f1714b147b4efc408180085122bf4d52cbf2e55870a568e12b9faf206d7a881f1709