Analysis

max time kernel: 96s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 03:26
Static task: static1
Behavioral task: behavioral1
Sample: 28a963f9ec554c902f8ec6e33b34b99db13a23a9ebdcf14093459da9b4ba8265N.dll
Resource: win7-20240903-en
General

Target: 28a963f9ec554c902f8ec6e33b34b99db13a23a9ebdcf14093459da9b4ba8265N.dll
Size: 120KB
MD5: f112073658e5d0e542527695f1261450
SHA1: b99bdac4e5a85e284dea2afaf4dfa8b51d0d0971
SHA256: 28a963f9ec554c902f8ec6e33b34b99db13a23a9ebdcf14093459da9b4ba8265
SHA512: d4588abf50e4d61ecb850f9dacf17925e0f27a15e740d30f0031c1e6b50b1876f81b42f111a6c49ccdf97211d2720bca53c99fbd3651617e38cd64784ee39d6a
SSDEEP: 3072:YwTO4enpqie8isWP/Ff3kPJnOMjzwgmm33csFE:nS4cPrG00I0pKE
Malware Config

Extracted family: sality
C2 / payload URLs from the extracted config:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
All values below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.

description | ioc | Process
Set value (int) | DisableNotifications = "1" | e57b45c.exe
Set value (int) | DoNotAllowExceptions = "0" | e5799de.exe
Set value (int) | EnableFirewall = "0" | e579cfb.exe
Set value (int) | DisableNotifications = "1" | e579cfb.exe
Set value (int) | DoNotAllowExceptions = "0" | e57b45c.exe
Set value (int) | EnableFirewall = "0" | e5799de.exe
Set value (int) | DisableNotifications = "1" | e5799de.exe
Set value (int) | DoNotAllowExceptions = "0" | e579cfb.exe
Set value (int) | EnableFirewall = "0" | e57b45c.exe
Sality family

UAC bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5799de.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b45c.exe
Windows security bypass
All values below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center.

description | ioc | Process
Set value (int) | AntiVirusOverride = "1" | e5799de.exe
Set value (int) | AntiVirusDisableNotify = "1" | e579cfb.exe
Set value (int) | AntiVirusDisableNotify = "1" | e5799de.exe
Set value (int) | FirewallDisableNotify = "1" | e5799de.exe
Set value (int) | UacDisableNotify = "1" | e5799de.exe
Set value (int) | UacDisableNotify = "1" | e579cfb.exe
Set value (int) | FirewallDisableNotify = "1" | e57b45c.exe
Set value (int) | FirewallOverride = "1" | e5799de.exe
Set value (int) | UpdatesDisableNotify = "1" | e5799de.exe
Set value (int) | UpdatesDisableNotify = "1" | e579cfb.exe
Set value (int) | UacDisableNotify = "1" | e57b45c.exe
Set value (int) | FirewallOverride = "1" | e57b45c.exe
Set value (int) | UpdatesDisableNotify = "1" | e57b45c.exe
Set value (int) | AntiVirusOverride = "1" | e579cfb.exe
Set value (int) | FirewallDisableNotify = "1" | e579cfb.exe
Set value (int) | FirewallOverride = "1" | e579cfb.exe
Set value (int) | AntiVirusOverride = "1" | e57b45c.exe
Set value (int) | AntiVirusDisableNotify = "1" | e57b45c.exe
Executes dropped EXE (4 IoCs)

pid | Process
2428 | e5799de.exe
1456 | e579cfb.exe
312 | e57b45c.exe
3684 | e57b47b.exe
Windows security modification
All keys and values below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center.

description | ioc | Process
Set value (int) | UpdatesDisableNotify = "1" | e5799de.exe
Set value (int) | UacDisableNotify = "1" | e5799de.exe
Key created | Svc | e5799de.exe
Set value (int) | AntiVirusOverride = "1" | e579cfb.exe
Set value (int) | AntiVirusDisableNotify = "1" | e579cfb.exe
Set value (int) | UpdatesDisableNotify = "1" | e579cfb.exe
Key created | Svc | e57b45c.exe
Set value (int) | FirewallDisableNotify = "1" | e5799de.exe
Set value (int) | FirewallDisableNotify = "1" | e579cfb.exe
Key created | Svc | e579cfb.exe
Set value (int) | AntiVirusOverride = "1" | e57b45c.exe
Set value (int) | UacDisableNotify = "1" | e57b45c.exe
Set value (int) | AntiVirusOverride = "1" | e5799de.exe
Set value (int) | UacDisableNotify = "1" | e579cfb.exe
Set value (int) | AntiVirusDisableNotify = "1" | e57b45c.exe
Set value (int) | AntiVirusDisableNotify = "1" | e5799de.exe
Set value (int) | FirewallOverride = "1" | e579cfb.exe
Set value (int) | FirewallDisableNotify = "1" | e57b45c.exe
Set value (int) | FirewallOverride = "1" | e57b45c.exe
Set value (int) | UpdatesDisableNotify = "1" | e57b45c.exe
Set value (int) | FirewallOverride = "1" | e5799de.exe
Checks whether UAC is enabled

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5799de.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b45c.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\K: | e5799de.exe
File opened (read-only) | \??\M: | e5799de.exe
File opened (read-only) | \??\H: | e5799de.exe
File opened (read-only) | \??\N: | e5799de.exe
File opened (read-only) | \??\P: | e5799de.exe
File opened (read-only) | \??\S: | e5799de.exe
File opened (read-only) | \??\E: | e5799de.exe
File opened (read-only) | \??\G: | e5799de.exe
File opened (read-only) | \??\R: | e5799de.exe
File opened (read-only) | \??\I: | e5799de.exe
File opened (read-only) | \??\J: | e5799de.exe
File opened (read-only) | \??\L: | e5799de.exe
File opened (read-only) | \??\O: | e5799de.exe
File opened (read-only) | \??\Q: | e5799de.exe
UPX packer detected (yara rule "upx" matched in memory dumps)
The same two regions matched repeatedly across successive dumps; the dump indices are collapsed into braces.

resource | yara_rule
behavioral2/memory/2428-{8, 9, 10, 11, 12, 13, 14, 15, 21, 22, 36, 37, 38, 39, 40, 42, 43, 58, 60, 61, 63, 77, 80, 83, 84, 86, 88, 91, 93, 94, 102}-0x00000000007F0000-0x00000000018AA000-memory.dmp (31 dumps, PID 2428 e5799de.exe) | upx
behavioral2/memory/1456-{132, 146}-0x0000000000B60000-0x0000000001C1A000-memory.dmp (2 dumps, PID 1456 e579cfb.exe) | upx
Drops file in Program Files directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5799de.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5799de.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e5799de.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5799de.exe

Drops file in Windows directory (4 IoCs)

description | ioc | Process
File created | C:\Windows\e579a5b | e5799de.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5799de.exe
File created | C:\Windows\e57ec54 | e579cfb.exe
File created | C:\Windows\e5802e9 | e57b45c.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5799de.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579cfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b45c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b47b.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)

pid | Process
2428 | e5799de.exe
2428 | e5799de.exe
2428 | e5799de.exe
2428 | e5799de.exe
1456 | e579cfb.exe
1456 | e579cfb.exe
312 | e57b45c.exe
312 | e57b45c.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2428 | e5799de.exe
(this identical entry is recorded 64 times in the report)
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the last column gives how many times each row appears.

description | pid | Process | procid_target | occurrences
PID 540 wrote to memory of 4884 | 540 | rundll32.exe | 83 | 3
PID 4884 wrote to memory of 2428 | 4884 | rundll32.exe | 84 | 3
PID 2428 wrote to memory of 776 | 2428 | e5799de.exe | 8 | 2
PID 2428 wrote to memory of 780 | 2428 | e5799de.exe | 9 | 2
PID 2428 wrote to memory of 384 | 2428 | e5799de.exe | 13 | 2
PID 2428 wrote to memory of 2964 | 2428 | e5799de.exe | 49 | 2
PID 2428 wrote to memory of 3000 | 2428 | e5799de.exe | 50 | 2
PID 2428 wrote to memory of 692 | 2428 | e5799de.exe | 52 | 2
PID 2428 wrote to memory of 3412 | 2428 | e5799de.exe | 56 | 2
PID 2428 wrote to memory of 3560 | 2428 | e5799de.exe | 57 | 2
PID 2428 wrote to memory of 3752 | 2428 | e5799de.exe | 58 | 2
PID 2428 wrote to memory of 3844 | 2428 | e5799de.exe | 59 | 2
PID 2428 wrote to memory of 3912 | 2428 | e5799de.exe | 60 | 2
PID 2428 wrote to memory of 4024 | 2428 | e5799de.exe | 61 | 2
PID 2428 wrote to memory of 3488 | 2428 | e5799de.exe | 62 | 2
PID 2428 wrote to memory of 3408 | 2428 | e5799de.exe | 74 | 2
PID 2428 wrote to memory of 2256 | 2428 | e5799de.exe | 76 | 2
PID 2428 wrote to memory of 232 | 2428 | e5799de.exe | 81 | 1
PID 2428 wrote to memory of 540 | 2428 | e5799de.exe | 82 | 1
PID 2428 wrote to memory of 4884 | 2428 | e5799de.exe | 83 | 2
PID 4884 wrote to memory of 1456 | 4884 | rundll32.exe | 85 | 3
PID 4884 wrote to memory of 312 | 4884 | rundll32.exe | 86 | 3
PID 4884 wrote to memory of 3684 | 4884 | rundll32.exe | 87 | 3
PID 2428 wrote to memory of 1456 | 2428 | e5799de.exe | 85 | 2
PID 2428 wrote to memory of 312 | 2428 | e5799de.exe | 86 | 2
PID 2428 wrote to memory of 3684 | 2428 | e5799de.exe | 87 | 2
PID 1456 wrote to memory of 776 | 1456 | e579cfb.exe | 8 | 1
PID 1456 wrote to memory of 780 | 1456 | e579cfb.exe | 9 | 1
PID 1456 wrote to memory of 384 | 1456 | e579cfb.exe | 13 | 1
PID 1456 wrote to memory of 2964 | 1456 | e579cfb.exe | 49 | 1
PID 1456 wrote to memory of 3000 | 1456 | e579cfb.exe | 50 | 1
PID 1456 wrote to memory of 692 | 1456 | e579cfb.exe | 52 | 1
PID 1456 wrote to memory of 3412 | 1456 | e579cfb.exe | 56 | 1
PID 1456 wrote to memory of 3560 | 1456 | e579cfb.exe | 57 | 1
PID 1456 wrote to memory of 3752 | 1456 | e579cfb.exe | 58 | 1
System policy modification (1 TTPs, 3 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5799de.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b45c.exe
Processes
Each entry is "image path | command line | PID"; indentation gives the parent/child depth, and the signatures triggered by a process are listed directly beneath it.

- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2964
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3000
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:692
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3412
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\28a963f9ec554c902f8ec6e33b34b99db13a23a9ebdcf14093459da9b4ba8265N.dll,#1 | PID:540
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\28a963f9ec554c902f8ec6e33b34b99db13a23a9ebdcf14093459da9b4ba8265N.dll,#1 | PID:4884
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5799de.exe | C:\Users\Admin\AppData\Local\Temp\e5799de.exe | PID:2428
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e579cfb.exe | C:\Users\Admin\AppData\Local\Temp\e579cfb.exe | PID:1456
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57b45c.exe | C:\Users\Admin\AppData\Local\Temp\e57b45c.exe | PID:312
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57b47b.exe | C:\Users\Admin\AppData\Local\Temp\e57b47b.exe | PID:3684
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3560
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3844
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4024
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3488
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3408
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2256
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:232
Network
MITRE ATT&CK Enterprise v15
(the number in parentheses is the count of matching signatures)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Dropped file 1
Filesize: 97KB
MD5: 6d62a6529866abf7ddd208f56bce9c35
SHA1: f35c87ff14528317cab2b711aa50280465f6bda3
SHA256: 81d296cde2ad078d11248bf02dbad7ff6b750040943462c5c2e4c6faf8d14f93
SHA512: acfc6d33b71ff1ddcf740f2717699eecd3dba21915c3ba327ec22f36d68df6985e930e85ecdd7f545a9515d5ab22907ba369836c5cc58dfc5c1855c024f5978e

Dropped file 2
Filesize: 257B
MD5: 5a725d5ce09a57fc2928d36e4322f17d
SHA1: c29f56e1d3dc3d335fe1c7ee645346d7e53681f1
SHA256: 453774acf124a99cc2e2c44fd22c492f06f555cda0d21992e3c65e75d55b8876
SHA512: e827787aafa0dd0dbb8393a9f6faa1b1e2de745ec609dd9c429b53fb3baf78c6406c6b873937190cc24395b78138303e6e2e4266f6cedc581e3489a652f52f0a