Analysis

max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 07:27

Static task: static1
Behavioral task: behavioral1
  Sample: 4dcfdf0ce7d6da55cc1e3a3f14ea1f3b6084d21c3c5bf8e2025f1531d1e5d543N.dll
  Resource: win7-20241010-en
General

Target: 4dcfdf0ce7d6da55cc1e3a3f14ea1f3b6084d21c3c5bf8e2025f1531d1e5d543N.dll
Size: 120KB
MD5: 32dd03404f187fe85f6c28ce45f8f4f0
SHA1: 0db8836a58f6aeea8b2c7ddab7f1d3683358fe94
SHA256: 4dcfdf0ce7d6da55cc1e3a3f14ea1f3b6084d21c3c5bf8e2025f1531d1e5d543
SHA512: f4c1b4278f1c8e60af50a0266765371f986af78cccc163f2b4ab16dc486ea62cb32319c909d3170324ab1d721e6a1638fbdca8724576282dc1a1015aeca9526a
SSDEEP: 3072:dAkg9E40udwMoHIdpVmuAvsNkU7LOlbYYX+kBfrC+HqMNoSl:dnbS0HIdnsvsd7qpYYXPVrrLeS
Malware Config

Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Each of e57ac6c.exe, e57ada5.exe and e57d5ce.exe sets these values (int) under
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
  EnableFirewall = "0"
  DoNotAllowExceptions = "0"
  DisableNotifications = "1"

Sality family

UAC bypass (3 IoCs)
Each of e57ac6c.exe, e57ada5.exe and e57d5ce.exe sets the value (int)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (18 IoCs)
Each of e57ac6c.exe, e57ada5.exe and e57d5ce.exe sets these values (int) under
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
  AntiVirusDisableNotify = "1"
  AntiVirusOverride = "1"
  FirewallDisableNotify = "1"
  FirewallOverride = "1"
  UacDisableNotify = "1"
  UpdatesDisableNotify = "1"

Executes dropped EXE (3 IoCs)
  pid   Process
  3732  e57ac6c.exe
  5060  e57ada5.exe
  3932  e57d5ce.exe

Windows security modification (21 IoCs)
Each of e57ac6c.exe, e57ada5.exe and e57d5ce.exe creates the key
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc and sets the same six
Security Center values to "1" that are listed under "Windows security bypass".

Checks whether UAC is enabled (3 IoCs)
The same three EnableLUA = "0" writes listed under "UAC bypass" (one per dropped executable).

Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
e57ac6c.exe opens (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N: and \??\O:.

UPX-packed memory regions (YARA rule: upx, 28 IoCs)
Memory dumps of all three dropped executables match the upx rule; each dumped region is 0x10BA000 bytes long:
  behavioral2/memory/3732-<n>-0x00000000008E0000-0x000000000199A000-memory.dmp  (e57ac6c.exe; 26 dumps, n = 6, 8, 9, 10, 11, 12, 17, 27, 28, 31, 35, 36, 37, 38, 39, 41, 42, 55, 56, 60, 62, 64, 67, 69, 71, 72)
  behavioral2/memory/5060-98-0x0000000000BC0000-0x0000000001C7A000-memory.dmp   (e57ada5.exe)
  behavioral2/memory/3932-130-0x00000000007B0000-0x000000000186A000-memory.dmp  (e57d5ce.exe)

Drops file in Program Files directory (3 IoCs)
e57ac6c.exe opens for modification:
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\7-Zip\7zG.exe

Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\e57ad09      e57ac6c.exe
  File opened for modification  C:\Windows\SYSTEM.INI   e57ac6c.exe
  File created                  C:\Windows\e57fd2c      e57ada5.exe
  File created                  C:\Windows\e58249a      e57d5ce.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe, e57ac6c.exe, e57ada5.exe and e57d5ce.exe.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process      entries
  3732  e57ac6c.exe  4
  3932  e57d5ce.exe  2

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  3732  e57ac6c.exe  (64 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Entries read "PID <source> wrote to memory of <target PID> (<procid_target>)"; identical entries are grouped with their repeat count:
  4864 rundll32.exe -> 1296 (85): 3 times
  1296 rundll32.exe -> 3732 (86): 3 times; 5060 (87): 3 times; 3932 (88): 3 times
  3732 e57ac6c.exe  -> 772 (8), 788 (10), 1020 (13), 2640 (44), 2656 (45), 2804 (49), 3528 (56), 3640 (57), 3828 (58), 3916 (59), 3980 (60), 4080 (61), 3184 (62), 3748 (75), 3612 (76), 2012 (77), 5016 (78), 2300 (83), 4864 (84): 2 times each; 1296 (85): 2 times; 5060 (87): 2 times
  3932 e57d5ce.exe  -> 772 (8), 788 (10), 1020 (13), 2640 (44), 2656 (45), 2804 (49), 3528 (56), 3640 (57), 3828 (58), 3916 (59): once each (the listing ends at its 64th entry)

System policy modification (1 TTPs, 3 IoCs)
The same three EnableLUA = "0" writes listed under "UAC bypass" (one per dropped executable).
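The registry writes in the signatures above (the firewall StandardProfile values, EnableLUA, and the Security Center notification and override flags) are identical for all three dropped executables, which makes them a compact hunting set. The Python below is an added example for this page, not sandbox tooling or code from the sample: it runs a detection over constructed registry-set events in the shape of Sysmon Event ID 13 (the field names pid/image/target/details are assumptions), normalises the \REGISTRY\MACHINE, ControlSet001 and WOW6432Node spellings onto one key form so the same write is recognised whichever way a sensor renders it, and scores per process so that a lone DoNotAllowExceptions = "0" (which is also the Windows default) does not alert by itself.

```python
"""Flag the registry tamper set seen in this report: UAC off (EnableLUA=0), the
Windows Firewall StandardProfile disabled, and Security Center notify/override
flags forced to 1.  Added example; events below are constructed test data."""
import re
from collections import defaultdict

# Normalised key paths (lower-case, HKLM prefix, CurrentControlSet, no WOW6432Node).
FIREWALL_KEY = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile"
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
SECCENTER_KEY = r"hklm\software\microsoft\security center"

# (key, value name) -> (value the malware writes, report signature it maps to)
WATCH = {
    (FIREWALL_KEY, "enablefirewall"): ("0", "Modifies firewall policy service"),
    (FIREWALL_KEY, "donotallowexceptions"): ("0", "Modifies firewall policy service"),
    (FIREWALL_KEY, "disablenotifications"): ("1", "Modifies firewall policy service"),
    (UAC_KEY, "enablelua"): ("0", "UAC bypass"),
}
for _name in ("AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
              "FirewallOverride", "UacDisableNotify", "UpdatesDisableNotify"):
    WATCH[(SECCENTER_KEY, _name.lower())] = ("1", "Windows security bypass")

# A single write of one of these is enough to alert; the others need corroboration.
HIGH_SIGNAL = {"enablelua", "enablefirewall", "antivirusoverride", "firewalloverride"}


def normalise_key(path: str) -> str:
    """Map kernel (\\REGISTRY\\MACHINE), Sysmon (HKLM) and WOW64 spellings onto one form."""
    p = path.strip().lower()
    p = re.sub(r"^\\registry\\machine\\", r"hklm\\", p)
    p = re.sub(r"^hkey_local_machine\\", r"hklm\\", p)
    p = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", p)
    p = p.replace("\\wow6432node\\", "\\")
    return p


def split_target(target: str):
    """'HKLM\\...\\Key\\ValueName' -> (normalised key, lower-case value name)."""
    key, _, name = target.rpartition("\\")
    return normalise_key(key), name.strip().lower()


def parse_details(details: str) -> str:
    """Sysmon renders DWORDs as 'DWORD (0x00000000)'; the report shows '"0"'. Return decimal text."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    if m:
        return str(int(m.group(1), 16))
    return details.strip().strip('"')


def detect(events):
    """Return {pid: [(signature, value_name, value, image), ...]} for watched writes."""
    hits = defaultdict(list)
    for ev in events:
        key, name = split_target(ev["target"])
        want = WATCH.get((key, name))
        if want and parse_details(ev["details"]) == want[0]:
            hits[ev["pid"]].append((want[1], name, want[0], ev["image"]))
    return dict(hits)


def triage(hits, min_hits=2):
    """PIDs worth an alert: any high-signal write, or >= min_hits distinct watched writes.
    min_hits is a tuning knob; security-product installers may need an allowlist."""
    flagged = []
    for pid, rows in hits.items():
        names = {name for _, name, _, _ in rows}
        if names & HIGH_SIGNAL or len(names) >= min_hits:
            flagged.append(pid)
    return sorted(flagged)


# Constructed events (assumed field names). Paths follow the report's IoCs and the PIDs
# its process tree; the svchost.exe rows are benign filler to exercise the scoring.
SAMPLE_EVENTS = [
    {"pid": 3732, "image": "e57ac6c.exe", "details": "DWORD (0x00000000)",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"pid": 3732, "image": "e57ac6c.exe", "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"pid": 3932, "image": "e57d5ce.exe", "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify"},
    {"pid": 3932, "image": "e57d5ce.exe", "details": '"1"',
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify"},
    {"pid": 1234, "image": "svchost.exe", "details": "DWORD (0x00000001)",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"pid": 1234, "image": "svchost.exe", "details": "DWORD (0x00000000)",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid in triage(found):
        for sig, name, value, image in found[pid]:
            print(f"pid {pid} ({image}): {sig}: {name} = {value}")
```

On the constructed input the two dropped executables are flagged (3732 on the high-signal EnableLUA and EnableFirewall writes, 3932 on two notification flags) while svchost.exe, which only re-asserts the default DoNotAllowExceptions = 0, is not. When deploying this against real telemetry, the key normalisation is the part worth keeping: the same tamper is logged as ControlSet001 by a kernel-level sensor and as CurrentControlSet by Sysmon, and as WOW6432Node only when the writer is a 32-bit process on 64-bit Windows, as all three droppers here are.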
Processes

PID 772   C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
PID 788   C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
PID 1020  C:\Windows\system32\dwm.exe
          "dwm.exe"
PID 2640  C:\Windows\system32\sihost.exe
          sihost.exe
PID 2656  C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2804  C:\Windows\system32\taskhostw.exe
          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3528  C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
  PID 4864  C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\4dcfdf0ce7d6da55cc1e3a3f14ea1f3b6084d21c3c5bf8e2025f1531d1e5d543N.dll,#1
            - Suspicious use of WriteProcessMemory
    PID 1296  C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\4dcfdf0ce7d6da55cc1e3a3f14ea1f3b6084d21c3c5bf8e2025f1531d1e5d543N.dll,#1
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
      PID 3732  C:\Users\Admin\AppData\Local\Temp\e57ac6c.exe
                C:\Users\Admin\AppData\Local\Temp\e57ac6c.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
      PID 5060  C:\Users\Admin\AppData\Local\Temp\e57ada5.exe
                C:\Users\Admin\AppData\Local\Temp\e57ada5.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - System policy modification
      PID 3932  C:\Users\Admin\AppData\Local\Temp\e57d5ce.exe
                C:\Users\Admin\AppData\Local\Temp\e57d5ce.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
PID 3640  C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3828  C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3916  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3980  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4080  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3184  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3748  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 3612  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2012  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 5016  C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2300  C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
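The tree above shows the launch chain: a 64-bit rundll32.exe under Explorer loads the sample by export ordinal (,#1), re-launches itself from SysWOW64, and that 32-bit rundll32 starts three executables from %LOCALAPPDATA%\Temp, which then write into the resident system processes listed under "Suspicious use of WriteProcessMemory". The dropped file names (e57ac6c.exe and the others) look run-specific, so a detection should key on location and parentage rather than on name. The Python below is an added example for this page, not sandbox output or code from the sample; its process and write records are constructed to mirror the report (the field names and the record shape are assumptions, loosely following Sysmon process-creation and process-access data) and it reports the chain only when all three stages line up: ordinal rundll32 load from a user-writable path, a child executing from that path, and that child writing into several unrelated C:\Windows processes.

```python
"""Detect the rundll32 -> Temp-resident dropper -> injection fan-out chain from the
report's process tree.  Added example; PROCS and WRITES are constructed test data."""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUNDLL_ORDINAL = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),#\d+", re.I)
SYSTEM_IMAGE = re.compile(r"^c:\\windows\\", re.I)


def rundll32_ordinal_loads(procs):
    """rundll32 invocations that load a DLL from a user-writable Temp path by export ordinal."""
    out = []
    for p in procs:
        m = RUNDLL_ORDINAL.search(p["cmdline"])
        if m and p["image"].lower().endswith("\\rundll32.exe") and USER_WRITABLE.match(m["dll"]):
            out.append((p["pid"], m["dll"]))
    return out


def temp_children(procs, parent_pids):
    """Children of the given PIDs whose image lives in a user-writable Temp directory.
    Matches on location and parent, not on the name: the e57ac6c-style names are per run."""
    return [p["pid"] for p in procs
            if p["ppid"] in parent_pids and USER_WRITABLE.match(p["image"])]


def injection_fanout(writes, procs, min_targets=3):
    """Source PIDs that write into >= min_targets distinct processes whose image is under
    C:\\Windows, ignoring writes into the writer's own children (normal for a parent)."""
    children, image = defaultdict(set), {}
    for p in procs:
        children[p["ppid"]].add(p["pid"])
        image[p["pid"]] = p["image"]
    targets = defaultdict(set)
    for w in writes:
        if w["target"] in children[w["source"]]:
            continue
        if SYSTEM_IMAGE.match(image.get(w["target"], "")):
            targets[w["source"]].add(w["target"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def sality_chain(procs, writes):
    """PIDs that complete the chain: dropped under an ordinal rundll32 load, then fan-out writes."""
    loaders = {pid for pid, _ in rundll32_ordinal_loads(procs)}
    dropped = temp_children(procs, loaders)
    fan = injection_fanout(writes, procs)
    return sorted(pid for pid in dropped if pid in fan)


# Constructed records (assumed field names) mirroring the report's tree; 7zFM.exe is benign filler.
DLL = r"C:\Users\Admin\AppData\Local\Temp\4dcfdf0ce7d6da55cc1e3a3f14ea1f3b6084d21c3c5bf8e2025f1531d1e5d543N.dll"
PROCS = [
    {"pid": 3528, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 772, "ppid": 0, "image": r"C:\Windows\system32\fontdrvhost.exe", "cmdline": "fontdrvhost.exe"},
    {"pid": 1020, "ppid": 0, "image": r"C:\Windows\system32\dwm.exe", "cmdline": "dwm.exe"},
    {"pid": 2640, "ppid": 0, "image": r"C:\Windows\system32\sihost.exe", "cmdline": "sihost.exe"},
    {"pid": 4864, "ppid": 3528, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1296, "ppid": 4864, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 3732, "ppid": 1296, "image": r"C:\Users\Admin\AppData\Local\Temp\e57ac6c.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\e57ac6c.exe"},
    {"pid": 5060, "ppid": 1296, "image": r"C:\Users\Admin\AppData\Local\Temp\e57ada5.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\e57ada5.exe"},
    {"pid": 9001, "ppid": 3528, "image": r"C:\Program Files\7-Zip\7zFM.exe", "cmdline": r"C:\Program Files\7-Zip\7zFM.exe"},
]
WRITES = [
    {"source": 4864, "target": 1296},   # parent -> child, not counted
    {"source": 1296, "target": 3732}, {"source": 1296, "target": 5060},
    {"source": 3732, "target": 772}, {"source": 3732, "target": 1020},
    {"source": 3732, "target": 2640}, {"source": 3732, "target": 3528},
    {"source": 5060, "target": 772},    # a single write stays below the threshold
]

if __name__ == "__main__":
    for pid in sality_chain(PROCS, WRITES):
        print(f"pid {pid}: dropper under ordinal rundll32 load, injects into {injection_fanout(WRITES, PROCS)[pid]}")
```

On the constructed data only 3732 completes the chain; 5060 is a Temp-resident child of the same rundll32 but has a single write and so stays below the fan-out threshold, and the two rundll32 processes are not counted as injectors because their only writes go to their own children. The threshold of three distinct system-process targets is a tuning choice: in the report 3732 writes into nineteen.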
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 4
    Disable or Modify System Firewall (T1562.004): 1
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 5
Downloads

Filesize: 97KB
MD5: d612274d11c32dfc3347e5d75792631c
SHA1: 52d9fce37dcb60c1ad4757d63f81d6aaca7e6e07
SHA256: 974017eb8995f59f0f80e18721492f5f0d6959b561f7e3284e7b2a7424e97c75
SHA512: 52d276279295eac60c27ce2444e932dd2a2b35a4e8099e4eb1d74a16655f0a9e6a8957bba9dbb14b4bd61ec848c2953863a5ca4fc7a6fded73317d1e820b1fc5

Filesize: 257B
MD5: 49fb45be3641349d084fb9f3f0b5ad22
SHA1: 5f2e2b122691ef585ee4a5cf3a1c733012ac6835
SHA256: d1f4e94c773a769844244fdd544a8eaf556e8e575109063f87270339061ff516
SHA512: 43c760002f09fe835ff6189ccce3dccea1d67ff9b39ec1dc6bc9c54dab995b3dde9a535a545747fc48fa6fdd75f601d30f26d41a1df7e0f685daae7ce01dd95f