Analysis
max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 08:03
Static task: static1
Behavioral task: behavioral1
Sample: 9f996b054365cbce6af60ffbccc080f6a433a85edfbe32cea007b88b19a809dcN.dll
Resource: win7-20240903-en
General
Target: 9f996b054365cbce6af60ffbccc080f6a433a85edfbe32cea007b88b19a809dcN.dll
Size: 120KB
MD5: 80c73ea0ffcd305d04e7900f37b765f0
SHA1: 17ececc4c9b8e4118c5d5d53a8fc4bb443473ac1
SHA256: 9f996b054365cbce6af60ffbccc080f6a433a85edfbe32cea007b88b19a809dc
SHA512: 72e8a81f24e51236fa7085d908f9959f1ea22e6d28860eecb6595674f682ce14bb4711f1d9b5ae0bc4264e361e274c3b6acf8ff5e8bc2bead0abc6fa7e3dbc9c
SSDEEP: 3072:PCvnBRWoAAMs+c9oWNDf4/PUKPAqKj1zspZV:PW3MszoWVIcLjuV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57ba47.exe
Sality family
UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57974e.exe
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57ba47.exe
Executes dropped EXE 4 IoCs
pid Process
1280 e57974e.exe
1184 e579971.exe
2876 e57ba28.exe
4728 e57ba47.exe
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57ba47.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57974e.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57ba47.exe
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57974e.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57ba47.exe
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\I: e57974e.exe
File opened (read-only) \??\K: e57974e.exe
File opened (read-only) \??\M: e57974e.exe
File opened (read-only) \??\N: e57974e.exe
File opened (read-only) \??\E: e57ba47.exe
File opened (read-only) \??\G: e57ba47.exe
File opened (read-only) \??\H: e57974e.exe
File opened (read-only) \??\G: e57974e.exe
File opened (read-only) \??\J: e57974e.exe
File opened (read-only) \??\L: e57974e.exe
File opened (read-only) \??\O: e57974e.exe
File opened (read-only) \??\H: e57ba47.exe
File opened (read-only) \??\E: e57974e.exe
resource yara_rule
behavioral2/memory/1280-19-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-9-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-11-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-17-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-28-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-32-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-20-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-18-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-10-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-8-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-36-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-37-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-38-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-39-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-40-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-56-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-70-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-72-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-73-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-75-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-76-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-80-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-83-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-84-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/1280-87-0x0000000000810000-0x00000000018CA000-memory.dmp upx
behavioral2/memory/4728-123-0x0000000000B50000-0x0000000001C0A000-memory.dmp upx
behavioral2/memory/4728-161-0x0000000000B50000-0x0000000001C0A000-memory.dmp upx
Drops file in Program Files directory 3 IoCs
description ioc Process
File opened for modification C:\Program Files\7-Zip\7zG.exe e57974e.exe
File opened for modification C:\Program Files\7-Zip\7z.exe e57974e.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe e57974e.exe
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\e5797ea e57974e.exe
File opened for modification C:\Windows\SYSTEM.INI e57974e.exe
File created C:\Windows\e57e908 e57ba47.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57974e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e579971.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57ba28.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57ba47.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
1280 e57974e.exe
1280 e57974e.exe
1280 e57974e.exe
1280 e57974e.exe
4728 e57ba47.exe
4728 e57ba47.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 1280 e57974e.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 524 wrote to memory of 4656 524 rundll32.exe 83
PID 524 wrote to memory of 4656 524 rundll32.exe 83
PID 524 wrote to memory of 4656 524 rundll32.exe 83
PID 4656 wrote to memory of 1280 4656 rundll32.exe 84
PID 4656 wrote to memory of 1280 4656 rundll32.exe 84
PID 4656 wrote to memory of 1280 4656 rundll32.exe 84
PID 1280 wrote to memory of 760 1280 e57974e.exe 8
PID 1280 wrote to memory of 768 1280 e57974e.exe 9
PID 1280 wrote to memory of 316 1280 e57974e.exe 13
PID 1280 wrote to memory of 2476 1280 e57974e.exe 42
PID 1280 wrote to memory of 2492 1280 e57974e.exe 43
PID 1280 wrote to memory of 2616 1280 e57974e.exe 44
PID 1280 wrote to memory of 3492 1280 e57974e.exe 56
PID 1280 wrote to memory of 3656 1280 e57974e.exe 57
PID 1280 wrote to memory of 3840 1280 e57974e.exe 58
PID 1280 wrote to memory of 3932 1280 e57974e.exe 59
PID 1280 wrote to memory of 3992 1280 e57974e.exe 60
PID 1280 wrote to memory of 4076 1280 e57974e.exe 61
PID 1280 wrote to memory of 4164 1280 e57974e.exe 62
PID 1280 wrote to memory of 4544 1280 e57974e.exe 74
PID 1280 wrote to memory of 4260 1280 e57974e.exe 76
PID 1280 wrote to memory of 1944 1280 e57974e.exe 81
PID 1280 wrote to memory of 524 1280 e57974e.exe 82
PID 1280 wrote to memory of 4656 1280 e57974e.exe 83
PID 1280 wrote to memory of 4656 1280 e57974e.exe 83
PID 4656 wrote to memory of 1184 4656 rundll32.exe 85
PID 4656 wrote to memory of 1184 4656 rundll32.exe 85
PID 4656 wrote to memory of 1184 4656 rundll32.exe 85
PID 4656 wrote to memory of 2876 4656 rundll32.exe 86
PID 4656 wrote to memory of 2876 4656 rundll32.exe 86
PID 4656 wrote to memory of 2876 4656 rundll32.exe 86
PID 4656 wrote to memory of 4728 4656 rundll32.exe 87
PID 4656 wrote to memory of 4728 4656 rundll32.exe 87
PID 4656 wrote to memory of 4728 4656 rundll32.exe 87
PID 1280 wrote to memory of 760 1280 e57974e.exe 8
PID 1280 wrote to memory of 768 1280 e57974e.exe 9
PID 1280 wrote to memory of 316 1280 e57974e.exe 13
PID 1280 wrote to memory of 2476 1280 e57974e.exe 42
PID 1280 wrote to memory of 2492 1280 e57974e.exe 43
PID 1280 wrote to memory of 2616 1280 e57974e.exe 44
PID 1280 wrote to memory of 3492 1280 e57974e.exe 56
PID 1280 wrote to memory of 3656 1280 e57974e.exe 57
PID 1280 wrote to memory of 3840 1280 e57974e.exe 58
PID 1280 wrote to memory of 3932 1280 e57974e.exe 59
PID 1280 wrote to memory of 3992 1280 e57974e.exe 60
PID 1280 wrote to memory of 4076 1280 e57974e.exe 61
PID 1280 wrote to memory of 4164 1280 e57974e.exe 62
PID 1280 wrote to memory of 4544 1280 e57974e.exe 74
PID 1280 wrote to memory of 4260 1280 e57974e.exe 76
PID 1280 wrote to memory of 1184 1280 e57974e.exe 85
PID 1280 wrote to memory of 1184 1280 e57974e.exe 85
PID 1280 wrote to memory of 2876 1280 e57974e.exe 86
PID 1280 wrote to memory of 2876 1280 e57974e.exe 86
PID 1280 wrote to memory of 4728 1280 e57974e.exe 87
PID 1280 wrote to memory of 4728 1280 e57974e.exe 87
PID 1280 wrote to memory of 1380 1280 e57974e.exe 88
PID 4728 wrote to memory of 760 4728 e57ba47.exe 8
PID 4728 wrote to memory of 768 4728 e57ba47.exe 9
PID 4728 wrote to memory of 316 4728 e57ba47.exe 13
PID 4728 wrote to memory of 2476 4728 e57ba47.exe 42
PID 4728 wrote to memory of 2492 4728 e57ba47.exe 43
PID 4728 wrote to memory of 2616 4728 e57ba47.exe 44
PID 4728 wrote to memory of 3492 4728 e57ba47.exe 56
PID 4728 wrote to memory of 3656 4728 e57ba47.exe 57
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57ba47.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57974e.exe
Processes
C:\Windows\system32\fontdrvhost.exe (PID 760)
  cmd: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe (PID 768)
  cmd: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe (PID 316)
  cmd: "dwm.exe"
C:\Windows\system32\sihost.exe (PID 2476)
  cmd: sihost.exe
C:\Windows\system32\svchost.exe (PID 2492)
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe (PID 2616)
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE (PID 3492)
  cmd: C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe (PID 524)
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f996b054365cbce6af60ffbccc080f6a433a85edfbe32cea007b88b19a809dcN.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 4656)
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f996b054365cbce6af60ffbccc080f6a433a85edfbe32cea007b88b19a809dcN.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57974e.exe (PID 1280)
        cmd: C:\Users\Admin\AppData\Local\Temp\e57974e.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e579971.exe (PID 1184)
        cmd: C:\Users\Admin\AppData\Local\Temp\e579971.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57ba28.exe (PID 2876)
        cmd: C:\Users\Admin\AppData\Local\Temp\e57ba28.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57ba47.exe (PID 4728)
        cmd: C:\Users\Admin\AppData\Local\Temp\e57ba47.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe (PID 3656)
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (PID 3840)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3932)
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe (PID 3992)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4076)
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe (PID 4164)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 4544)
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe (PID 4260)
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe (PID 1944)
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe (PID 1380)
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: d5eb20b07892a946b2fc4c7b54afcb0d
SHA1: 0a52ab010e0aa3e2987297c29f4ab8e70fa6e8f3
SHA256: 03bf624afb936e88b47be3faaa3dd2e4159be80fbd5f14822a38cb9e2eec7a58
SHA512: d5002530df8fbc3b9f93e61ab03c49170aa3c11a945fc7d041df4811c1c5cdc230e3052f5b37572129f80c5090c7dbc7bfec64ea1ca5a850b082e384ac7c7479
Filesize: 257B
MD5: 705a2a3ee4243d2b805c34ba70fd47f4
SHA1: db86d35aaaee79a541b2c400ca9f4bb317342453
SHA256: cedbc355cb50e7d523693a5a8589e364bfe8312a3eff72b3f40f47a702c5453f
SHA512: 3d772f32e8a1b80b38ec7151c6e08c9b61b80ea2ccc36bc44f5f9f059c6ce692b849d4ee4ec667d01d8742b4306ffb41a547d66347813d766895e7fcf5d0fdd5