Analysis
max time kernel: 37s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 08:29
Static task: static1
Behavioral task: behavioral1
Sample: 05aa9ee664e69fcf012d23f546b3f48c140b688c93c22a47cdae2a5121806abaN.dll
Resource: win7-20240903-en
General
Target: 05aa9ee664e69fcf012d23f546b3f48c140b688c93c22a47cdae2a5121806abaN.dll
Size: 120KB
MD5: 0b803c458c6967d987b849a934426ff0
SHA1: c318baa55beeb298e4fe0282ca3e1616db2d9831
SHA256: 05aa9ee664e69fcf012d23f546b3f48c140b688c93c22a47cdae2a5121806aba
SHA512: 8f0e558cfc72104264779418f156aff4078813c4010fbcff4ee03d749d35e8259caa2667df2ae8109837e78aeed9811aefa70cd01cdf58d8e7a002d292a3563d
SSDEEP: 3072:3bXdAKYuDJinnuBaAeVQc9JnO3MbzRGZEXg:3DdAKvDJinHJVvnEMMZEw
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f1fd.exe

Sality family

UAC bypass (3 IoCs; signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b970.exe

Windows security bypass (18 IoCs; signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b970.exe
Executes dropped EXE (3 IoCs)
pid | Process
2212 | f76b79c.exe
2900 | f76b970.exe
2948 | f76f1fd.exe

Loads dropped DLL (6 IoCs)
pid | Process
1736 | rundll32.exe (6 load events)

Windows security modification (21 IoCs; signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b79c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f1fd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f1fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b970.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b970.exe

Checks whether UAC is enabled (3 IoCs; signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f1fd.exe
Enumerates connected drives (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (15 drive letters) | f76b79c.exe
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J: (5 drive letters) | f76f1fd.exe

Yara rule match: upx (31 memory dumps)
resource | yara_rule
behavioral1/memory/2212-N-0x00000000006E0000-0x000000000179A000-memory.dmp for N in 14, 16, 17, 18, 19, 20, 21, 22, 23, 24, 40, 63, 64, 65, 66, 67, 69, 70, 71, 72, 75, 76, 92, 93, 95, 97, 100, 101, 150 (29 dumps of PID 2212, all of the same 0x10BA000-byte region) | upx
behavioral1/memory/2900-N-0x00000000009B0000-0x0000000001A6A000-memory.dmp for N in 176, 202 (2 dumps of PID 2900, a region of the same 0x10BA000-byte size) | upx
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\f76b819 | f76b79c.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76b79c.exe
File created | C:\Windows\f770b95 | f76b970.exe
File created | C:\Windows\f7721b4 | f76f1fd.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b79c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b970.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f1fd.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
2212 | f76b79c.exe (2 events)
2900 | f76b970.exe
2948 | f76f1fd.exe (2 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Every row is Token: SeDebugPrivilege; the 64 rows collapse to three processes, each enabling the privilege repeatedly:
Token: SeDebugPrivilege | 2212 | f76b79c.exe
Token: SeDebugPrivilege | 2900 | f76b970.exe
Token: SeDebugPrivilege | 2948 | f76f1fd.exe

Suspicious use of WriteProcessMemory (47 IoCs)
description | pid | Process | procid_target
Rows are in the order logged; "xN" marks consecutive identical rows.
PID 1992 wrote to memory of 1736 | 1992 | rundll32.exe | 30 (x7)
PID 1736 wrote to memory of 2212 | 1736 | rundll32.exe | 31 (x4)
PID 2212 wrote to memory of 1100 | 2212 | f76b79c.exe | 19
PID 2212 wrote to memory of 1160 | 2212 | f76b79c.exe | 20
PID 2212 wrote to memory of 1188 | 2212 | f76b79c.exe | 21
PID 2212 wrote to memory of 1440 | 2212 | f76b79c.exe | 23
PID 2212 wrote to memory of 1992 | 2212 | f76b79c.exe | 29
PID 2212 wrote to memory of 1736 | 2212 | f76b79c.exe | 30 (x2)
PID 1736 wrote to memory of 2900 | 1736 | rundll32.exe | 32 (x4)
PID 2212 wrote to memory of 1100 | 2212 | f76b79c.exe | 19
PID 2212 wrote to memory of 1160 | 2212 | f76b79c.exe | 20
PID 2212 wrote to memory of 1188 | 2212 | f76b79c.exe | 21
PID 2212 wrote to memory of 1440 | 2212 | f76b79c.exe | 23
PID 2212 wrote to memory of 1992 | 2212 | f76b79c.exe | 29
PID 2212 wrote to memory of 2900 | 2212 | f76b79c.exe | 32 (x2)
PID 1736 wrote to memory of 2948 | 1736 | rundll32.exe | 34 (x4)
PID 2900 wrote to memory of 1100 | 2900 | f76b970.exe | 19
PID 2900 wrote to memory of 1160 | 2900 | f76b970.exe | 20
PID 2900 wrote to memory of 1188 | 2900 | f76b970.exe | 21
PID 2900 wrote to memory of 1440 | 2900 | f76b970.exe | 23
PID 2900 wrote to memory of 2948 | 2900 | f76b970.exe | 34 (x2)
PID 2948 wrote to memory of 1100 | 2948 | f76f1fd.exe | 19
PID 2948 wrote to memory of 1160 | 2948 | f76f1fd.exe | 20
PID 2948 wrote to memory of 1188 | 2948 | f76f1fd.exe | 21
PID 2948 wrote to memory of 1440 | 2948 | f76f1fd.exe | 23
PID 2948 wrote to memory of 1100 | 2948 | f76f1fd.exe | 19
PID 2948 wrote to memory of 1160 | 2948 | f76f1fd.exe | 20
PID 2948 wrote to memory of 1188 | 2948 | f76f1fd.exe | 21
PID 2948 wrote to memory of 1440 | 2948 | f76f1fd.exe | 23

System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b79c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b970.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f1fd.exe
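The registry rows in the signature tables above are the actionable part of this report: every one is a value that can be read back on a live host. The script below is an added example (it is not part of the sandbox report and not code from the Sality sample). It parses rows in the report's own row format, maps the kernel object paths the sandbox logs (\REGISTRY\MACHINE\..., ControlSet001) onto the HKLM\...\CurrentControlSet names that reg.exe and EDR queries use, and flags the values whose data puts a control into its disabled state. SAMPLE_ROWS is constructed from the tables above plus one benign row; the RULES table, the ATT&CK labels and the setup.exe process name are this example's own assumptions, not the sandbox's mapping.

```python
"""Turn registry IoC rows from a sandbox report into a defense-impairment hunt list.

Added example: not part of the report and not code from the sample. The row format
is the report's ("Set value (int) <key>\\<name> = "<data>" <process>" and
"Key created <key> <process>"); SAMPLE_ROWS are constructed from it; RULES and the
ATT&CK labels are this example's own mapping.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: six rows copied from the report's tables plus one benign row
# (AntiVirusOverride reset to "0" by a made-up setup.exe) to show it is not flagged.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76f1fd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76b79c.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76b970.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76b79c.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76f1fd.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76b79c.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" setup.exe',
]

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key (?P<op>created|opened) (?P<path>.+) (?P<proc>\S+)$')
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}

# (key suffix, value name, data that impairs the control, technique label).
# Data is compared as the decimal string the sandbox logs for "(int)" values.
RULES = [
    ("FirewallPolicy\\StandardProfile", "EnableFirewall", "0", "T1562.004 Disable or Modify System Firewall"),
    ("FirewallPolicy\\StandardProfile", "DoNotAllowExceptions", "0", "T1562.004 Disable or Modify System Firewall"),
    ("FirewallPolicy\\StandardProfile", "DisableNotifications", "1", "T1562.004 Disable or Modify System Firewall"),
    ("Policies\\System", "EnableLUA", "0", "T1548.002 Bypass User Account Control"),
] + [
    ("Microsoft\\Security Center", name, "1", "T1562.001 Disable or Modify Tools")
    for name in ("AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                 "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify")
]


@dataclass(frozen=True)
class RegEvent:
    op: str               # "set", "key_created" or "key_opened"
    key: str              # normalized key path, e.g. HKLM\SOFTWARE\...
    name: Optional[str]   # value name ("set" events only)
    data: Optional[str]   # value data as logged ("set" events only)
    process: str


@dataclass(frozen=True)
class Finding:
    technique: str
    event: RegEvent


def normalize_key(path: str) -> str:
    """\\REGISTRY\\MACHINE\\... -> HKLM\\..., and ControlSetNNN -> CurrentControlSet."""
    for prefix, hive in HIVES.items():
        if path.upper().startswith(prefix):
            path = hive + path[len(prefix):]
            break
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, count=1)


def parse_row(row: str) -> Optional[RegEvent]:
    """One report row -> RegEvent, or None for rows in another format."""
    m = SET_RE.match(row)
    if m:
        key, _, name = m.group("path").rpartition("\\")
        return RegEvent("set", normalize_key(key), name, m.group("data"), m.group("proc"))
    m = KEY_RE.match(row)
    if m:
        return RegEvent("key_" + m.group("op"), normalize_key(m.group("path")), None, None, m.group("proc"))
    return None


def classify(ev: RegEvent) -> Optional[str]:
    """Technique label if the write puts a control into its impaired state, else None."""
    if ev.op != "set":
        return None
    for suffix, name, bad_data, technique in RULES:
        if (ev.key.lower().endswith(suffix.lower())
                and ev.name.lower() == name.lower() and ev.data == bad_data):
            return technique
    return None


def hunt(rows: List[str]) -> List[Finding]:
    findings = []
    for row in rows:
        ev = parse_row(row)
        if ev is not None:
            technique = classify(ev)
            if technique:
                findings.append(Finding(technique, ev))
    return findings


def wow64_views(key: str) -> List[str]:
    """The sample ran as a 32-bit process, so on x64 its HKLM\\SOFTWARE writes were
    redirected to Wow6432Node (which is why the report shows that path); the 64-bit
    Security Center service reads the native key. Return observed path plus native one."""
    native = key.replace("\\Wow6432Node", "")
    return [key] if native == key else [key, native]


def reg_query(ev: RegEvent) -> str:
    """reg.exe command that reads the same value back on a live host."""
    return f'reg query "{ev.key}" /v {ev.name}'


if __name__ == "__main__":
    for f in hunt(SAMPLE_ROWS):
        print(f"{f.technique:45} {f.event.process:12} {reg_query(f.event)}")
        for view in wow64_views(f.event.key)[1:]:
            print(f"{'':45} {'':12} also check native view: {view}")
```

The Wow6432Node point is the caveat worth carrying into a hunt: the Security Center values the sample set live under the redirected 32-bit view, so a query against the native HKLM\SOFTWARE\Microsoft\Security Center key alone will report the host as clean. Check both views, and treat any of these values in its impaired state as a finding regardless of which process wrote it.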
Processes
[depth 1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID 1100
[depth 1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID 1160
[depth 1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID 1188
[depth 2] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05aa9ee664e69fcf012d23f546b3f48c140b688c93c22a47cdae2a5121806abaN.dll,#1
    PID 1992
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05aa9ee664e69fcf012d23f546b3f48c140b688c93c22a47cdae2a5121806abaN.dll,#1
        PID 1736
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f76b79c.exe
            command line: C:\Users\Admin\AppData\Local\Temp\f76b79c.exe
            PID 2212
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f76b970.exe
            command line: C:\Users\Admin\AppData\Local\Temp\f76b970.exe
            PID 2900
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f76f1fd.exe
            command line: C:\Users\Admin\AppData\Local\Temp\f76f1fd.exe
            PID 2948
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
[depth 1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID 1440
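Read together, the WriteProcessMemory rows and the process tree above describe the sample's injection pattern: the two rundll32 hosts write into the children they spawn, the dropped executables write back into their rundll32 hosts and into each other, and all three dropped executables write into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, none of which belong to the sample's lineage. The script below is an added example (not part of the report) that separates those cases mechanically: it parses rows in the report's "PID X wrote to memory of Y" format, walks the parent chain from the tree, and sorts each write into parent-to-child (expected during process creation), into-ancestor, into-sibling, or into an unrelated pre-existing process, which is the injection signal. PROCESS_TREE carries the PIDs, images and parents from the tree above; SAMPLE_WRITES is a constructed, de-duplicated subset of the report's rows; the four category names are this example's own.

```python
"""Classify the cross-process memory writes a sandbox logged, using the process tree.

Added example: not part of the report. PROCESS_TREE is the report's process list
(PID, image, parent), SAMPLE_WRITES is a constructed, de-duplicated subset of its
"Suspicious use of WriteProcessMemory" rows, and the four categories are this
example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# pid -> (image, parent pid); None marks a parent outside the captured tree.
PROCESS_TREE: Dict[int, Tuple[str, Optional[int]]] = {
    1100: ("taskhost.exe", None),
    1160: ("Dwm.exe", None),
    1188: ("Explorer.EXE", None),
    1440: ("DllHost.exe", None),
    1992: ("rundll32.exe", None),   # system32 host started with the sample DLL
    1736: ("rundll32.exe", 1992),   # SysWOW64 host (a 64-bit rundll32 re-launches for a 32-bit DLL)
    2212: ("f76b79c.exe", 1736),
    2900: ("f76b970.exe", 1736),
    2948: ("f76f1fd.exe", 1736),
}
SAMPLE_ROOT = 1992  # root of the sample's lineage

# Constructed subset of the report's rows: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
SAMPLE_WRITES = [
    "PID 1992 wrote to memory of 1736 1992 rundll32.exe 30",
    "PID 1736 wrote to memory of 2212 1736 rundll32.exe 31",
    "PID 2212 wrote to memory of 1100 2212 f76b79c.exe 19",
    "PID 2212 wrote to memory of 1188 2212 f76b79c.exe 21",
    "PID 2212 wrote to memory of 1992 2212 f76b79c.exe 29",
    "PID 2212 wrote to memory of 1736 2212 f76b79c.exe 30",
    "PID 2212 wrote to memory of 2900 2212 f76b79c.exe 32",
    "PID 2900 wrote to memory of 1440 2900 f76b970.exe 23",
    "PID 2948 wrote to memory of 1160 2948 f76f1fd.exe 20",
]

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$"
)

CATEGORIES = ("parent_to_child", "into_ancestor", "into_sibling", "into_unrelated")


def parse_write(row: str) -> Optional[Tuple[int, int]]:
    """(src pid, dst pid) for a well-formed row, None otherwise (the repeated src must agree)."""
    m = WRITE_RE.match(row)
    return (int(m.group("src")), int(m.group("dst"))) if m else None


def ancestors(pid: int, tree: Dict[int, Tuple[str, Optional[int]]]) -> List[int]:
    """Parent chain of pid, nearest first, stopping at a parent outside the tree."""
    chain = []
    parent = tree.get(pid, ("", None))[1]
    while parent is not None:
        chain.append(parent)
        parent = tree.get(parent, ("", None))[1]
    return chain


def classify_write(src: int, dst: int, tree, root: int) -> str:
    if tree.get(dst, ("", None))[1] == src:
        return "parent_to_child"   # expected: a parent writes the startup data of a child it creates
    if dst in ancestors(src, tree):
        return "into_ancestor"     # dropped exe writing into the rundll32 hosts that loaded the DLL
    if dst == root or root in ancestors(dst, tree):
        return "into_sibling"      # another dropped executable of the same sample
    return "into_unrelated"        # pre-existing process outside the sample's lineage


def summarize(rows: List[str], tree, root: int) -> Dict[str, List[Tuple[int, int, str]]]:
    """Category -> list of (src, dst, dst image) for every parseable row."""
    summary = {c: [] for c in CATEGORIES}
    for row in rows:
        pair = parse_write(row)
        if pair is None:
            continue
        src, dst = pair
        dst_image = tree.get(dst, ("<unknown>", None))[0]
        summary[classify_write(src, dst, tree, root)].append((src, dst, dst_image))
    return summary


def injected_system_processes(rows: List[str], tree, root: int) -> List[str]:
    """Images of processes outside the sample's lineage that received memory writes."""
    return sorted({img for _, _, img in summarize(rows, tree, root)["into_unrelated"]})


if __name__ == "__main__":
    for category, writes in summarize(SAMPLE_WRITES, PROCESS_TREE, SAMPLE_ROOT).items():
        print(f"{category:16} {len(writes)} write(s)")
        for src, dst, img in writes:
            print(f"    {src} -> {dst} ({img})")
    print("injected:", ", ".join(injected_system_processes(SAMPLE_WRITES, PROCESS_TREE, SAMPLE_ROOT)))
```

The into_unrelated bucket is the one to alert on: a freshly dropped executable writing into explorer, dwm or taskhost has no benign explanation, whereas the parent-to-child writes appear in every sandbox run and should not raise the score on their own.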
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Impair Defenses (T1562): 4
  - Disable or Modify System Firewall (T1562.004): 1
  - Disable or Modify Tools (T1562.001): 3
- Modify Registry (T1112): 5
Downloads
Download 1
Filesize: 257B
MD5: a0437051c2ddc61b20db4f667cf504a5
SHA1: 1b5b323cdbe6b378ad6540155bb337c06e2dc479
SHA256: 44f79dca5488736db0d2fbbfd7c6098d16d97bd9a3535d5f4f081bac166feba6
SHA512: cbf436dbed78e8774045ebcf2383c469b0677f19e66db11188fb76766dd1b842efbccdb4306e242c2557b99db8f775feb01129b9f50673abc5419adffbfcb1e4

Download 2
Filesize: 97KB
MD5: ba78315a1ca93faabf5cd65ae1d6f0e9
SHA1: 5ced80dd8aa8e683beae366dba243fc48506e25b
SHA256: e1877f3c7ced1e152e1685748ff31cb4c8692e0e56d8b9c24efe88dc253910c9
SHA512: e89ac2d98fc950d29050e3a2c7ac6f9df8d25bd58f5c13ba6d53205501ae048a7d1a2b0b27546305d4661abe6195e3132e95b5118d78e037845b455ecf4b13e2