Analysis

max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 08:34

Static task: static1
Behavioral task: behavioral1
Sample: 1396e434ab54c2abed881d42bdc937b109cbcc1ee41e72daf4b797288ac687d2N.dll
Resource: win7-20241010-en
General

Target: 1396e434ab54c2abed881d42bdc937b109cbcc1ee41e72daf4b797288ac687d2N.dll
Size: 120KB
MD5: d151334fccf5c0e6377315092b312520
SHA1: 40bf2abe83422b09a2568ab23ee44f05da015f6d
SHA256: 1396e434ab54c2abed881d42bdc937b109cbcc1ee41e72daf4b797288ac687d2
SHA512: 4fb55ad56eec888921456fbf4c422d86c55d5667012fc4fd8e0b08c1f40d4ec4cf4cf4bbd674bceafd0df88f493c803cce91f2106bc2d9471290b7e758d35634
SSDEEP: 1536:e2hDLqYtgmMemiIdy1Ri+fctRUs27DSZCTJDPsb0Ta/HvlUFfSvgNfpxu1qBNEB6:eGVUjSi+fM27uZAyrHvlUFfeg0kNEB6
Malware Config

Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
All values are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
  Set value (int) DisableNotifications = "1"   e57b621.exe
  Set value (int) EnableFirewall = "0"         e579ac9.exe
  Set value (int) DoNotAllowExceptions = "0"   e579ac9.exe
  Set value (int) DisableNotifications = "1"   e579ac9.exe
  Set value (int) EnableFirewall = "0"         e57b621.exe
  Set value (int) DoNotAllowExceptions = "0"   e57b621.exe

Sality family
UAC bypass (2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e579ac9.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e57b621.exe

Windows security bypass (12 IoCs)
All values are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center; each of e579ac9.exe and e57b621.exe sets all six of them to "1":
  Set value (int) AntiVirusDisableNotify = "1"
  Set value (int) AntiVirusOverride = "1"
  Set value (int) FirewallDisableNotify = "1"
  Set value (int) FirewallOverride = "1"
  Set value (int) UacDisableNotify = "1"
  Set value (int) UpdatesDisableNotify = "1"

Executes dropped EXE (3 IoCs)
  PID 1976   e579ac9.exe
  PID 4756   e579c6f.exe
  PID 3784   e57b621.exe

Windows security modification (14 IoCs)
The same twelve Security Center writes listed under "Windows security bypass", plus one key creation per process:
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc   e579ac9.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc   e57b621.exe

Checks whether UAC is enabled (2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e57b621.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e579ac9.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by e579ac9.exe: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S:
  File opened (read-only) by e57b621.exe: \??\E: \??\G:

UPX packed file (yara rule "upx", 34 IoCs)
  PID 1976, region 0x0000000000780000-0x000000000183A000: memory dumps behavioral2/memory/1976-{6,8,9,10,11,13,19,20,28,30,35,36,37,38,39,41,42,51,54,55,65,67,70,72,74,76,77,79,81,82,86,90}-...-memory.dmp (32 dumps)
  PID 3784, region 0x0000000000B20000-0x0000000001BDA000: memory dumps behavioral2/memory/3784-{123,154}-...-memory.dmp (2 dumps)
Drops file in Program Files directory (4 IoCs)
  File opened for modification C:\Program Files\7-Zip\Uninstall.exe   e579ac9.exe
  File opened for modification C:\Program Files\7-Zip\7z.exe          e579ac9.exe
  File opened for modification C:\Program Files\7-Zip\7zFM.exe        e579ac9.exe
  File opened for modification C:\Program Files\7-Zip\7zG.exe         e579ac9.exe
Sality is a PE file infector, so write access to existing .exe files under Program Files is its infection pass rather than a drop of new files; treat these four binaries as infected until their hashes are checked against a clean 7-Zip install.

Drops file in Windows directory (3 IoCs)
  File created C:\Windows\e579b36                    e579ac9.exe
  File opened for modification C:\Windows\SYSTEM.INI   e579ac9.exe
  File created C:\Windows\e57ebb8                    e57b621.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e579ac9.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e579c6f.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e57b621.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1976   e579ac9.exe   x4
  PID 3784   e57b621.exe   x2

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege   PID 1976   e579ac9.exe   (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Each row is "PID <source> wrote to memory of <target>", followed by the source image name and the report's internal procid_target (in parentheses). Rows are in report order; repeated rows are collapsed with a count.
  4780 rundll32.exe  ->  1664 (83) x3
  1664 rundll32.exe  ->  1976 (84) x3
  1976 e579ac9.exe   ->  804 (9), 808 (10), 372 (13), 2992 (50), 3016 (52), 624 (53), 3512 (56), 3644 (57), 3828 (58), 3924 (59), 3984 (60), 428 (61), 4212 (62), 2244 (75), 2644 (76), 1816 (81), 4780 (82), 1664 (83) x2
  1664 rundll32.exe  ->  4756 (85) x3, 3784 (88) x3
  1976 e579ac9.exe   ->  804 (9), 808 (10), 372 (13), 2992 (50), 3016 (52), 624 (53), 3512 (56), 3644 (57), 3828 (58), 3924 (59), 3984 (60), 428 (61), 4212 (62), 2244 (75), 2644 (76), 4756 (85) x2, 3784 (88) x2
  3784 e57b621.exe   ->  804 (9), 808 (10), 372 (13), 2992 (50), 3016 (52), 624 (53), 3512 (56), 3644 (57), 3828 (58), 3924 (59), 3984 (60), 428 (61), 4212 (62), 2244 (75)
The first two groups are the loader chain (system32 rundll32 -> SysWOW64 rundll32 -> dropped EXE); the e579ac9.exe and e57b621.exe groups are writes into every other process in the session, including fontdrvhost.exe, dwm.exe and Explorer.EXE.
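The table above is easier to reason about as a graph: which process wrote into how many others, and which of those targets are system processes. The Python below is an added example for this page, not sandbox output and not part of the sample. ROWS is a hand-copied subset of the report's rows (the parser uses finditer, so it also works on the run-together one-line form the report prints); PROCESS_NAMES is copied from the Processes tree so target PIDs resolve to image names; the fan-out threshold in spray_candidates() is an assumption chosen for this example, not a sandbox setting.

```python
"""Rebuild the cross-process write graph from WriteProcessMemory IoC rows."""
import re
from collections import defaultdict

# Row shape as printed in the report:
#   "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target_id>\d+)"
)

# Constructed input: a subset of this report's rows, one per line.
ROWS = """
PID 4780 wrote to memory of 1664 4780 rundll32.exe 83
PID 1664 wrote to memory of 1976 1664 rundll32.exe 84
PID 1976 wrote to memory of 804 1976 e579ac9.exe 9
PID 1976 wrote to memory of 808 1976 e579ac9.exe 10
PID 1976 wrote to memory of 372 1976 e579ac9.exe 13
PID 1976 wrote to memory of 3512 1976 e579ac9.exe 56
PID 1976 wrote to memory of 4780 1976 e579ac9.exe 82
PID 1976 wrote to memory of 1664 1976 e579ac9.exe 83
PID 1664 wrote to memory of 4756 1664 rundll32.exe 85
PID 1664 wrote to memory of 3784 1664 rundll32.exe 88
PID 1976 wrote to memory of 804 1976 e579ac9.exe 9
PID 3784 wrote to memory of 804 3784 e57b621.exe 9
PID 3784 wrote to memory of 372 3784 e57b621.exe 13
PID 3784 wrote to memory of 3512 3784 e57b621.exe 56
"""

# PID -> image name, copied from the Processes tree of this report.
PROCESS_NAMES = {
    804: "fontdrvhost.exe", 808: "fontdrvhost.exe", 372: "dwm.exe",
    3512: "Explorer.EXE", 4780: "rundll32.exe", 1664: "rundll32.exe",
    1976: "e579ac9.exe", 4756: "e579c6f.exe", 3784: "e57b621.exe",
}


def parse_rows(text):
    """Return (src_pid, src_image, dst_pid) for every row, duplicates included."""
    return [(int(m["src"]), m["name"], int(m["dst"])) for m in ROW_RE.finditer(text)]


def write_graph(records):
    """src_pid -> {dst_pid: number of write events}."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, _, dst in records:
        graph[src][dst] += 1
    return graph


def fanout(graph):
    """src_pid -> number of distinct processes it wrote into."""
    return {src: len(targets) for src, targets in graph.items()}


def spray_candidates(graph, threshold=3):
    """Writers that touched more than `threshold` distinct processes, widest first.

    `threshold` is an assumed cut-off for this example; a loader that writes
    into one or two children looks nothing like a process that sprays the session.
    """
    hits = [src for src, targets in graph.items() if len(targets) > threshold]
    return sorted(hits, key=lambda src: -len(graph[src]))


def resolve_targets(graph, src, names=PROCESS_NAMES):
    """Distinct targets of one writer as (pid, image), lowest PID first."""
    return [(pid, names.get(pid, "?")) for pid in sorted(graph[src])]


if __name__ == "__main__":
    graph = write_graph(parse_rows(ROWS))
    for src in spray_candidates(graph):
        targets = ", ".join(f"{pid} {name}" for pid, name in resolve_targets(graph, src))
        print(f"{src} {PROCESS_NAMES.get(src, '?')} wrote into {len(graph[src])} processes: {targets}")
```

On the full table, the two dropped EXEs come out far ahead of the two rundll32 hosts, which is the shape you want a detection to key on: many distinct targets, including processes the writer did not create.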
System policy modification (1 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e579ac9.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e57b621.exe
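The registry signatures above (firewall policy, EnableLUA, Security Center) are the part of this report that translates most directly into a host check. The Python below is an added example for this page, not sandbox output and not part of the sample: it parses rows in the exact format the report prints them and flags the values that weaken defenses, tagging each with the ATT&CK technique the report's MITRE section uses (IDs added here). SAMPLE_ROWS is a hand-copied subset of this report's rows plus one constructed benign control row; the "setup.exe" process name in that row is invented.

```python
"""Parse sandbox registry IoC rows and flag defence-weakening writes."""
import re

# Constructed input: a subset of the rows from this report, plus one benign
# control row (ConsentPromptBehaviorAdmin set by a made-up "setup.exe").
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e579ac9.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e579ac9.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57b621.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579ac9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e579ac9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57b621.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e579ac9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" setup.exe
'''

# Row shapes as printed in the report. Key paths may contain spaces
# ("Security Center"), so the path group is non-greedy up to ' = "'.
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r'^(?P<op>Key (?:created|opened)) (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')

# (value-name pattern, "tampered" predicate, technique). A value is only a
# finding when it is set to the weakening state, not merely touched.
RULES = [
    (re.compile(r'\\FirewallPolicy\\\w+Profile\\EnableFirewall$'), lambda v: v == "0",
     "Disable or Modify System Firewall (T1562.004)"),
    (re.compile(r'\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$'), lambda v: v == "0",
     "Disable or Modify System Firewall (T1562.004)"),
    (re.compile(r'\\FirewallPolicy\\\w+Profile\\DisableNotifications$'), lambda v: v == "1",
     "Disable or Modify System Firewall (T1562.004)"),
    (re.compile(r'\\Policies\\System\\EnableLUA$'), lambda v: v == "0",
     "Bypass User Account Control (T1548.002)"),
    (re.compile(r'\\Security Center\\\w+(?:DisableNotify|Override)$'), lambda v: v == "1",
     "Disable or Modify Tools (T1562.001)"),
]


def parse_row(line):
    """Return a dict for one IoC row, or None for blank or unrecognised lines."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return {"op": "Set value", "type": m["type"], "path": m["path"],
                "value": m["value"], "proc": m["proc"]}
    m = KEY_RE.match(line)
    if m:
        return {"op": m["op"], "type": None, "path": m["path"],
                "value": None, "proc": m["proc"]}
    return None


def find_tampering(text):
    """All 'Set value' rows whose path and value match a RULES entry."""
    findings = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None or row["op"] != "Set value":
            continue
        for path_re, is_tampered, technique in RULES:
            if path_re.search(row["path"]) and is_tampered(row["value"]):
                findings.append({**row, "technique": technique})
                break
    return findings


def techniques_by_process(findings):
    """process image -> set of techniques it was observed using."""
    out = {}
    for f in findings:
        out.setdefault(f["proc"], set()).add(f["technique"])
    return out


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_ROWS):
        value_name = f["path"].rsplit("\\", 1)[-1]
        print(f'{f["proc"]:12} {f["technique"]:46} {value_name} = "{f["value"]}"')
```

The same five RULES entries are what you would check on a live host after an infection: the StandardProfile firewall values, EnableLUA, and the six Security Center notification/override values, all of which this sample sets from both dropped EXEs.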
Processes

Indentation shows parent/child nesting; each entry is image path, command line, PID, followed by the signatures that process triggered. The 64-bit C:\Windows\system32\rundll32.exe (PID 4780) re-launches the DLL under C:\Windows\SysWOW64\rundll32.exe (PID 1664), which is what rundll32 does when handed a 32-bit DLL; it is that 32-bit host that drops and starts the three EXEs.

C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"   PID 804
C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"   PID 808
C:\Windows\system32\dwm.exe   "dwm.exe"   PID 372
C:\Windows\system32\sihost.exe   sihost.exe   PID 2992
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc   PID 3016
C:\Windows\system32\taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}   PID 624
C:\Windows\Explorer.EXE   C:\Windows\Explorer.EXE   PID 3512
  C:\Windows\system32\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\1396e434ab54c2abed881d42bdc937b109cbcc1ee41e72daf4b797288ac687d2N.dll,#1   PID 4780
    Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\1396e434ab54c2abed881d42bdc937b109cbcc1ee41e72daf4b797288ac687d2N.dll,#1   PID 1664
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e579ac9.exe   C:\Users\Admin\AppData\Local\Temp\e579ac9.exe   PID 1976
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Enumerates connected drives
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
      C:\Users\Admin\AppData\Local\Temp\e579c6f.exe   C:\Users\Admin\AppData\Local\Temp\e579c6f.exe   PID 4756
        Executes dropped EXE
        System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57b621.exe   C:\Users\Admin\AppData\Local\Temp\e57b621.exe   PID 3784
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Enumerates connected drives
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc   PID 3644
C:\Windows\system32\DllHost.exe   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}   PID 3828
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca   PID 3924
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 3984
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca   PID 428
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 4212
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca   PID 2244
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 2644
C:\Windows\system32\backgroundTaskHost.exe   "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca   PID 1816
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

File 1
  Filesize: 97KB
  MD5: 6de856a4b477b43841d6020322fd85b5
  SHA1: 252c6a117587107cf095876e8f62a50513cfb7b5
  SHA256: 514d8c75bd9ab1e887843cb036fe3f3aebf50715d5a130fc56c0958a8a39f53e
  SHA512: 5fd2af5ce14fd866a797b5d447b4534129da125af934255697384715eb164ce13778caabecd431c8703cd316d0106b2727ee5b8ceee339ad1555c3ae8bd88627

File 2
  Filesize: 257B
  MD5: 148c6aa56ef86baf4c499ff7d846e715
  SHA1: ea3006218e1de5589229a1c7d0d20d23250f6d74
  SHA256: 883c36df878b7e51283deca34111b0aed99207a78f618f9b8b542a7d1e5411a9
  SHA512: 66046d88e94ffdcacf0397d203f5de248ed5b71482f68f3beb6dc280ea6cd74e5056cc9c4b31815783b0f37f21a1b67b6329374cc62ef617e23312cb3175997a