Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 11:02

Static task: static1
Behavioral task: behavioral1
Sample: 5a193bfdf1ba1c43595450ee9d344fcc236f449a7f9c74a60b3a0ed5c82c6cbdN.dll
Resource: win7-20241010-en
General
- Target: 5a193bfdf1ba1c43595450ee9d344fcc236f449a7f9c74a60b3a0ed5c82c6cbdN.dll
- Size: 120KB
- MD5: e9b784c506be3dd9074f357915570e00
- SHA1: da8f9f5418e89d2bbf73cde3a4df0689b7b9d7a7
- SHA256: 5a193bfdf1ba1c43595450ee9d344fcc236f449a7f9c74a60b3a0ed5c82c6cbd
- SHA512: 5c70f121c27147736e61e205b90428bb1bd4a1be39c072367a3f3db0abfadf6c70fbb23914f43d87ccb5d4875f9bdabb402482b40f55bdff5679f4034f8bdaf7
- SSDEEP: 3072:cg7ImFD+rpmvXb9yF8ULv/No1Dtd93lt9:cID+ab9yF9C1DtPVt9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
- Modifies firewall policy service (3 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579328.exe
- Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5777c0.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579328.exe
- Executes dropped EXE (3 IoCs)
pid | Process
4580 | e5777c0.exe
432 | e577995.exe
3252 | e579328.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579328.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5777c0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5777c0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577995.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579328.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577995.exe
- Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e5777c0.exe
File opened (read-only) | \??\H: | e5777c0.exe
File opened (read-only) | \??\N: | e5777c0.exe
File opened (read-only) | \??\O: | e5777c0.exe
File opened (read-only) | \??\Q: | e5777c0.exe
File opened (read-only) | \??\R: | e5777c0.exe
File opened (read-only) | \??\E: | e5777c0.exe
File opened (read-only) | \??\S: | e5777c0.exe
File opened (read-only) | \??\P: | e5777c0.exe
File opened (read-only) | \??\I: | e5777c0.exe
File opened (read-only) | \??\J: | e5777c0.exe
File opened (read-only) | \??\K: | e5777c0.exe
File opened (read-only) | \??\L: | e5777c0.exe
File opened (read-only) | \??\M: | e5777c0.exe
File opened (read-only) | \??\T: | e5777c0.exe
resource | yara_rule
behavioral2/memory/4580-6-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-8-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-10-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-11-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-22-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-21-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-18-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-17-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-19-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-9-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-28-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-36-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-35-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-37-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-38-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-39-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-41-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-42-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-52-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-54-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-55-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-57-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-68-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-69-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-72-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-74-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-75-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-77-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-79-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-86-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-88-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-92-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/4580-95-0x0000000000850000-0x000000000190A000-memory.dmp | upx
behavioral2/memory/432-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/432-141-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
- Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5777c0.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5777c0.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5777c0.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e5777c0.exe
- Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\e57e1a5 | e579328.exe
File created | C:\Windows\e57781e | e5777c0.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5777c0.exe
File created | C:\Windows\e57c89f | e577995.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5777c0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577995.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579328.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4580 | e5777c0.exe
4580 | e5777c0.exe
4580 | e5777c0.exe
4580 | e5777c0.exe
432 | e577995.exe
432 | e577995.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4580 | e5777c0.exe
(the row above is repeated 64 times in the report, all for PID 4580 / e5777c0.exe)
- Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3392 wrote to memory of 1784 | 3392 | rundll32.exe | 83
PID 3392 wrote to memory of 1784 | 3392 | rundll32.exe | 83
PID 3392 wrote to memory of 1784 | 3392 | rundll32.exe | 83
PID 1784 wrote to memory of 4580 | 1784 | rundll32.exe | 84
PID 1784 wrote to memory of 4580 | 1784 | rundll32.exe | 84
PID 1784 wrote to memory of 4580 | 1784 | rundll32.exe | 84
PID 4580 wrote to memory of 792 | 4580 | e5777c0.exe | 9
PID 4580 wrote to memory of 796 | 4580 | e5777c0.exe | 10
PID 4580 wrote to memory of 64 | 4580 | e5777c0.exe | 13
PID 4580 wrote to memory of 2564 | 4580 | e5777c0.exe | 44
PID 4580 wrote to memory of 2576 | 4580 | e5777c0.exe | 45
PID 4580 wrote to memory of 2788 | 4580 | e5777c0.exe | 48
PID 4580 wrote to memory of 3480 | 4580 | e5777c0.exe | 56
PID 4580 wrote to memory of 3604 | 4580 | e5777c0.exe | 57
PID 4580 wrote to memory of 3804 | 4580 | e5777c0.exe | 58
PID 4580 wrote to memory of 3900 | 4580 | e5777c0.exe | 59
PID 4580 wrote to memory of 3964 | 4580 | e5777c0.exe | 60
PID 4580 wrote to memory of 4044 | 4580 | e5777c0.exe | 61
PID 4580 wrote to memory of 4120 | 4580 | e5777c0.exe | 62
PID 4580 wrote to memory of 4604 | 4580 | e5777c0.exe | 74
PID 4580 wrote to memory of 2696 | 4580 | e5777c0.exe | 76
PID 4580 wrote to memory of 2944 | 4580 | e5777c0.exe | 81
PID 4580 wrote to memory of 3392 | 4580 | e5777c0.exe | 82
PID 4580 wrote to memory of 1784 | 4580 | e5777c0.exe | 83
PID 4580 wrote to memory of 1784 | 4580 | e5777c0.exe | 83
PID 1784 wrote to memory of 432 | 1784 | rundll32.exe | 85
PID 1784 wrote to memory of 432 | 1784 | rundll32.exe | 85
PID 1784 wrote to memory of 432 | 1784 | rundll32.exe | 85
PID 1784 wrote to memory of 3252 | 1784 | rundll32.exe | 89
PID 1784 wrote to memory of 3252 | 1784 | rundll32.exe | 89
PID 1784 wrote to memory of 3252 | 1784 | rundll32.exe | 89
PID 4580 wrote to memory of 792 | 4580 | e5777c0.exe | 9
PID 4580 wrote to memory of 796 | 4580 | e5777c0.exe | 10
PID 4580 wrote to memory of 64 | 4580 | e5777c0.exe | 13
PID 4580 wrote to memory of 2564 | 4580 | e5777c0.exe | 44
PID 4580 wrote to memory of 2576 | 4580 | e5777c0.exe | 45
PID 4580 wrote to memory of 2788 | 4580 | e5777c0.exe | 48
PID 4580 wrote to memory of 3480 | 4580 | e5777c0.exe | 56
PID 4580 wrote to memory of 3604 | 4580 | e5777c0.exe | 57
PID 4580 wrote to memory of 3804 | 4580 | e5777c0.exe | 58
PID 4580 wrote to memory of 3900 | 4580 | e5777c0.exe | 59
PID 4580 wrote to memory of 3964 | 4580 | e5777c0.exe | 60
PID 4580 wrote to memory of 4044 | 4580 | e5777c0.exe | 61
PID 4580 wrote to memory of 4120 | 4580 | e5777c0.exe | 62
PID 4580 wrote to memory of 4604 | 4580 | e5777c0.exe | 74
PID 4580 wrote to memory of 2696 | 4580 | e5777c0.exe | 76
PID 4580 wrote to memory of 432 | 4580 | e5777c0.exe | 85
PID 4580 wrote to memory of 432 | 4580 | e5777c0.exe | 85
PID 4580 wrote to memory of 3252 | 4580 | e5777c0.exe | 89
PID 4580 wrote to memory of 3252 | 4580 | e5777c0.exe | 89
PID 432 wrote to memory of 792 | 432 | e577995.exe | 9
PID 432 wrote to memory of 796 | 432 | e577995.exe | 10
PID 432 wrote to memory of 64 | 432 | e577995.exe | 13
PID 432 wrote to memory of 2564 | 432 | e577995.exe | 44
PID 432 wrote to memory of 2576 | 432 | e577995.exe | 45
PID 432 wrote to memory of 2788 | 432 | e577995.exe | 48
PID 432 wrote to memory of 3480 | 432 | e577995.exe | 56
PID 432 wrote to memory of 3604 | 432 | e577995.exe | 57
PID 432 wrote to memory of 3804 | 432 | e577995.exe | 58
PID 432 wrote to memory of 3900 | 432 | e577995.exe | 59
PID 432 wrote to memory of 3964 | 432 | e577995.exe | 60
PID 432 wrote to memory of 4044 | 432 | e577995.exe | 61
PID 432 wrote to memory of 4120 | 432 | e577995.exe | 62
PID 432 wrote to memory of 4604 | 432 | e577995.exe | 74
- System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5777c0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577995.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579328.exe
Processes
(indentation follows the tree depth shown in the report; each entry lists image path, command line, triggered signatures where present, and PID)

- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 792
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 796
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 64
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2564
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2576
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2788
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3480
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a193bfdf1ba1c43595450ee9d344fcc236f449a7f9c74a60b3a0ed5c82c6cbdN.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    PID: 3392
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a193bfdf1ba1c43595450ee9d344fcc236f449a7f9c74a60b3a0ed5c82c6cbdN.dll,#1
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 1784
      - C:\Users\Admin\AppData\Local\Temp\e5777c0.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e5777c0.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        PID: 4580
      - C:\Users\Admin\AppData\Local\Temp\e577995.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e577995.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
        PID: 432
      - C:\Users\Admin\AppData\Local\Temp\e579328.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e579328.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; System policy modification
        PID: 3252
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3604
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3804
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3900
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3964
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4044
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4120
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4604
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2696
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2944
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: f0b49357aeeafd8b753070e6dd67ba1b
  SHA1: 466c8e9e0e46dac1c7e2706a31108f71546eb46d
  SHA256: 3bcf5f4ac32732804aecb8f78e1d193f9a6e43128545977db54ab0c3649253b5
  SHA512: a72d9ba1753f4d434393e7e2ea90caa2a2caa1cd2c54174e443f7cb6af59782ba7ba0e7ec4c2f5ef80fe05ece3b8e2572fec708cbd5a8d1b5f452c2d0716ee4a
- Filesize: 257B
  MD5: 3e8347b8785e2496901670d4b2791247
  SHA1: 8cabbbedb546ad05ec09b9f055c28e3879de953d
  SHA256: 0fecce2c1475bb09514d68bd128ec719cd59f990d313ea55b86fd173e06997fe
  SHA512: fabb7261a31b55c61100754bedafc02c38bbd0421f12faee900acc8a06eee8e44527c4896f99e6d9adf38d73cc2d3637f49817483a10ee2e0a55d7bc69a5dcc8