Analysis

max time kernel: 33s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 11:47

Static task: static1
Behavioral task: behavioral1
Sample: cf32a968a28b761c8b2f3d303bf7ad4f038e8bc669bfae4e3a174ec06ad6ff67N.dll
Resource: win7-20240903-en
General

Target: cf32a968a28b761c8b2f3d303bf7ad4f038e8bc669bfae4e3a174ec06ad6ff67N.dll
Size: 120KB
MD5: d15ac88644863bfe17b9945ece35b050
SHA1: 4a11d087e00b66143f021f50e5f411020b6d033f
SHA256: cf32a968a28b761c8b2f3d303bf7ad4f038e8bc669bfae4e3a174ec06ad6ff67
SHA512: 033507ccc4424d54c15150090a666b8cfbcac3becab1470a94a5b23df55719f8a4c49249f547ec5e5fa0bfe104af0c1be5bef4126c18f518100f231323c079c7
SSDEEP: 3072:tklc/+1mesGUqifJVUgF1R9+6lMBQNXN:9/ROgUgSG
Malware Config

Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e88b.exe
Sality family

UAC bypass 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e88b.exe

Windows security bypass 12 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b3cf.exe
Executes dropped EXE 3 IoCs

pid | Process
4188 | e57b3cf.exe
4544 | e57b5e2.exe
1976 | e57e88b.exe
Windows security modification 14 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b3cf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e88b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e88b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b3cf.exe

Checks whether UAC is enabled 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e88b.exe
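The firewall, UAC and Security Center writes listed above are the host-side artefacts an incident responder can check for without the sample. The script below is an added example (not part of this report or of the sandbox's tooling) that audits a registry snapshot against exactly those values. It assumes the snapshot is a dict of key path to value name/DWORD pairs, as you would build from reg.exe export or Python's winreg, and that ControlSet001 is the live control set (on a real host confirm that via HKLM\SYSTEM\Select\Current). Two details matter in practice and the code handles both: DoNotAllowExceptions = 0 is the Windows default, so on its own it proves nothing and is reported at low severity; and the Security Center values in this report sit under WOW6432Node because the sample ran as a 32-bit process (SysWOW64\rundll32.exe), which is where WOW64 redirects a 32-bit writer's changes to HKLM\SOFTWARE\Microsoft\Security Center, so the native key read by the 64-bit Security Center service is untouched. The audit therefore records which view a hit came from.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Keys from the signature tables, in their canonical (native, CurrentControlSet) form.
FIREWALL = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POLICIES = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECCENTER = r"SOFTWARE\Microsoft\Security Center"

# (key, value name) -> (value the sample set, severity, meaning)
IOCS: Dict[Tuple[str, str], Tuple[int, str, str]] = {
    (FIREWALL, "EnableFirewall"): (0, "high", "Windows Firewall off for the standard profile"),
    (FIREWALL, "DoNotAllowExceptions"): (0, "low", "firewall exceptions allowed (Windows default; only meaningful next to EnableFirewall=0)"),
    (FIREWALL, "DisableNotifications"): (1, "high", "firewall notifications suppressed"),
    (POLICIES, "EnableLUA"): (0, "high", "UAC disabled (takes effect at the next reboot)"),
    (SECCENTER, "AntiVirusDisableNotify"): (1, "high", "Security Center AV alerts suppressed"),
    (SECCENTER, "AntiVirusOverride"): (1, "high", "Security Center AV state overridden"),
    (SECCENTER, "FirewallDisableNotify"): (1, "high", "Security Center firewall alerts suppressed"),
    (SECCENTER, "FirewallOverride"): (1, "high", "Security Center firewall state overridden"),
    (SECCENTER, "UacDisableNotify"): (1, "high", "Security Center UAC alerts suppressed"),
    (SECCENTER, "UpdatesDisableNotify"): (1, "high", "Security Center update alerts suppressed"),
}
IOCS = {(k.lower(), n.lower()): v for (k, n), v in IOCS.items()}
LEVEL = {"low": 0, "high": 1}


class Finding(NamedTuple):
    key: str
    name: str
    data: int
    severity: str
    meaning: str
    wow64_view: bool


def normalise(key: str) -> Tuple[str, bool]:
    """Fold the spellings of one key onto a single form: drop the hive prefix
    (\\REGISTRY\\MACHINE, HKLM, HKEY_LOCAL_MACHINE), map ControlSetNNN to
    CurrentControlSet (assumption: 001 is the live set), and lift the 32-bit
    WOW6432Node view onto the native path while remembering it was redirected."""
    k = key.strip("\\")
    k = re.sub(r"^(?:HKEY_LOCAL_MACHINE|HKLM|REGISTRY\\MACHINE)\\", "", k, flags=re.I)
    k = re.sub(r"^SYSTEM\\ControlSet\d{3}\\", r"SYSTEM\\CurrentControlSet\\", k, flags=re.I)
    wow64 = re.match(r"^SOFTWARE\\WOW6432Node\\", k, flags=re.I) is not None
    if wow64:
        k = re.sub(r"^SOFTWARE\\WOW6432Node\\", r"SOFTWARE\\", k, flags=re.I)
    return k.lower(), wow64


def audit(snapshot: Dict[str, Dict[str, int]], min_severity: str = "low") -> List[Finding]:
    """snapshot: {key path: {value name: DWORD data}}. Returns the IoCs present."""
    findings: List[Finding] = []
    for key, values in snapshot.items():
        nkey, wow64 = normalise(key)
        for name, data in values.items():
            hit = IOCS.get((nkey, name.lower()))
            if hit is None or data != hit[0] or LEVEL[hit[1]] < LEVEL[min_severity]:
                continue
            findings.append(Finding(key, name, data, hit[1], hit[2], wow64))
    return sorted(findings)


# Constructed snapshots (not taken from a real host): a machine at defaults, and one
# in the state the tables above record after e57b3cf.exe / e57e88b.exe ran.
CLEAN = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile":
        {"EnableFirewall": 1, "DoNotAllowExceptions": 0, "DisableNotifications": 0},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": 1},
    r"HKLM\SOFTWARE\Microsoft\Security Center": {"AntiVirusOverride": 0, "FirewallOverride": 0},
}
INFECTED = {
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile":
        {"EnableFirewall": 0, "DoNotAllowExceptions": 0, "DisableNotifications": 1},
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": 0},
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center": {
        "AntiVirusDisableNotify": 1, "AntiVirusOverride": 1, "FirewallDisableNotify": 1,
        "FirewallOverride": 1, "UacDisableNotify": 1, "UpdatesDisableNotify": 1},
}

if __name__ == "__main__":
    for f in audit(INFECTED):
        view = "WOW6432Node" if f.wow64_view else "native"
        print(f"[{f.severity}] {f.name}={f.data} ({view}) {f.meaning}")
```

Run against a real export, the same audit at min_severity="high" stays silent on a default host and lights up on every value this sample set; a hit reported from the WOW6432Node view tells you a 32-bit process made the change and that the native key still deserves a separate look.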
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\G: | e57b3cf.exe
File opened (read-only) | \??\G: | e57e88b.exe
File opened (read-only) | \??\I: | e57e88b.exe
File opened (read-only) | \??\K: | e57b3cf.exe
File opened (read-only) | \??\L: | e57b3cf.exe
File opened (read-only) | \??\M: | e57b3cf.exe
File opened (read-only) | \??\E: | e57e88b.exe
File opened (read-only) | \??\E: | e57b3cf.exe
File opened (read-only) | \??\H: | e57b3cf.exe
File opened (read-only) | \??\I: | e57b3cf.exe
File opened (read-only) | \??\J: | e57b3cf.exe
File opened (read-only) | \??\H: | e57e88b.exe
UPX packed (yara rule upx) 27 IoCs

resource | yara_rule
behavioral2/memory/4188-{8,9,10,11,12,14,15,20,25,32,36,37,38,39,40,46,56,57,59,60,62,63,66,68}-0x0000000000790000-0x000000000184A000-memory.dmp (24 dumps of the same region) | upx
behavioral2/memory/1976-{96,103,145}-0x00000000008E0000-0x000000000199A000-memory.dmp (3 dumps of the same region) | upx
Drops file in Windows directory 3 IoCs

description | ioc | Process
File created | C:\Windows\e57b43c | e57b3cf.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b3cf.exe
File created | C:\Windows\e580ff9 | e57e88b.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b5e2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e88b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b3cf.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

pid | Process
4188 | e57b3cf.exe (4 entries)
1976 | e57e88b.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs

description | pid | Process
Token: SeDebugPrivilege | 4188 | e57b3cf.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs

description | pid | Process | procid_target
PID 3016 wrote to memory of 3292 | 3016 | rundll32.exe | 83 (x3)
PID 3292 wrote to memory of 4188 | 3292 | rundll32.exe | 84 (x3)
PID 4188 wrote to memory of 776 | 4188 | e57b3cf.exe | 8
PID 4188 wrote to memory of 784 | 4188 | e57b3cf.exe | 9
PID 4188 wrote to memory of 1020 | 4188 | e57b3cf.exe | 13
PID 4188 wrote to memory of 2712 | 4188 | e57b3cf.exe | 45
PID 4188 wrote to memory of 2784 | 4188 | e57b3cf.exe | 46
PID 4188 wrote to memory of 3004 | 4188 | e57b3cf.exe | 52
PID 4188 wrote to memory of 3520 | 4188 | e57b3cf.exe | 56
PID 4188 wrote to memory of 3632 | 4188 | e57b3cf.exe | 57
PID 4188 wrote to memory of 3832 | 4188 | e57b3cf.exe | 58
PID 4188 wrote to memory of 3936 | 4188 | e57b3cf.exe | 59
PID 4188 wrote to memory of 4048 | 4188 | e57b3cf.exe | 60
PID 4188 wrote to memory of 3624 | 4188 | e57b3cf.exe | 61
PID 4188 wrote to memory of 4228 | 4188 | e57b3cf.exe | 62
PID 4188 wrote to memory of 4684 | 4188 | e57b3cf.exe | 64
PID 4188 wrote to memory of 548 | 4188 | e57b3cf.exe | 76
PID 4188 wrote to memory of 3412 | 4188 | e57b3cf.exe | 81
PID 4188 wrote to memory of 3016 | 4188 | e57b3cf.exe | 82
PID 4188 wrote to memory of 3292 | 4188 | e57b3cf.exe | 83 (x2)
PID 3292 wrote to memory of 4544 | 3292 | rundll32.exe | 85 (x3)
PID 4188 wrote to memory of 776 | 4188 | e57b3cf.exe | 8
PID 4188 wrote to memory of 784 | 4188 | e57b3cf.exe | 9
PID 4188 wrote to memory of 1020 | 4188 | e57b3cf.exe | 13
PID 4188 wrote to memory of 2712 | 4188 | e57b3cf.exe | 45
PID 4188 wrote to memory of 2784 | 4188 | e57b3cf.exe | 46
PID 4188 wrote to memory of 3004 | 4188 | e57b3cf.exe | 52
PID 4188 wrote to memory of 3520 | 4188 | e57b3cf.exe | 56
PID 4188 wrote to memory of 3632 | 4188 | e57b3cf.exe | 57
PID 4188 wrote to memory of 3832 | 4188 | e57b3cf.exe | 58
PID 4188 wrote to memory of 3936 | 4188 | e57b3cf.exe | 59
PID 4188 wrote to memory of 4048 | 4188 | e57b3cf.exe | 60
PID 4188 wrote to memory of 3624 | 4188 | e57b3cf.exe | 61
PID 4188 wrote to memory of 4228 | 4188 | e57b3cf.exe | 62
PID 4188 wrote to memory of 4684 | 4188 | e57b3cf.exe | 64
PID 4188 wrote to memory of 548 | 4188 | e57b3cf.exe | 76
PID 4188 wrote to memory of 3412 | 4188 | e57b3cf.exe | 81
PID 4188 wrote to memory of 3016 | 4188 | e57b3cf.exe | 82
PID 4188 wrote to memory of 4544 | 4188 | e57b3cf.exe | 85 (x2)
PID 3292 wrote to memory of 1976 | 3292 | rundll32.exe | 87 (x3)
PID 1976 wrote to memory of 776 | 1976 | e57e88b.exe | 8
PID 1976 wrote to memory of 784 | 1976 | e57e88b.exe | 9
PID 1976 wrote to memory of 1020 | 1976 | e57e88b.exe | 13
PID 1976 wrote to memory of 2712 | 1976 | e57e88b.exe | 45
PID 1976 wrote to memory of 2784 | 1976 | e57e88b.exe | 46
PID 1976 wrote to memory of 3004 | 1976 | e57e88b.exe | 52
PID 1976 wrote to memory of 3520 | 1976 | e57e88b.exe | 56
PID 1976 wrote to memory of 3632 | 1976 | e57e88b.exe | 57
PID 1976 wrote to memory of 3832 | 1976 | e57e88b.exe | 58
PID 1976 wrote to memory of 3936 | 1976 | e57e88b.exe | 59
PID 1976 wrote to memory of 4048 | 1976 | e57e88b.exe | 60
PID 1976 wrote to memory of 3624 | 1976 | e57e88b.exe | 61
PID 1976 wrote to memory of 4228 | 1976 | e57e88b.exe | 62
PID 1976 wrote to memory of 4684 | 1976 | e57e88b.exe | 64
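Not every row in the table above means the same thing. A parent writing into a process it has just created (3016 into 3292, 3292 into 4188/4544/1976, three rows each) is what CreateProcess looks like from the sandbox's hook and is expected; the two dropped executables writing into fontdrvhost, dwm, sihost, Explorer, every RuntimeBroker, and even back into the rundll32 chain that launched them is cross-process injection, and that fan-out into unrelated processes is the signal to alert on. The script below is an added example (not part of this report or the sandbox) that parses rows in the table's own format, uses parent links taken from the process tree in this report, and buckets each writer's distinct targets into own children, own ancestors and foreign processes; the sample rows are a copied subset of the table, not the full 64.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Write(NamedTuple):
    src: int
    dst: int
    image: str


# One row of the table reads: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\d+\s+(\S+)\s+\d+")


def parse_rows(text: str) -> List[Write]:
    return [Write(int(s), int(d), img) for s, d, img in ROW.findall(text)]


def ancestors(pid: int, parents: Dict[int, int]) -> Set[int]:
    """All PIDs above pid in the tree (cycle-safe)."""
    seen: Set[int] = set()
    while pid in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return seen


def classify(writes: List[Write], parents: Dict[int, int]) -> Dict[int, dict]:
    """Bucket each writer's distinct targets. A parent writing into a process it
    has just created is normal (CreateProcess sets up the child's parameters);
    writing into its own launcher chain or into unrelated processes is not."""
    out: Dict[int, dict] = defaultdict(
        lambda: {"image": "", "child": set(), "ancestor": set(), "foreign": set()})
    for w in writes:
        rec = out[w.src]
        rec["image"] = w.image
        if parents.get(w.dst) == w.src:
            rec["child"].add(w.dst)
        elif w.dst in ancestors(w.src, parents):
            rec["ancestor"].add(w.dst)
        else:
            rec["foreign"].add(w.dst)
    return dict(out)


def injectors(writes: List[Write], parents: Dict[int, int], min_unexpected: int = 3) -> List[int]:
    """PIDs that wrote into at least min_unexpected processes they did not create."""
    return sorted(pid for pid, r in classify(writes, parents).items()
                  if len(r["foreign"] | r["ancestor"]) >= min_unexpected)


# Rows copied from the table above (a subset of the 64).
SAMPLE = """
PID 3016 wrote to memory of 3292 3016 rundll32.exe 83
PID 3292 wrote to memory of 4188 3292 rundll32.exe 84
PID 4188 wrote to memory of 776 4188 e57b3cf.exe 8
PID 4188 wrote to memory of 784 4188 e57b3cf.exe 9
PID 4188 wrote to memory of 1020 4188 e57b3cf.exe 13
PID 4188 wrote to memory of 2712 4188 e57b3cf.exe 45
PID 4188 wrote to memory of 3520 4188 e57b3cf.exe 56
PID 4188 wrote to memory of 3016 4188 e57b3cf.exe 82
PID 4188 wrote to memory of 3292 4188 e57b3cf.exe 83
PID 3292 wrote to memory of 4544 3292 rundll32.exe 85
PID 4188 wrote to memory of 4544 4188 e57b3cf.exe 85
PID 3292 wrote to memory of 1976 3292 rundll32.exe 87
PID 1976 wrote to memory of 776 1976 e57e88b.exe 8
PID 1976 wrote to memory of 1020 1976 e57e88b.exe 13
PID 1976 wrote to memory of 3520 1976 e57e88b.exe 56
PID 1976 wrote to memory of 2712 1976 e57e88b.exe 45
"""
# Parent links from the Processes section of this report (Explorer 3520 launched rundll32 3016).
PARENTS = {3016: 3520, 3292: 3016, 4188: 3292, 4544: 3292, 1976: 3292}

if __name__ == "__main__":
    for pid, rec in classify(parse_rows(SAMPLE), PARENTS).items():
        print(pid, rec["image"], "child", sorted(rec["child"]),
              "ancestor", sorted(rec["ancestor"]), "foreign", sorted(rec["foreign"]))
    print("injectors:", injectors(parse_rows(SAMPLE), PARENTS))
```

The same bucketing works on Sysmon event 8/10 or EDR cross-process telemetry once you substitute the real parent map; the threshold of three is a starting point, since a legitimate debugger or crash-reporting tool also writes into one or two processes it did not create.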
System policy modification 1 TTPs 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3cf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e88b.exe
Processes

PID | image | command line (children are indented under their parent; signatures listed beneath each process)

PID 776 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 784 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 1020 | C:\Windows\system32\dwm.exe | "dwm.exe"
PID 2712 | C:\Windows\system32\sihost.exe | sihost.exe
PID 2784 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3004 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3520 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
    PID 3016 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf32a968a28b761c8b2f3d303bf7ad4f038e8bc669bfae4e3a174ec06ad6ff67N.dll,#1
        - Suspicious use of WriteProcessMemory
        PID 3292 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf32a968a28b761c8b2f3d303bf7ad4f038e8bc669bfae4e3a174ec06ad6ff67N.dll,#1
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID 4188 | C:\Users\Admin\AppData\Local\Temp\e57b3cf.exe | C:\Users\Admin\AppData\Local\Temp\e57b3cf.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            PID 4544 | C:\Users\Admin\AppData\Local\Temp\e57b5e2.exe | C:\Users\Admin\AppData\Local\Temp\e57b5e2.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            PID 1976 | C:\Users\Admin\AppData\Local\Temp\e57e88b.exe | C:\Users\Admin\AppData\Local\Temp\e57e88b.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
PID 3632 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3832 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3936 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4048 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3624 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4228 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4684 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 548 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 3412 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
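The launch chain in the process tree above carries three detection-worthy facts on its own, before any of the behavioural signatures fire: rundll32 is handed a DLL from the user's Temp directory and told to call export #1 (the `,#N` syntax selects an export by ordinal, which is how a DLL with no named entry points is driven); the 64-bit system32\rundll32.exe cannot load a 32-bit DLL, so it re-launches its SysWOW64 counterpart with the same command line, which is why the chain is two rundll32 processes deep; and the SysWOW64 rundll32 then starts three executables that live in Temp. The script below is an added example (not part of this report or the sandbox) that rebuilds parent links from the tree's depth numbers, which is the only ordering the listing preserves, and flags those three patterns. The rows are a copied subset of the tree; the rule names and thresholds are the example's own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Proc(NamedTuple):
    depth: int
    image: str
    cmdline: str
    pid: int


# Rows copied from the process tree above (a subset): depth, image, command line, PID.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\cf32a968a28b761c8b2f3d303bf7ad4f038e8bc669bfae4e3a174ec06ad6ff67N.dll"
TREE: List[Proc] = [
    Proc(1, r"C:\Windows\system32\fontdrvhost.exe", '"fontdrvhost.exe"', 776),
    Proc(1, r"C:\Windows\system32\dwm.exe", '"dwm.exe"', 1020),
    Proc(1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", 3520),
    Proc(2, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1", 3016),
    Proc(3, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1", 3292),
    Proc(4, r"C:\Users\Admin\AppData\Local\Temp\e57b3cf.exe", r"C:\Users\Admin\AppData\Local\Temp\e57b3cf.exe", 4188),
    Proc(4, r"C:\Users\Admin\AppData\Local\Temp\e57b5e2.exe", r"C:\Users\Admin\AppData\Local\Temp\e57b5e2.exe", 4544),
    Proc(4, r"C:\Users\Admin\AppData\Local\Temp\e57e88b.exe", r"C:\Users\Admin\AppData\Local\Temp\e57e88b.exe", 1976),
    Proc(1, r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Windows\System32\RuntimeBroker.exe -Embedding", 4048),
]


def build_parents(rows: List[Proc]) -> Dict[int, Optional[int]]:
    """Recover parent PIDs from the pre-order listing: a row at depth d is a child
    of the most recent row at depth d-1; depth-1 rows are roots (parent None)."""
    parents: Dict[int, Optional[int]] = {}
    stack: List[int] = []          # stack[i] holds the open node at depth i+1
    for p in rows:
        del stack[p.depth - 1:]    # close nodes at this depth and deeper
        parents[p.pid] = stack[-1] if stack else None
        stack.append(p.pid)
    return parents


# "rundll32[.exe] <dll>,<export>"; the export is "#N" for an ordinal.
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\s,\"]+)\"?,(?P<export>\S+)", re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def flag(rows: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process matching one of the three patterns."""
    parents = build_parents(rows)
    by_pid = {p.pid: p for p in rows}
    out: List[Tuple[int, str]] = []
    for p in rows:
        parent = by_pid.get(parents[p.pid])
        m = RUNDLL.search(p.cmdline)
        if m and USER_TEMP.search(m.group("dll")) and m.group("export").startswith("#"):
            out.append((p.pid, "rundll32 loads a DLL from the user's Temp directory by ordinal " + m.group("export")))
        if (parent and parent.image.lower().endswith(r"\system32\rundll32.exe")
                and p.image.lower().endswith(r"\syswow64\rundll32.exe")):
            out.append((p.pid, "64-bit rundll32 re-launched the 32-bit rundll32: the DLL is 32-bit"))
        if USER_TEMP.search(p.image) and parent and parent.image.lower().endswith("rundll32.exe"):
            out.append((p.pid, "executable in Temp started by rundll32"))
    return out


if __name__ == "__main__":
    for pid, why in flag(TREE):
        print(pid, why)
```

On live telemetry the same checks map onto process-creation events (Sysmon event 1 or 4688 with command-line auditing), where the parent PID is recorded directly and build_parents is unnecessary; the rundll32-to-rundll32 hop is worth keeping as its own rule because it also catches 32-bit DLLs loaded by other means from a 64-bit launcher.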
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 5342703905e9a664e5dffc2a7154f04e
SHA1: cc053248f4e23d9aaef1e6f464a0761f0d83419f
SHA256: f3866110484aa978373ab7806f2f64c147d54550ec58d386ba67726d69049285
SHA512: 5b96f1f02940a03ce3017fb161a6c59bac1919e7c4b83c9fa9199c6d6345e7472339fd3cd41190d3a9da6743ae7840b0d3f668c3ed9270e7dd8f06be42e178b1

Filesize: 257B
MD5: aaf1f9e061e8320111e98767f73ddc46
SHA1: 5d9db4d651d1753579854e8d38581c8ee7b031fb
SHA256: 76ea9c8c5819d2110cfb58406a07a0a62cb9ba25049a12a85bb0f112301859e4
SHA512: 02fed492dab7a0b6911660737279f0ddab50ff52009cc7f95da123a9ac7f360ab78b84f4a7fb9f27d5712400e3298d705b30d45739ecf7395589973deab0a8b1