Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 13:05
Static task: static1
Behavioral task: behavioral1
Sample: 6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll
Resource: win7-20240903-en
General
Target: 6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll
Size: 120KB
MD5: 25c6435d9b0074997c745a118d7369b0
SHA1: b51bfcf097915d96b3307a813c4eb3a17eefbbb7
SHA256: 6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3
SHA512: 37ce154807a9ef4d42ea151c5dc064fcd8930017fe79f8cf6c1d081a5a88e63fc5e7e50e619e1fdd82d22dd23e93cccd56fc27708623d1d861802b30fb4b4924
SSDEEP: 3072:JnC2zgLPLXSqKxI1rmgBrsVgau7kSkk3a:JC2zgLzXS81qgBwqau7kG3a
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579971.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577dea.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579971.exe
Executes dropped EXE (3 IoCs)
pid | Process
3900 | e577dea.exe
1936 | e577f03.exe
212 | e579971.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577dea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579971.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579971.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579971.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e577dea.exe
File opened (read-only) | \??\H: | e577dea.exe
File opened (read-only) | \??\O: | e577dea.exe
File opened (read-only) | \??\E: | e579971.exe
File opened (read-only) | \??\K: | e577dea.exe
File opened (read-only) | \??\M: | e577dea.exe
File opened (read-only) | \??\Q: | e577dea.exe
File opened (read-only) | \??\G: | e579971.exe
File opened (read-only) | \??\I: | e577dea.exe
File opened (read-only) | \??\J: | e577dea.exe
File opened (read-only) | \??\L: | e577dea.exe
File opened (read-only) | \??\P: | e577dea.exe
File opened (read-only) | \??\S: | e577dea.exe
File opened (read-only) | \??\E: | e577dea.exe
File opened (read-only) | \??\N: | e577dea.exe
File opened (read-only) | \??\R: | e577dea.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e577dea.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e577dea.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e577dea.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e577dea.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e577e38 | e577dea.exe
File opened for modification | C:\Windows\SYSTEM.INI | e577dea.exe
File created | C:\Windows\e57ce4c | e579971.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579971.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577dea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577f03.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs; duplicate rows shown once)
pid | Process
3900 | e577dea.exe
212 | e579971.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; all 64 entries are identical)
description | pid | Process
Token: SeDebugPrivilege | 3900 | e577dea.exe
Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows shown once)
description | pid | Process | procid_target
PID 1544 wrote to memory of 1476 | 1544 | rundll32.exe | 83
PID 1476 wrote to memory of 3900 | 1476 | rundll32.exe | 84
PID 3900 wrote to memory of 780 | 3900 | e577dea.exe | 8
PID 3900 wrote to memory of 776 | 3900 | e577dea.exe | 9
PID 3900 wrote to memory of 336 | 3900 | e577dea.exe | 13
PID 3900 wrote to memory of 2868 | 3900 | e577dea.exe | 49
PID 3900 wrote to memory of 2888 | 3900 | e577dea.exe | 50
PID 3900 wrote to memory of 2968 | 3900 | e577dea.exe | 51
PID 3900 wrote to memory of 3396 | 3900 | e577dea.exe | 56
PID 3900 wrote to memory of 3524 | 3900 | e577dea.exe | 57
PID 3900 wrote to memory of 3720 | 3900 | e577dea.exe | 58
PID 3900 wrote to memory of 3812 | 3900 | e577dea.exe | 59
PID 3900 wrote to memory of 3876 | 3900 | e577dea.exe | 60
PID 3900 wrote to memory of 3956 | 3900 | e577dea.exe | 61
PID 3900 wrote to memory of 432 | 3900 | e577dea.exe | 62
PID 3900 wrote to memory of 2556 | 3900 | e577dea.exe | 74
PID 3900 wrote to memory of 3288 | 3900 | e577dea.exe | 76
PID 3900 wrote to memory of 4908 | 3900 | e577dea.exe | 81
PID 3900 wrote to memory of 1544 | 3900 | e577dea.exe | 82
PID 3900 wrote to memory of 1476 | 3900 | e577dea.exe | 83
PID 1476 wrote to memory of 1936 | 1476 | rundll32.exe | 85
PID 1476 wrote to memory of 212 | 1476 | rundll32.exe | 89
PID 3900 wrote to memory of 1936 | 3900 | e577dea.exe | 85
PID 3900 wrote to memory of 212 | 3900 | e577dea.exe | 89
PID 212 wrote to memory of 780 | 212 | e579971.exe | 8
PID 212 wrote to memory of 776 | 212 | e579971.exe | 9
PID 212 wrote to memory of 336 | 212 | e579971.exe | 13
PID 212 wrote to memory of 2868 | 212 | e579971.exe | 49
PID 212 wrote to memory of 2888 | 212 | e579971.exe | 50
PID 212 wrote to memory of 2968 | 212 | e579971.exe | 51
PID 212 wrote to memory of 3396 | 212 | e579971.exe | 56
PID 212 wrote to memory of 3524 | 212 | e579971.exe | 57
PID 212 wrote to memory of 3720 | 212 | e579971.exe | 58
PID 212 wrote to memory of 3812 | 212 | e579971.exe | 59
PID 212 wrote to memory of 3876 | 212 | e579971.exe | 60
PID 212 wrote to memory of 3956 | 212 | e579971.exe | 61
PID 212 wrote to memory of 432 | 212 | e579971.exe | 62
PID 212 wrote to memory of 2556 | 212 | e579971.exe | 74
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577dea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579971.exe
Processes
(image path | command line | PID; indentation shows the parent/child tree, signatures listed under each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 776

C:\Windows\system32\dwm.exe | "dwm.exe" | PID 336

C:\Windows\system32\sihost.exe | sihost.exe | PID 2868

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2888

C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2968

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3396
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll,#1 | PID 1544
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll,#1 | PID 1476
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e577dea.exe | C:\Users\Admin\AppData\Local\Temp\e577dea.exe | PID 3900
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e577f03.exe | C:\Users\Admin\AppData\Local\Temp\e577f03.exe | PID 1936
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e579971.exe | C:\Users\Admin\AppData\Local\Temp\e579971.exe | PID 212
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3524

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3812

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3956

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 432

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2556

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3288

C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 4908
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 72ab4e4c05ba953be25a1a087a3dd0b2
SHA1: 7be6725cf3bb491eb3de92dc6c1bdb72666ab77c
SHA256: 5352dc7e1c3cc2f1d775b8e3e21ca45399e61e52971bac221c8c34aca82672a1
SHA512: c10c5b27a56241d19d0543c92c50db6db85b5d9fa11fb9d0124cb9af1cd010bf4c3b1f1ca0f60675a1f3c18bfbb31d10598e99ce82c38271d885052e1deffd1e

Filesize: 257B
MD5: 57eaace2a0ffbd1c77d96691a1f27900
SHA1: f9205935a7256c63307601fc78567f132f345ba0
SHA256: 82bb588ba80c5c00a274767560930ad8373d1acbccebe92ad8506cf25ee49388
SHA512: ca2636685f0a5771565193034645f3560ce87a002988edeb37f6d49429d267c837ece046c483e0e89a55723250650bdb4296b9f2b560e4642e4dd3e1bd1f5b54