Analysis

max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 17:25

Static task: static1
Behavioral task: behavioral1
Sample: 61ecd949c3524eb9f90463a66a67ac74b0d1681f12b9856154610f40aeb0ade3N.dll
Resource: win7-20240903-en
General

Target: 61ecd949c3524eb9f90463a66a67ac74b0d1681f12b9856154610f40aeb0ade3N.dll
Size: 120KB
MD5: bf4ecb24fa84b516d7fea5dadd49cab0
SHA1: 2d44904ce49daffb7b0cc778117f9037a444d44f
SHA256: 61ecd949c3524eb9f90463a66a67ac74b0d1681f12b9856154610f40aeb0ade3
SHA512: 0663247b49a6f3d4c3d0899eddcf15cd88cd1f3db517dc90935246b8eea2473d60bc12cbbda9ebdf9670b75e3757ef8d2aec7a5f95871ff4546d496c633ee381
SSDEEP: 3072:MyIHzXTQpwFGh4U2IxQxvLy85UUvQqDfbiYEjiDqEy:BcQAGhXlxM5J9bIiGEy
Malware Config

Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e687.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57cb2f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57cb2f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57cb2f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e687.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e687.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cb2f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e687.exe
Windows security bypass (12 IoCs)
description | ioc | Process
All entries are "Set value (int)" on values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, each set to "1" by both e57cb2f.exe and e57e687.exe:
Set value (int) | ...\Security Center\AntiVirusDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\AntiVirusOverride = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\FirewallDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\FirewallOverride = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\UacDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\UpdatesDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Executes dropped EXE (3 IoCs)
pid | Process
2124 | e57cb2f.exe
1948 | e57cc97.exe
3152 | e57e687.exe
Windows security modification (14 IoCs)
description | ioc | Process
All "Set value (int)" entries are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, each set to "1" by both e57cb2f.exe and e57e687.exe:
Set value (int) | ...\Security Center\AntiVirusDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\AntiVirusOverride = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\FirewallDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\FirewallOverride = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\UacDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Set value (int) | ...\Security Center\UpdatesDisableNotify = "1" | e57cb2f.exe, e57e687.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57cb2f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e687.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cb2f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e687.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (15 drive letters) | e57cb2f.exe
File opened (read-only) | \??\E: | e57e687.exe
UPX-packed memory regions (yara rule "upx" matched on memory dumps)
resource | yara_rule
behavioral2/memory/2124-N-0x0000000000760000-0x000000000181A000-memory.dmp for N in 8, 9, 10, 11, 12, 18, 19, 27, 29, 34, 35, 36, 37, 38, 39, 41, 42, 51, 54, 55, 57, 66, 71, 72, 75, 76, 78, 79, 80, 81, 87, 88, 94 (33 dumps of the same region in PID 2124, e57cb2f.exe) | upx
behavioral2/memory/3152-N-0x0000000000BA0000-0x0000000001C5A000-memory.dmp for N in 121, 157 (2 dumps of the same region in PID 3152, e57e687.exe) | upx
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57cb2f.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57cb2f.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57cb2f.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57cb2f.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57cb2f.exe
File created | C:\Windows\e581c6c | e57e687.exe
File created | C:\Windows\e57cb8d | e57cb2f.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cb2f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cc97.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e687.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process | repeats
2124 | e57cb2f.exe | 4
3152 | e57e687.exe | 2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2124 | e57cb2f.exe (the same entry is repeated 64 times)
Suspicious use of WriteProcessMemory (64 IoCs; identical entries are collapsed, with the repeat count in the last column)
description | pid | Process | procid_target | repeats
PID 2900 wrote to memory of 976 | 2900 | rundll32.exe | 83 | 3
PID 976 wrote to memory of 2124 | 976 | rundll32.exe | 84 | 3
PID 2124 wrote to memory of 776 | 2124 | e57cb2f.exe | 8 | 2
PID 2124 wrote to memory of 780 | 2124 | e57cb2f.exe | 9 | 2
PID 2124 wrote to memory of 316 | 2124 | e57cb2f.exe | 13 | 2
PID 2124 wrote to memory of 2612 | 2124 | e57cb2f.exe | 44 | 2
PID 2124 wrote to memory of 2636 | 2124 | e57cb2f.exe | 45 | 2
PID 2124 wrote to memory of 3008 | 2124 | e57cb2f.exe | 51 | 2
PID 2124 wrote to memory of 3632 | 2124 | e57cb2f.exe | 56 | 2
PID 2124 wrote to memory of 3756 | 2124 | e57cb2f.exe | 57 | 2
PID 2124 wrote to memory of 3928 | 2124 | e57cb2f.exe | 58 | 2
PID 2124 wrote to memory of 4028 | 2124 | e57cb2f.exe | 59 | 2
PID 2124 wrote to memory of 4092 | 2124 | e57cb2f.exe | 60 | 2
PID 2124 wrote to memory of 3068 | 2124 | e57cb2f.exe | 61 | 2
PID 2124 wrote to memory of 4180 | 2124 | e57cb2f.exe | 62 | 2
PID 2124 wrote to memory of 3408 | 2124 | e57cb2f.exe | 74 | 2
PID 2124 wrote to memory of 3256 | 2124 | e57cb2f.exe | 76 | 2
PID 2124 wrote to memory of 3332 | 2124 | e57cb2f.exe | 81 | 1
PID 2124 wrote to memory of 2900 | 2124 | e57cb2f.exe | 82 | 1
PID 2124 wrote to memory of 976 | 2124 | e57cb2f.exe | 83 | 2
PID 976 wrote to memory of 1948 | 976 | rundll32.exe | 85 | 3
PID 976 wrote to memory of 3152 | 976 | rundll32.exe | 87 | 3
PID 2124 wrote to memory of 1948 | 2124 | e57cb2f.exe | 85 | 2
PID 2124 wrote to memory of 3152 | 2124 | e57cb2f.exe | 87 | 2
PID 3152 wrote to memory of 776 | 3152 | e57e687.exe | 8 | 1
PID 3152 wrote to memory of 780 | 3152 | e57e687.exe | 9 | 1
PID 3152 wrote to memory of 316 | 3152 | e57e687.exe | 13 | 1
PID 3152 wrote to memory of 2612 | 3152 | e57e687.exe | 44 | 1
PID 3152 wrote to memory of 2636 | 3152 | e57e687.exe | 45 | 1
PID 3152 wrote to memory of 3008 | 3152 | e57e687.exe | 51 | 1
PID 3152 wrote to memory of 3632 | 3152 | e57e687.exe | 56 | 1
PID 3152 wrote to memory of 3756 | 3152 | e57e687.exe | 57 | 1
PID 3152 wrote to memory of 3928 | 3152 | e57e687.exe | 58 | 1
PID 3152 wrote to memory of 4028 | 3152 | e57e687.exe | 59 | 1
PID 3152 wrote to memory of 4092 | 3152 | e57e687.exe | 60 | 1
PID 3152 wrote to memory of 3068 | 3152 | e57e687.exe | 61 | 1
PID 3152 wrote to memory of 4180 | 3152 | e57e687.exe | 62 | 1
PID 3152 wrote to memory of 3408 | 3152 | e57e687.exe | 74 | 1
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cb2f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e687.exe
Processes (indentation shows the parent/child relationship; signatures triggered by a process are listed beneath it)

C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 776

C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 780

C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 316

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2612

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2636

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 3008

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3632

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ecd949c3524eb9f90463a66a67ac74b0d1681f12b9856154610f40aeb0ade3N.dll,#1
    PID: 2900
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ecd949c3524eb9f90463a66a67ac74b0d1681f12b9856154610f40aeb0ade3N.dll,#1
      PID: 976
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\e57cb2f.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e57cb2f.exe
        PID: 2124
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

      C:\Users\Admin\AppData\Local\Temp\e57cc97.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e57cc97.exe
        PID: 1948
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\e57e687.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e57e687.exe
        PID: 3152
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3756

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 4028

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3068

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4180

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3408

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3256

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 3332
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

File 1
Filesize: 97KB
MD5: 4f640461fa79075b0ed41d39ea15bc2e
SHA1: 4bd48f2d926be5d2bdcd0375c5a2a805dd4c409d
SHA256: 3300e32b56937fa0376cf5b91e5b4b372af0f720ee510deb8e8705b0eac6ec52
SHA512: 86b4cc1bf796d84d310473b0c607faf20b7fcc7b79b0f16bff5cdb0c4477417a07a78639eb89b3dff7726bdd2e8ea610c57cab9a24dcc9d70925d9d271adf77a

File 2
Filesize: 256B
MD5: 315927fe50e0aa3b249554cec5b52860
SHA1: d8162a6d8e3d2c4d2b617246e59c010fd9a84890
SHA256: 5fb82a5fb6822c6e07f223a0d4a15100cb3c4b9884767eea549cdca16d17791b
SHA512: 0c06def21f27ab73b26d8af96a057e71eaddfe55f041eed96a1fe49b41851a76077e15e64216f306906e3d5ecca77e119c7eef5d6e2c168b206bcf0523892fe3