Analysis
max time kernel: 97s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 18:41
Static task: static1
Behavioral task: behavioral1
Sample: ba69dcf3d16a5073f337793f87f11ad8c6512da7edac33bb6f4216d6c1c3fc9aN.dll
Resource: win7-20240708-en
General
Target: ba69dcf3d16a5073f337793f87f11ad8c6512da7edac33bb6f4216d6c1c3fc9aN.dll
Size: 120KB
MD5: f3343ec7567bb798e6168f380a6cca70
SHA1: 03e1a2f2f9ddffb33f0a5fe0d9822b508157674a
SHA256: ba69dcf3d16a5073f337793f87f11ad8c6512da7edac33bb6f4216d6c1c3fc9a
SHA512: 221e7366c493fc924d10fb381cf6a9a6aff7d2245af85e0d2e082869eb0b5f7f871318444215302e0b5c5fa62d3540836f73e3d636a8c5b948a00a337f777a19
SSDEEP: 3072:mrzjmn2XzoaVBe7eyEa4EahUy00Nvlv5q:mrzjmn2Xo+Z300NB5
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a354.exe
Sality family
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d60d.exe
Windows security bypass 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d60d.exe
Executes dropped EXE 4 IoCs
pid | Process
4860 | e57a037.exe
3464 | e57a354.exe
524 | e57d580.exe
3280 | e57d60d.exe
Windows security modification 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a037.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a354.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d60d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d60d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d60d.exe
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d60d.exe
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e57a037.exe
File opened (read-only) | \??\K: | e57a037.exe
File opened (read-only) | \??\L: | e57a037.exe
File opened (read-only) | \??\E: | e57a037.exe
File opened (read-only) | \??\G: | e57a037.exe
File opened (read-only) | \??\H: | e57a037.exe
File opened (read-only) | \??\I: | e57a037.exe
Yara rule match: upx 30 IoCs
resource | yara_rule
behavioral2/memory/4860-N-0x00000000007A0000-0x000000000185A000-memory.dmp | upx (23 dumps; N = 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 35, 36, 37, 38, 39, 45, 54, 60, 61, 63, 65, 67, 73)
behavioral2/memory/3464-N-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx (7 dumps; N = 90, 92, 93, 94, 95, 96, 133)
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\e57f5ca | e57a354.exe
File created | C:\Windows\e581e70 | e57d60d.exe
File created | C:\Windows\e57a0c4 | e57a037.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a037.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a037.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a354.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d580.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d60d.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4860 | e57a037.exe (4 entries)
3464 | e57a354.exe (2 entries)
3280 | e57d60d.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4860 | e57a037.exe (this entry is repeated 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4744 wrote to memory of 1524 | 4744 | rundll32.exe | 82 (3 entries)
PID 1524 wrote to memory of 4860 | 1524 | rundll32.exe | 83 (3 entries)
PID 4860 wrote to memory of 780 | 4860 | e57a037.exe | 8
PID 4860 wrote to memory of 788 | 4860 | e57a037.exe | 9
PID 4860 wrote to memory of 336 | 4860 | e57a037.exe | 13
PID 4860 wrote to memory of 2684 | 4860 | e57a037.exe | 44
PID 4860 wrote to memory of 2696 | 4860 | e57a037.exe | 45
PID 4860 wrote to memory of 2908 | 4860 | e57a037.exe | 51
PID 4860 wrote to memory of 3436 | 4860 | e57a037.exe | 56
PID 4860 wrote to memory of 3572 | 4860 | e57a037.exe | 57
PID 4860 wrote to memory of 3752 | 4860 | e57a037.exe | 58
PID 4860 wrote to memory of 3848 | 4860 | e57a037.exe | 59
PID 4860 wrote to memory of 3916 | 4860 | e57a037.exe | 60
PID 4860 wrote to memory of 4008 | 4860 | e57a037.exe | 61
PID 4860 wrote to memory of 4232 | 4860 | e57a037.exe | 62
PID 4860 wrote to memory of 2416 | 4860 | e57a037.exe | 75
PID 4860 wrote to memory of 1268 | 4860 | e57a037.exe | 76
PID 4860 wrote to memory of 4744 | 4860 | e57a037.exe | 81
PID 4860 wrote to memory of 1524 | 4860 | e57a037.exe | 82 (2 entries)
PID 1524 wrote to memory of 3464 | 1524 | rundll32.exe | 84 (3 entries)
PID 4860 wrote to memory of 780 | 4860 | e57a037.exe | 8
PID 4860 wrote to memory of 788 | 4860 | e57a037.exe | 9
PID 4860 wrote to memory of 336 | 4860 | e57a037.exe | 13
PID 4860 wrote to memory of 2684 | 4860 | e57a037.exe | 44
PID 4860 wrote to memory of 2696 | 4860 | e57a037.exe | 45
PID 4860 wrote to memory of 2908 | 4860 | e57a037.exe | 51
PID 4860 wrote to memory of 3436 | 4860 | e57a037.exe | 56
PID 4860 wrote to memory of 3572 | 4860 | e57a037.exe | 57
PID 4860 wrote to memory of 3752 | 4860 | e57a037.exe | 58
PID 4860 wrote to memory of 3848 | 4860 | e57a037.exe | 59
PID 4860 wrote to memory of 3916 | 4860 | e57a037.exe | 60
PID 4860 wrote to memory of 4008 | 4860 | e57a037.exe | 61
PID 4860 wrote to memory of 4232 | 4860 | e57a037.exe | 62
PID 4860 wrote to memory of 2416 | 4860 | e57a037.exe | 75
PID 4860 wrote to memory of 1268 | 4860 | e57a037.exe | 76
PID 4860 wrote to memory of 4744 | 4860 | e57a037.exe | 81
PID 4860 wrote to memory of 3464 | 4860 | e57a037.exe | 84 (2 entries)
PID 1524 wrote to memory of 524 | 1524 | rundll32.exe | 85 (3 entries)
PID 1524 wrote to memory of 3280 | 1524 | rundll32.exe | 86 (3 entries)
PID 3464 wrote to memory of 780 | 3464 | e57a354.exe | 8
PID 3464 wrote to memory of 788 | 3464 | e57a354.exe | 9
PID 3464 wrote to memory of 336 | 3464 | e57a354.exe | 13
PID 3464 wrote to memory of 2684 | 3464 | e57a354.exe | 44
PID 3464 wrote to memory of 2696 | 3464 | e57a354.exe | 45
PID 3464 wrote to memory of 2908 | 3464 | e57a354.exe | 51
PID 3464 wrote to memory of 3436 | 3464 | e57a354.exe | 56
PID 3464 wrote to memory of 3572 | 3464 | e57a354.exe | 57
PID 3464 wrote to memory of 3752 | 3464 | e57a354.exe | 58
PID 3464 wrote to memory of 3848 | 3464 | e57a354.exe | 59
PID 3464 wrote to memory of 3916 | 3464 | e57a354.exe | 60
PID 3464 wrote to memory of 4008 | 3464 | e57a354.exe | 61
PID 3464 wrote to memory of 4232 | 3464 | e57a354.exe | 62
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a037.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a354.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d60d.exe
Processes
(image path | command line | PID; nesting level is shown by indentation)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
C:\Windows\system32\sihost.exe | sihost.exe | PID:2684
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2696
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2908
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba69dcf3d16a5073f337793f87f11ad8c6512da7edac33bb6f4216d6c1c3fc9aN.dll,#1 | PID:4744
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba69dcf3d16a5073f337793f87f11ad8c6512da7edac33bb6f4216d6c1c3fc9aN.dll,#1 | PID:1524
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57a037.exe | C:\Users\Admin\AppData\Local\Temp\e57a037.exe | PID:4860
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57a354.exe | C:\Users\Admin\AppData\Local\Temp\e57a354.exe | PID:3464
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57d580.exe | C:\Users\Admin\AppData\Local\Temp\e57d580.exe | PID:524
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57d60d.exe | C:\Users\Admin\AppData\Local\Temp\e57d60d.exe | PID:3280
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3572
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3752
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3848
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3916
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4008
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4232
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2416
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1268
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 6d66791547072847ad75abcbca176a71
SHA1: c20ae6f2a602bc70bbcdafe4fcaf5dd12e14ca38
SHA256: c13640e5cd2030cdf70d7c2eedc679526fec1a2f050277716f7a75d6c1e9ad72
SHA512: eb6a9d2deb80da0fc54ed631bc6cf16bec7c26c18517d6d31a8728c5079612903f56c966d75063c56d5d48bec1bf30c14ad0544102d6eb78dfb3206b8b6b21dc

Filesize: 257B
MD5: 4e2954f686c7de9fe7293cba3c4e479a
SHA1: 36d357b7f4f0d3ad196a12515162a7fd2dbc22f7
SHA256: 9b6e97e0e8498bdd851d47d74e79d7fb1b0f682e7f7c0c322db6b2e7abe6942e
SHA512: d77407e57566f3b241ad1ca3377958d8d9f05c062aa5be195cb061faffec84f2908398b16bbd053949e1c7be5990210d64b9779876f3718c0de8b6ae56f4ec85