Analysis
- max time kernel: 95s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 20:45

Static task: static1
Behavioral task: behavioral1
Sample: 2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll
Resource: win7-20240903-en

General
- Target: 2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll
- Size: 120KB
- MD5: 67b73e214f278a2c9bb410182dc90445
- SHA1: 5e40715459970e32871167e6653fc8f5dcf7fa75
- SHA256: 2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929
- SHA512: f05b89e951f744ea3623e4dd6b1f62b42f4b638fa1f077ea2695aa6fb84fd8bc1f875c0b0124bb6a10337502e1ac907c371c80d9f828de8013c0e54dc3be3d47
- SSDEEP: 1536:Oo1T9ou2Dfyv0z45xilWqgqALTmF+m1ZZsZ4/fk1s32cr:j9duHqw2LybrysG
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f80c.exe
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f80c.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f80c.exe
Executes dropped EXE (4 IoCs)
pid | Process
4544 | e57c8ce.exe
4476 | e57ca64.exe
2836 | e57f80c.exe
4732 | e57f82b.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f80c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f80c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f80c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f80c.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f80c.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | e57c8ce.exe
File opened (read-only) | \??\N: | e57c8ce.exe
File opened (read-only) | \??\H: | e57f80c.exe
File opened (read-only) | \??\I: | e57f80c.exe
File opened (read-only) | \??\J: | e57f80c.exe
File opened (read-only) | \??\E: | e57c8ce.exe
File opened (read-only) | \??\K: | e57c8ce.exe
File opened (read-only) | \??\J: | e57c8ce.exe
File opened (read-only) | \??\L: | e57c8ce.exe
File opened (read-only) | \??\G: | e57f80c.exe
File opened (read-only) | \??\H: | e57c8ce.exe
File opened (read-only) | \??\I: | e57c8ce.exe
File opened (read-only) | \??\G: | e57c8ce.exe
File opened (read-only) | \??\E: | e57f80c.exe
Memory regions matching yara rule upx
resource | yara_rule
behavioral2/memory/4544-6-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-9-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-8-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-10-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-17-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-32-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-28-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-34-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-11-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-33-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-35-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-36-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-37-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-38-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-39-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-45-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-57-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-61-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-62-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-64-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-66-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-67-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-69-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-71-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/4544-73-0x0000000000750000-0x000000000180A000-memory.dmp | upx
behavioral2/memory/2836-108-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2836-157-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57c8ce.exe
File created | C:\Windows\e581f6a | e57f80c.exe
File created | C:\Windows\e57c95b | e57c8ce.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c8ce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ca64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f80c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f82b.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4544 | e57c8ce.exe
4544 | e57c8ce.exe
4544 | e57c8ce.exe
4544 | e57c8ce.exe
2836 | e57f80c.exe
2836 | e57f80c.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Token: SeDebugPrivilege | 4544 | e57c8ce.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1736 wrote to memory of 3604 | 1736 | rundll32.exe | 83
PID 1736 wrote to memory of 3604 | 1736 | rundll32.exe | 83
PID 1736 wrote to memory of 3604 | 1736 | rundll32.exe | 83
PID 3604 wrote to memory of 4544 | 3604 | rundll32.exe | 84
PID 3604 wrote to memory of 4544 | 3604 | rundll32.exe | 84
PID 3604 wrote to memory of 4544 | 3604 | rundll32.exe | 84
PID 4544 wrote to memory of 792 | 4544 | e57c8ce.exe | 9
PID 4544 wrote to memory of 800 | 4544 | e57c8ce.exe | 10
PID 4544 wrote to memory of 420 | 4544 | e57c8ce.exe | 13
PID 4544 wrote to memory of 2596 | 4544 | e57c8ce.exe | 44
PID 4544 wrote to memory of 2644 | 4544 | e57c8ce.exe | 45
PID 4544 wrote to memory of 2808 | 4544 | e57c8ce.exe | 48
PID 4544 wrote to memory of 3520 | 4544 | e57c8ce.exe | 56
PID 4544 wrote to memory of 3648 | 4544 | e57c8ce.exe | 57
PID 4544 wrote to memory of 3824 | 4544 | e57c8ce.exe | 58
PID 4544 wrote to memory of 3916 | 4544 | e57c8ce.exe | 59
PID 4544 wrote to memory of 3992 | 4544 | e57c8ce.exe | 60
PID 4544 wrote to memory of 4072 | 4544 | e57c8ce.exe | 61
PID 4544 wrote to memory of 3576 | 4544 | e57c8ce.exe | 62
PID 4544 wrote to memory of 396 | 4544 | e57c8ce.exe | 64
PID 4544 wrote to memory of 672 | 4544 | e57c8ce.exe | 76
PID 4544 wrote to memory of 2372 | 4544 | e57c8ce.exe | 81
PID 4544 wrote to memory of 1736 | 4544 | e57c8ce.exe | 82
PID 4544 wrote to memory of 3604 | 4544 | e57c8ce.exe | 83
PID 4544 wrote to memory of 3604 | 4544 | e57c8ce.exe | 83
PID 3604 wrote to memory of 4476 | 3604 | rundll32.exe | 85
PID 3604 wrote to memory of 4476 | 3604 | rundll32.exe | 85
PID 3604 wrote to memory of 4476 | 3604 | rundll32.exe | 85
PID 4544 wrote to memory of 792 | 4544 | e57c8ce.exe | 9
PID 4544 wrote to memory of 800 | 4544 | e57c8ce.exe | 10
PID 4544 wrote to memory of 420 | 4544 | e57c8ce.exe | 13
PID 4544 wrote to memory of 2596 | 4544 | e57c8ce.exe | 44
PID 4544 wrote to memory of 2644 | 4544 | e57c8ce.exe | 45
PID 4544 wrote to memory of 2808 | 4544 | e57c8ce.exe | 48
PID 4544 wrote to memory of 3520 | 4544 | e57c8ce.exe | 56
PID 4544 wrote to memory of 3648 | 4544 | e57c8ce.exe | 57
PID 4544 wrote to memory of 3824 | 4544 | e57c8ce.exe | 58
PID 4544 wrote to memory of 3916 | 4544 | e57c8ce.exe | 59
PID 4544 wrote to memory of 3992 | 4544 | e57c8ce.exe | 60
PID 4544 wrote to memory of 4072 | 4544 | e57c8ce.exe | 61
PID 4544 wrote to memory of 3576 | 4544 | e57c8ce.exe | 62
PID 4544 wrote to memory of 396 | 4544 | e57c8ce.exe | 64
PID 4544 wrote to memory of 672 | 4544 | e57c8ce.exe | 76
PID 4544 wrote to memory of 2372 | 4544 | e57c8ce.exe | 81
PID 4544 wrote to memory of 1736 | 4544 | e57c8ce.exe | 82
PID 4544 wrote to memory of 4476 | 4544 | e57c8ce.exe | 85
PID 4544 wrote to memory of 4476 | 4544 | e57c8ce.exe | 85
PID 3604 wrote to memory of 2836 | 3604 | rundll32.exe | 87
PID 3604 wrote to memory of 2836 | 3604 | rundll32.exe | 87
PID 3604 wrote to memory of 2836 | 3604 | rundll32.exe | 87
PID 3604 wrote to memory of 4732 | 3604 | rundll32.exe | 88
PID 3604 wrote to memory of 4732 | 3604 | rundll32.exe | 88
PID 3604 wrote to memory of 4732 | 3604 | rundll32.exe | 88
PID 2836 wrote to memory of 792 | 2836 | e57f80c.exe | 9
PID 2836 wrote to memory of 800 | 2836 | e57f80c.exe | 10
PID 2836 wrote to memory of 420 | 2836 | e57f80c.exe | 13
PID 2836 wrote to memory of 2596 | 2836 | e57f80c.exe | 44
PID 2836 wrote to memory of 2644 | 2836 | e57f80c.exe | 45
PID 2836 wrote to memory of 2808 | 2836 | e57f80c.exe | 48
PID 2836 wrote to memory of 3520 | 2836 | e57f80c.exe | 56
PID 2836 wrote to memory of 3648 | 2836 | e57f80c.exe | 57
PID 2836 wrote to memory of 3824 | 2836 | e57f80c.exe | 58
PID 2836 wrote to memory of 3916 | 2836 | e57f80c.exe | 59
PID 2836 wrote to memory of 3992 | 2836 | e57f80c.exe | 60
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c8ce.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f80c.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 792
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 800
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 420
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2596
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2644
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2808
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3520
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll,#1
    PID: 1736
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll,#1
      PID: 3604
      signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57c8ce.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57c8ce.exe
        PID: 4544
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57ca64.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57ca64.exe
        PID: 4476
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57f80c.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57f80c.exe
        PID: 2836
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57f82b.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57f82b.exe
        PID: 4732
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3648
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3824
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3916
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3992
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4072
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3576
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 396
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 672
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2372
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 7eae9a38d328aadc21719fcc8c917a68
  SHA1: 25e570dfbf42a3575f19f2604c7f2207082714f5
  SHA256: e98c61325414abaa72ae39893582b51b57d2ea837ea100f2a7a4290b5ec8c70b
  SHA512: ddb924ac52ff635d273372b94a5e0a8cebdb16e358d593f9ae3c439c2529c22762a024920140b3a64ba9481264c25907767c36fe83c93641a977b87ce55ac2c8
- Filesize: 257B
  MD5: cd3572aef47a79a4e0c24fc345d8457a
  SHA1: a247afaab756c6dd66c9e9736bec4f4b8a7c8ace
  SHA256: 6d6b9a19e68b89782dbf5630373841dd48cbd9ceb681709ea74adfe423063e1b
  SHA512: 4af2a8cf779a1b9917597130f3cf35c486c30890cf82f7ceb6d14ab5fa3f830e03f12abb4e00793524fc445f4d7d0cf4390f0cb9495e0e3b8a98e56807e4e950