Analysis
-
max time kernel: 96s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 20:49
Static task: static1
Behavioral task: behavioral1
Sample: 2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll
Resource: win7-20240903-en
General
-
Target: 2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll
Size: 120KB
MD5: 67b73e214f278a2c9bb410182dc90445
SHA1: 5e40715459970e32871167e6653fc8f5dcf7fa75
SHA256: 2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929
SHA512: f05b89e951f744ea3623e4dd6b1f62b42f4b638fa1f077ea2695aa6fb84fd8bc1f875c0b0124bb6a10337502e1ac907c371c80d9f828de8013c0e54dc3be3d47
SSDEEP: 1536:Oo1T9ou2Dfyv0z45xilWqgqALTmF+m1ZZsZ4/fk1s32cr:j9duHqw2LybrysG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e5ad.exe
-
Sality family
-
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e5ad.exe
-
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b9f9.exe
-
Executes dropped EXE 3 IoCs
pid | Process
1980 | e57b9f9.exe
4000 | e57bb22.exe
4308 | e57e5ad.exe
-
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e5ad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b9f9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e5ad.exe
-
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e5ad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b9f9.exe
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e57b9f9.exe
File opened (read-only) | \??\M: | e57b9f9.exe
File opened (read-only) | \??\E: | e57e5ad.exe
File opened (read-only) | \??\G: | e57e5ad.exe
File opened (read-only) | \??\H: | e57e5ad.exe
File opened (read-only) | \??\J: | e57e5ad.exe
File opened (read-only) | \??\I: | e57e5ad.exe
File opened (read-only) | \??\E: | e57b9f9.exe
File opened (read-only) | \??\G: | e57b9f9.exe
File opened (read-only) | \??\H: | e57b9f9.exe
File opened (read-only) | \??\I: | e57b9f9.exe
File opened (read-only) | \??\J: | e57b9f9.exe
File opened (read-only) | \??\K: | e57b9f9.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57ba67 | e57b9f9.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b9f9.exe
File created | C:\Windows\e58126a | e57e5ad.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb22.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e5ad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b9f9.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1980 | e57b9f9.exe
1980 | e57b9f9.exe
1980 | e57b9f9.exe
1980 | e57b9f9.exe
4308 | e57e5ad.exe
4308 | e57e5ad.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
Token: SeDebugPrivilege | 1980 | e57b9f9.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3164 wrote to memory of 4764 | 3164 | rundll32.exe | 82
PID 3164 wrote to memory of 4764 | 3164 | rundll32.exe | 82
PID 3164 wrote to memory of 4764 | 3164 | rundll32.exe | 82
PID 4764 wrote to memory of 1980 | 4764 | rundll32.exe | 83
PID 4764 wrote to memory of 1980 | 4764 | rundll32.exe | 83
PID 4764 wrote to memory of 1980 | 4764 | rundll32.exe | 83
PID 1980 wrote to memory of 776 | 1980 | e57b9f9.exe | 8
PID 1980 wrote to memory of 784 | 1980 | e57b9f9.exe | 9
PID 1980 wrote to memory of 336 | 1980 | e57b9f9.exe | 13
PID 1980 wrote to memory of 2652 | 1980 | e57b9f9.exe | 44
PID 1980 wrote to memory of 2680 | 1980 | e57b9f9.exe | 45
PID 1980 wrote to memory of 2776 | 1980 | e57b9f9.exe | 47
PID 1980 wrote to memory of 3536 | 1980 | e57b9f9.exe | 56
PID 1980 wrote to memory of 3652 | 1980 | e57b9f9.exe | 57
PID 1980 wrote to memory of 3828 | 1980 | e57b9f9.exe | 58
PID 1980 wrote to memory of 3920 | 1980 | e57b9f9.exe | 59
PID 1980 wrote to memory of 3984 | 1980 | e57b9f9.exe | 60
PID 1980 wrote to memory of 4076 | 1980 | e57b9f9.exe | 61
PID 1980 wrote to memory of 4124 | 1980 | e57b9f9.exe | 62
PID 1980 wrote to memory of 3836 | 1980 | e57b9f9.exe | 73
PID 1980 wrote to memory of 3200 | 1980 | e57b9f9.exe | 75
PID 1980 wrote to memory of 1384 | 1980 | e57b9f9.exe | 80
PID 1980 wrote to memory of 3164 | 1980 | e57b9f9.exe | 81
PID 1980 wrote to memory of 4764 | 1980 | e57b9f9.exe | 82
PID 1980 wrote to memory of 4764 | 1980 | e57b9f9.exe | 82
PID 4764 wrote to memory of 4000 | 4764 | rundll32.exe | 84
PID 4764 wrote to memory of 4000 | 4764 | rundll32.exe | 84
PID 4764 wrote to memory of 4000 | 4764 | rundll32.exe | 84
PID 1980 wrote to memory of 776 | 1980 | e57b9f9.exe | 8
PID 1980 wrote to memory of 784 | 1980 | e57b9f9.exe | 9
PID 1980 wrote to memory of 336 | 1980 | e57b9f9.exe | 13
PID 1980 wrote to memory of 2652 | 1980 | e57b9f9.exe | 44
PID 1980 wrote to memory of 2680 | 1980 | e57b9f9.exe | 45
PID 1980 wrote to memory of 2776 | 1980 | e57b9f9.exe | 47
PID 1980 wrote to memory of 3536 | 1980 | e57b9f9.exe | 56
PID 1980 wrote to memory of 3652 | 1980 | e57b9f9.exe | 57
PID 1980 wrote to memory of 3828 | 1980 | e57b9f9.exe | 58
PID 1980 wrote to memory of 3920 | 1980 | e57b9f9.exe | 59
PID 1980 wrote to memory of 3984 | 1980 | e57b9f9.exe | 60
PID 1980 wrote to memory of 4076 | 1980 | e57b9f9.exe | 61
PID 1980 wrote to memory of 4124 | 1980 | e57b9f9.exe | 62
PID 1980 wrote to memory of 3836 | 1980 | e57b9f9.exe | 73
PID 1980 wrote to memory of 3200 | 1980 | e57b9f9.exe | 75
PID 1980 wrote to memory of 1384 | 1980 | e57b9f9.exe | 80
PID 1980 wrote to memory of 3164 | 1980 | e57b9f9.exe | 81
PID 1980 wrote to memory of 4000 | 1980 | e57b9f9.exe | 84
PID 1980 wrote to memory of 4000 | 1980 | e57b9f9.exe | 84
PID 4764 wrote to memory of 4308 | 4764 | rundll32.exe | 85
PID 4764 wrote to memory of 4308 | 4764 | rundll32.exe | 85
PID 4764 wrote to memory of 4308 | 4764 | rundll32.exe | 85
PID 4308 wrote to memory of 776 | 4308 | e57e5ad.exe | 8
PID 4308 wrote to memory of 784 | 4308 | e57e5ad.exe | 9
PID 4308 wrote to memory of 336 | 4308 | e57e5ad.exe | 13
PID 4308 wrote to memory of 2652 | 4308 | e57e5ad.exe | 44
PID 4308 wrote to memory of 2680 | 4308 | e57e5ad.exe | 45
PID 4308 wrote to memory of 2776 | 4308 | e57e5ad.exe | 47
PID 4308 wrote to memory of 3536 | 4308 | e57e5ad.exe | 56
PID 4308 wrote to memory of 3652 | 4308 | e57e5ad.exe | 57
PID 4308 wrote to memory of 3828 | 4308 | e57e5ad.exe | 58
PID 4308 wrote to memory of 3920 | 4308 | e57e5ad.exe | 59
PID 4308 wrote to memory of 3984 | 4308 | e57e5ad.exe | 60
PID 4308 wrote to memory of 4076 | 4308 | e57e5ad.exe | 61
PID 4308 wrote to memory of 4124 | 4308 | e57e5ad.exe | 62
PID 4308 wrote to memory of 3836 | 4308 | e57e5ad.exe | 73
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b9f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e5ad.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 776
-
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 784
-
C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 336
-
C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2652
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2680
-
C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2776
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3536
    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll,#1
      - Suspicious use of WriteProcessMemory
      PID: 3164
        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcf823d7aaa757b5bf0a00bb815f0921db21aa8245b7a8c252a834fae80e929.dll,#1
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4764
            C:\Users\Admin\AppData\Local\Temp\e57b9f9.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57b9f9.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 1980
            C:\Users\Admin\AppData\Local\Temp\e57bb22.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57bb22.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID: 4000
            C:\Users\Admin\AppData\Local\Temp\e57e5ad.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57e5ad.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 4308
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3652
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3828
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3920
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3984
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4076
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4124
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3836
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3200
-
C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1384
Network
MITRE ATT&CK Enterprise v15
-
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 7eae9a38d328aadc21719fcc8c917a68
SHA1: 25e570dfbf42a3575f19f2604c7f2207082714f5
SHA256: e98c61325414abaa72ae39893582b51b57d2ea837ea100f2a7a4290b5ec8c70b
SHA512: ddb924ac52ff635d273372b94a5e0a8cebdb16e358d593f9ae3c439c2529c22762a024920140b3a64ba9481264c25907767c36fe83c93641a977b87ce55ac2c8
-
Filesize: 257B
MD5: 0420efb5719a3de6ea2b432a1ea7d1c7
SHA1: 921629ed8dccfd08f74ed68ad30b42e8713fbe2f
SHA256: 4eb8c551f0c816afeeb6edae344639c8076a1b42feb9b679e029443312986f32
SHA512: 259013c422129cf8d63d8e2bfb5adbb289e415a27862fd15892934ad058ee4e6f8985ee621cc6dfb2f29debec4b1567ad40691f5a7345db74891b2b5e56efa43