Analysis
max time kernel: 96s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 23:59
Static task: static1
Behavioral task: behavioral1
Sample: 766ad1604235763431c502e7b5ad0aa3b0f35753dc4dee0b655b385d59ed878a.dll
Resource: win7-20240903-en
General
Target: 766ad1604235763431c502e7b5ad0aa3b0f35753dc4dee0b655b385d59ed878a.dll
Size: 120KB
MD5: 8990526710c4a5468b85a54a3e7cde6c
SHA1: 1cc39153a8badde651f62158ac2cb3433ad6afd8
SHA256: 766ad1604235763431c502e7b5ad0aa3b0f35753dc4dee0b655b385d59ed878a
SHA512: e23a118bfbf20a62dc92811cd7dd0c54eda1ad9afc3e1e60ec484b06ced399ac2fd671cd96b33385064abc0a32bb721c058129a71c0494d628ad6d6301321d53
SSDEEP: 1536:vx94sbeY6niLzwOZlDbhV7DcxTQsnjzdgOktz3CMd0DPUDKdGVIKLymIrjzs2VK2:vxeKeY6niowaVjPI7CPbUD8GHLg
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578e94.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aa0b.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578e94.exe

Executes dropped EXE (4 IoCs)
pid | Process
2664 | e578e94.exe
4216 | e578f9d.exe
2860 | e57a9fb.exe
764 | e57aa0b.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57aa0b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578e94.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57aa0b.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aa0b.exe

Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | e578e94.exe
File opened (read-only) | \??\T: | e578e94.exe
File opened (read-only) | \??\H: | e578e94.exe
File opened (read-only) | \??\I: | e578e94.exe
File opened (read-only) | \??\N: | e578e94.exe
File opened (read-only) | \??\R: | e578e94.exe
File opened (read-only) | \??\E: | e57aa0b.exe
File opened (read-only) | \??\G: | e578e94.exe
File opened (read-only) | \??\K: | e578e94.exe
File opened (read-only) | \??\P: | e578e94.exe
File opened (read-only) | \??\S: | e578e94.exe
File opened (read-only) | \??\G: | e57aa0b.exe
File opened (read-only) | \??\J: | e578e94.exe
File opened (read-only) | \??\M: | e578e94.exe
File opened (read-only) | \??\Q: | e578e94.exe
File opened (read-only) | \??\E: | e578e94.exe
File opened (read-only) | \??\L: | e578e94.exe

yara rule matches in memory (rule: upx, 34 dumps)
resource | yara_rule
behavioral2/memory/2664-N-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx, for N in 6, 8, 9, 10, 11, 12, 13, 26, 31, 32, 34, 35, 36, 37, 38, 40, 41, 53, 58, 59, 73, 74, 77, 79, 82, 83, 86, 87, 88, 89, 91, 99 (32 dumps)
behavioral2/memory/764-N-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx, for N in 132, 167 (2 dumps)

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e578e94.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e578e94.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e578e94.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e578e94.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e578ef2 | e578e94.exe
File opened for modification | C:\Windows\SYSTEM.INI | e578e94.exe
File created | C:\Windows\e57ded7 | e57aa0b.exe

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578e94.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578f9d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a9fb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57aa0b.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2664 | e578e94.exe (x4)
764 | e57aa0b.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2664 | e578e94.exe (x64)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1384 wrote to memory of 1716 | 1384 | rundll32.exe | 84 (x3)
PID 1716 wrote to memory of 2664 | 1716 | rundll32.exe | 85 (x3)
PID 2664 wrote to memory of 780 | 2664 | e578e94.exe | 8
PID 2664 wrote to memory of 788 | 2664 | e578e94.exe | 9
PID 2664 wrote to memory of 384 | 2664 | e578e94.exe | 13
PID 2664 wrote to memory of 2876 | 2664 | e578e94.exe | 50
PID 2664 wrote to memory of 2892 | 2664 | e578e94.exe | 51
PID 2664 wrote to memory of 3028 | 2664 | e578e94.exe | 52
PID 2664 wrote to memory of 3444 | 2664 | e578e94.exe | 56
PID 2664 wrote to memory of 3556 | 2664 | e578e94.exe | 57
PID 2664 wrote to memory of 3756 | 2664 | e578e94.exe | 58
PID 2664 wrote to memory of 3856 | 2664 | e578e94.exe | 59
PID 2664 wrote to memory of 3916 | 2664 | e578e94.exe | 60
PID 2664 wrote to memory of 4004 | 2664 | e578e94.exe | 61
PID 2664 wrote to memory of 3460 | 2664 | e578e94.exe | 62
PID 2664 wrote to memory of 3088 | 2664 | e578e94.exe | 75
PID 2664 wrote to memory of 3340 | 2664 | e578e94.exe | 76
PID 2664 wrote to memory of 676 | 2664 | e578e94.exe | 77
PID 2664 wrote to memory of 3864 | 2664 | e578e94.exe | 82
PID 2664 wrote to memory of 1384 | 2664 | e578e94.exe | 83
PID 2664 wrote to memory of 1716 | 2664 | e578e94.exe | 84 (x2)
PID 1716 wrote to memory of 4216 | 1716 | rundll32.exe | 86 (x3)
PID 1716 wrote to memory of 2860 | 1716 | rundll32.exe | 88 (x3)
PID 1716 wrote to memory of 764 | 1716 | rundll32.exe | 89 (x3)
PID 2664 wrote to memory of 780 | 2664 | e578e94.exe | 8
PID 2664 wrote to memory of 788 | 2664 | e578e94.exe | 9
PID 2664 wrote to memory of 384 | 2664 | e578e94.exe | 13
PID 2664 wrote to memory of 2876 | 2664 | e578e94.exe | 50
PID 2664 wrote to memory of 2892 | 2664 | e578e94.exe | 51
PID 2664 wrote to memory of 3028 | 2664 | e578e94.exe | 52
PID 2664 wrote to memory of 3444 | 2664 | e578e94.exe | 56
PID 2664 wrote to memory of 3556 | 2664 | e578e94.exe | 57
PID 2664 wrote to memory of 3756 | 2664 | e578e94.exe | 58
PID 2664 wrote to memory of 3856 | 2664 | e578e94.exe | 59
PID 2664 wrote to memory of 3916 | 2664 | e578e94.exe | 60
PID 2664 wrote to memory of 4004 | 2664 | e578e94.exe | 61
PID 2664 wrote to memory of 3460 | 2664 | e578e94.exe | 62
PID 2664 wrote to memory of 3088 | 2664 | e578e94.exe | 75
PID 2664 wrote to memory of 3340 | 2664 | e578e94.exe | 76
PID 2664 wrote to memory of 676 | 2664 | e578e94.exe | 77
PID 2664 wrote to memory of 4216 | 2664 | e578e94.exe | 86 (x2)
PID 2664 wrote to memory of 2860 | 2664 | e578e94.exe | 88 (x2)
PID 2664 wrote to memory of 764 | 2664 | e578e94.exe | 89 (x2)
PID 764 wrote to memory of 780 | 764 | e57aa0b.exe | 8
PID 764 wrote to memory of 788 | 764 | e57aa0b.exe | 9
PID 764 wrote to memory of 384 | 764 | e57aa0b.exe | 13
PID 764 wrote to memory of 2876 | 764 | e57aa0b.exe | 50
PID 764 wrote to memory of 2892 | 764 | e57aa0b.exe | 51
PID 764 wrote to memory of 3028 | 764 | e57aa0b.exe | 52
PID 764 wrote to memory of 3444 | 764 | e57aa0b.exe | 56

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578e94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aa0b.exe
Processes
(one line per process: image path | command line | PID; indentation shows the parent/child nesting level; signatures triggered by the process are listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
C:\Windows\system32\sihost.exe | sihost.exe | PID:2876
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2892
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3028
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3444
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\766ad1604235763431c502e7b5ad0aa3b0f35753dc4dee0b655b385d59ed878a.dll,#1 | PID:1384
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\766ad1604235763431c502e7b5ad0aa3b0f35753dc4dee0b655b385d59ed878a.dll,#1 | PID:1716
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e578e94.exe | C:\Users\Admin\AppData\Local\Temp\e578e94.exe | PID:2664
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e578f9d.exe | C:\Users\Admin\AppData\Local\Temp\e578f9d.exe | PID:4216
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57a9fb.exe | C:\Users\Admin\AppData\Local\Temp\e57a9fb.exe | PID:2860
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57aa0b.exe | C:\Users\Admin\AppData\Local\Temp\e57aa0b.exe | PID:764
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3556
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3756
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3856
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3916
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4004
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3460
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3088
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3340
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:676
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:3864
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 1e2200eda22ce95e1bba8e22dacb113f
SHA1: b8a7fa8f5ea71961107136d482a9f07339cc6b9f
SHA256: d3e86257de23499dea3a3d70c66f1450840179ca5728dcecaacc53dccc4d8f3f
SHA512: d878c686083674c3ad4deb34ba5ae99dfd80b539c25d4f355d71d83b99f5bd3bc4a6e28f7083c4694039f7ab60edd0de4f87b52d77f4253addabcd71624bd3d9

Filesize: 256B
MD5: e6715099e4affcbaf0bbd935aa8eceed
SHA1: 2d9c7c4005febd1c723cb6232954d3924ca654b2
SHA256: 05664bc709348fcee8cef6fa328527bfc48df015b8dc802dce25eb29f2a6219b
SHA512: 4e8b1aa6f3a749bb1eac418bc60b7da6a9f159ea64db241fa67ce046ac60d636b9cd35a22fe29d1adc66987b03231fdebbfdfa33abd4424c2873f3caab85b109