Analysis
max time kernel: 31s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 01:09
Static task: static1
Behavioral task: behavioral1
Sample: 082dbf376175e714a33842341a4a63b303922d9fdeaac1008759c24397a721f6N.dll
Resource: win7-20241023-en
General
Target: 082dbf376175e714a33842341a4a63b303922d9fdeaac1008759c24397a721f6N.dll
Size: 120KB
MD5: 7138b6eb9c4f042fe1c9d71dc04a1350
SHA1: 4e936bf9c767f1a6bb8b0e11104a0472f7ce8997
SHA256: 082dbf376175e714a33842341a4a63b303922d9fdeaac1008759c24397a721f6
SHA512: d5527df3322906c3d7f0bb444cb567977f9a8b83f5f6c25d5a0da036bb953c9276f834025cc742d6c946e2de527416e0d080fbc4fa41c526d79d6f7c5f41a99c
SSDEEP: 1536:0w/lXQuuIMscQcJkC9Q0U28N7AVNHLHwzQYA/SeItvtBbWUzLhmNb:0elXQubj09JyAVtLHwzQY+dI/xzY
Malware Config
Extracted
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d939.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d939.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d939.exe
Executes dropped EXE 4 IoCs
pid | Process
1884 | e57abb1.exe
2824 | e57ad38.exe
2556 | e57d939.exe
3188 | e57d949.exe

Windows security modification 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57abb1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57abb1.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d939.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | e57abb1.exe
File opened (read-only) | \??\E: | e57d939.exe
File opened (read-only) | \??\J: | e57d939.exe
File opened (read-only) | \??\G: | e57abb1.exe
File opened (read-only) | \??\H: | e57abb1.exe
File opened (read-only) | \??\J: | e57abb1.exe
File opened (read-only) | \??\I: | e57d939.exe
File opened (read-only) | \??\E: | e57abb1.exe
File opened (read-only) | \??\I: | e57abb1.exe
File opened (read-only) | \??\K: | e57abb1.exe
File opened (read-only) | \??\L: | e57abb1.exe
File opened (read-only) | \??\M: | e57abb1.exe
File opened (read-only) | \??\G: | e57d939.exe
File opened (read-only) | \??\H: | e57d939.exe

Yara rule match: upx 27 IoCs
resource | yara_rule
behavioral2/memory/1884-N-0x0000000000800000-0x00000000018BA000-memory.dmp, for N in 8, 9, 10, 11, 12, 13, 23, 24, 26, 32, 36, 37, 38, 39, 40, 46, 61, 62, 64, 66, 67, 68, 71, 74, 77 (25 dumps of PID 1884, e57abb1.exe) | upx
behavioral2/memory/2556-116-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/2556-160-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57abb1.exe
File created | C:\Windows\e580088 | e57d939.exe
File created | C:\Windows\e57ac0f | e57abb1.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57abb1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ad38.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d939.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d949.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1884 | e57abb1.exe (4 entries)
2556 | e57d939.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1884 | e57abb1.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (target PID → procid_target; ×N marks consecutive duplicate rows)
PID 2136 wrote to memory of 5076 | 2136 | rundll32.exe | 84 (×3)
PID 5076 wrote to memory of 1884 | 5076 | rundll32.exe | 85 (×3)
PID 1884 wrote to memory of 784 → 8, 792 → 9, 316 → 13, 2648 → 44, 2672 → 45, 2744 → 47, 3508 → 56, 3684 → 57, 3864 → 58, 3960 → 59, 4024 → 60, 1000 → 61, 3944 → 62, 4620 → 64, 2304 → 76, 808 → 77, 3484 → 82, 2136 → 83, 5076 → 84 (×2) | 1884 | e57abb1.exe
PID 5076 wrote to memory of 2824 | 5076 | rundll32.exe | 86 (×3)
PID 1884 wrote to memory of 784 → 8, 792 → 9, 316 → 13, 2648 → 44, 2672 → 45, 2744 → 47, 3508 → 56, 3684 → 57, 3864 → 58, 3960 → 59, 4024 → 60, 1000 → 61, 3944 → 62, 4620 → 64, 2304 → 76, 808 → 77, 3484 → 82, 2136 → 83, 2824 → 86 (×2) | 1884 | e57abb1.exe
PID 5076 wrote to memory of 2556 | 5076 | rundll32.exe | 88 (×3)
PID 5076 wrote to memory of 3188 | 5076 | rundll32.exe | 89 (×3)
PID 2556 wrote to memory of 784 → 8, 792 → 9, 316 → 13, 2648 → 44, 2672 → 45, 2744 → 47, 3508 → 56, 3684 → 57, 3864 → 58 | 2556 | e57d939.exe
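The WriteProcessMemory table above mixes two different events: a parent writing into a child it has just created (the rundll32.exe → e57abb1.exe, e57ad38.exe, e57d939.exe and e57d949.exe triplets, which are ordinary process start-up) and a process writing into unrelated processes that already existed before it ran (e57abb1.exe and e57d939.exe into fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE and the rest of the session). Only the second kind is the injection signal. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the report's "PID <src> wrote to memory of <dst> <src> <image> <procid_target>" form, uses parent links transcribed from the process tree further down the page to split the two kinds apart, and names the writers that touched processes they did not create. The PID-to-image map, the parent links and the row subset are copied from this report; the function names are the example's own.

```python
"""Turn Triage 'wrote to memory of' rows into an injection map and separate
normal parent->child writes from writes into unrelated, pre-existing processes.
Added example; the row format and the process data are taken from the report."""
import re

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$")

# PID -> image, transcribed from the report's process tree.
IMAGES = {784: "fontdrvhost.exe", 792: "fontdrvhost.exe", 316: "dwm.exe", 2648: "sihost.exe",
          2672: "svchost.exe", 2744: "taskhostw.exe", 3508: "Explorer.EXE", 2136: "rundll32.exe",
          5076: "rundll32.exe", 1884: "e57abb1.exe", 2824: "e57ad38.exe", 2556: "e57d939.exe",
          3188: "e57d949.exe", 3684: "svchost.exe"}
# child PID -> parent PID for the sample's own process chain (Explorer -> rundll32 -> rundll32 -> drops).
PARENT = {2136: 3508, 5076: 2136, 1884: 5076, 2824: 5076, 2556: 5076, 3188: 5076}

# Subset of the 64 rows in the report, in the report's own format.
SAMPLE_ROWS = [
    "PID 2136 wrote to memory of 5076 2136 rundll32.exe 84",
    "PID 5076 wrote to memory of 1884 5076 rundll32.exe 85",
    "PID 1884 wrote to memory of 784 1884 e57abb1.exe 8",
    "PID 1884 wrote to memory of 792 1884 e57abb1.exe 9",
    "PID 1884 wrote to memory of 316 1884 e57abb1.exe 13",
    "PID 1884 wrote to memory of 3508 1884 e57abb1.exe 56",
    "PID 1884 wrote to memory of 2136 1884 e57abb1.exe 83",
    "PID 1884 wrote to memory of 5076 1884 e57abb1.exe 84",
    "PID 5076 wrote to memory of 2824 5076 rundll32.exe 86",
    "PID 1884 wrote to memory of 2824 1884 e57abb1.exe 86",
    "PID 5076 wrote to memory of 2556 5076 rundll32.exe 88",
    "PID 2556 wrote to memory of 784 2556 e57d939.exe 8",
    "PID 2556 wrote to memory of 3684 2556 e57d939.exe 57",
]


def parse_rows(rows):
    """Yield (src_pid, dst_pid, src_image) for each well-formed row; malformed rows are skipped."""
    for row in rows:
        m = ROW_RE.match(row)
        if m and m["src"] == m["pid"]:
            yield int(m["src"]), int(m["dst"]), m["image"]


def injection_map(rows, parent=PARENT, images=IMAGES):
    """Per writer: the children it created (expected writes) and the foreign processes it touched.
    Duplicate rows (the sandbox logs each start-up write several times) collapse into sets."""
    out = {}
    for src, dst, image in parse_rows(rows):
        entry = out.setdefault(src, {"image": image, "children": set(), "foreign": set()})
        bucket = "children" if parent.get(dst) == src else "foreign"
        entry[bucket].add(dst)
    return {src: {"image": e["image"],
                  "children": sorted(e["children"]),
                  "foreign": sorted((pid, images.get(pid, "?")) for pid in e["foreign"])}
            for src, e in out.items()}


def injectors(rows, **kw):
    """PIDs that wrote into at least one process they did not create: the real injection signal."""
    return sorted(src for src, e in injection_map(rows, **kw).items() if e["foreign"])


if __name__ == "__main__":
    for src, e in injection_map(SAMPLE_ROWS).items():
        print(f"{src} {e['image']}: children={e['children']} foreign={e['foreign']}")
    print("injectors:", injectors(SAMPLE_ROWS))
```

On the subset above the two rundll32.exe stages only ever write into their own children, while e57abb1.exe (1884) and e57d939.exe (2556) write into processes that were running before the sample was launched, including their own parent and sibling. When triaging a live host with Sysmon, the same split applies to Event ID 8/10 data: filter out writes where the target's parent is the writer before reading the rest as injection.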
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57abb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d939.exe
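Across the firewall policy, UAC bypass, Windows security bypass/modification and system policy signatures above, both dropped executables write the same handful of values: the StandardProfile firewall switches, EnableLUA, and the legacy Security Center *Override / *DisableNotify flags. The Python below is an added example, not something from the report or the sandbox's tooling: it parses rows in the report's 'Set value (int) <path> = "<data>" <process>' and 'Key created <path> <process>' forms, normalises the \REGISTRY\MACHINE, ControlSet001 and WOW6432Node variants onto one key path, and flags each write that puts a control into its weakened state. The rows it runs on are copied from the tables above, except for one benign row labelled as constructed; the WEAKENED table and the function names are the example's own.

```python
"""Flag registry writes that weaken host defences, from Triage-style IoC rows.
Added example; row formats and sample rows come from the report, the policy table is ours."""
import re
from collections import defaultdict

# Row shapes as printed in the report's signature tables.
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key (?P<op>created|opened) (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')

# Normalised key paths: HKLM form, CurrentControlSet, no WOW6432Node redirection.
FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POLICIES = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECCENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"

# (key, value name) -> data that puts the control into its weakened state.
# Example's own table; it covers exactly the values this report shows being written.
WEAKENED = {
    (FIREWALL, "EnableFirewall"): "0",
    (FIREWALL, "DoNotAllowExceptions"): "0",
    (FIREWALL, "DisableNotifications"): "1",
    (POLICIES, "EnableLUA"): "0",
}
for _name in ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
              "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify"):
    WEAKENED[(SECCENTER, _name)] = "1"

# Rows copied from the report's signature tables, plus one constructed benign row at the end.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57abb1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57abb1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57abb1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57abb1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57abb1.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57d939.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57d939.exe',
    # Constructed, not from the report: the firewall switch written back to its secure state.
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe',
]


def normalize(path):
    """Map a native \\REGISTRY\\MACHINE path onto HKLM form, dropping ControlSetNNN and WOW6432Node."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p


def parse_row(row):
    """Describe one IoC row as a dict, or return None when the row is not a registry row."""
    m = SET_RE.match(row)
    if m:
        key, _, name = normalize(m["path"]).rpartition("\\")
        return {"op": "set", "key": key, "name": name, "data": m["data"], "proc": m["proc"]}
    m = KEY_RE.match(row)
    if m:
        return {"op": m["op"], "key": normalize(m["path"]), "name": None, "data": None, "proc": m["proc"]}
    return None


def evaluate(rows):
    """Return {process: sorted value names it set to the weakened state}; benign writes are ignored."""
    hits = defaultdict(set)
    for row in rows:
        ioc = parse_row(row)
        if ioc and ioc["op"] == "set":
            weak = WEAKENED.get((ioc["key"], ioc["name"]))
            if weak is not None and ioc["data"] == weak:
                hits[ioc["proc"]].add(ioc["name"])
    return {proc: sorted(names) for proc, names in hits.items()}


if __name__ == "__main__":
    for proc, names in evaluate(SAMPLE_ROWS).items():
        print(f"{proc}: weakened {', '.join(names)}")
```

Two caveats when reading the result on a real host. EnableLUA = 0 only takes effect after the next reboot, so a machine can show the value and still be prompting for elevation until then. The Security Center *Override and *DisableNotify values are legacy settings from the XP/Vista-era Security Center and have little practical effect on a current Windows 10 build, but nothing legitimate writes them today, which makes their presence a high-fidelity indicator of exactly this family of malware rather than a meaningful weakening of the host.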
Processes
Format: [depth] image | command line | PID, with the signatures raised by that process listed beneath it.

[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 792
[1] C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
[1] C:\Windows\system32\sihost.exe | sihost.exe | PID 2648
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2672
[1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2744
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3508
    [2] C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\082dbf376175e714a33842341a4a63b303922d9fdeaac1008759c24397a721f6N.dll,#1 | PID 2136
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\082dbf376175e714a33842341a4a63b303922d9fdeaac1008759c24397a721f6N.dll,#1 | PID 5076
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\e57abb1.exe | C:\Users\Admin\AppData\Local\Temp\e57abb1.exe | PID 1884
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] C:\Users\Admin\AppData\Local\Temp\e57ad38.exe | C:\Users\Admin\AppData\Local\Temp\e57ad38.exe | PID 2824
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            [4] C:\Users\Admin\AppData\Local\Temp\e57d939.exe | C:\Users\Admin\AppData\Local\Temp\e57d939.exe | PID 2556
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] C:\Users\Admin\AppData\Local\Temp\e57d949.exe | C:\Users\Admin\AppData\Local\Temp\e57d949.exe | PID 3188
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3684
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3864
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3960
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4024
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 1000
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3944
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4620
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2304
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 808
[1] C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3484
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: e51cae7068908222d2ea66841c635b06
SHA1: d359c14f6236373f906440b708dd33df225cd6cd
SHA256: 023687a9b337ff16142fd2d8cb43ce07abd4e3cc244aaf8c45d8268d4cbcdc13
SHA512: f7414f469a5755738f51a15f1ba4b81ba0218e91ed633b304acf894cfb9094f47070e16e2d9dc9c736a08b51f5b19860c3aefd29c8be59e69ef90c426387c483

Filesize: 257B
MD5: 020d9b577822e943770ad142cd989555
SHA1: 9a7d44562ef2c10e3c4f4fb430ec9b846bd05017
SHA256: c8ce4dc83b93e0c5b89ddb959776923ad7f74d82e68ac54322d2403a9b76e04a
SHA512: 92d52177d3f82e39da4e2b2f589f883dd8f2bcccfb222eab488ad54cf72e913adb4c41fb02aeb2ca7e4d53628451ba97aa09dbb9bc5566223e4de8748a56431e