Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2024 03:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5880ab2ee457bcf10ad3f4ea56319a05e06391975753e9d4e0be748fab6ee1c9N.dll
- Resource: win7-20240903-en
General
- Target: 5880ab2ee457bcf10ad3f4ea56319a05e06391975753e9d4e0be748fab6ee1c9N.dll
- Size: 120KB
- MD5: df5c0c149597da0c3f381f99477d9580
- SHA1: fa49072965237ed6a285de689b7a36dbdfad3a3d
- SHA256: 5880ab2ee457bcf10ad3f4ea56319a05e06391975753e9d4e0be748fab6ee1c9
- SHA512: b1ac261c1041cd1e8323090fc4c3d1eac7680ce09d0eb9fa188392fdc77a252f702fb7ead683ea0c37a6556421d2602b3c2dcc0b24e24a806ef055f3268517f0
- SSDEEP: 3072:bxrqZzLskmmOzCf1Pnn4khqb7yih1AHhjJGDx:bxrq316nxADG
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57c8af.exe)
Sality family

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57c8af.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57c8af.exe)
Executes dropped EXE (4 IoCs)
- PID 2352: e57ac0f.exe
- PID 2704: e57ad57.exe
- PID 2904: e57c890.exe
- PID 664: e57c8af.exe
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57ac0f.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57ac0f.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57c8af.exe)
Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57c8af.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ac0f.exe)
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\G: (e57ac0f.exe)
- File opened (read-only): \??\I: (e57ac0f.exe)
- File opened (read-only): \??\J: (e57ac0f.exe)
- File opened (read-only): \??\M: (e57ac0f.exe)
- File opened (read-only): \??\G: (e57c8af.exe)
- File opened (read-only): \??\E: (e57c8af.exe)
- File opened (read-only): \??\E: (e57ac0f.exe)
- File opened (read-only): \??\K: (e57ac0f.exe)
- File opened (read-only): \??\L: (e57ac0f.exe)
- File opened (read-only): \??\N: (e57ac0f.exe)
- File opened (read-only): \??\O: (e57ac0f.exe)
- File opened (read-only): \??\Q: (e57ac0f.exe)
- File opened (read-only): \??\H: (e57ac0f.exe)
- File opened (read-only): \??\P: (e57ac0f.exe)
- File opened (read-only): \??\R: (e57ac0f.exe)
Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files\7-Zip\7zFM.exe (e57ac0f.exe)
- File opened for modification: C:\Program Files\7-Zip\7zG.exe (e57ac0f.exe)
- File opened for modification: C:\Program Files\7-Zip\Uninstall.exe (e57ac0f.exe)
- File opened for modification: C:\Program Files\7-Zip\7z.exe (e57ac0f.exe)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\e57ac9b (e57ac0f.exe)
- File opened for modification: C:\Windows\SYSTEM.INI (e57ac0f.exe)
- File created: C:\Windows\e57fd3c (e57c8af.exe)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57ac0f.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57ad57.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57c890.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57c8af.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 2352: e57ac0f.exe
- PID 2352: e57ac0f.exe
- PID 2352: e57ac0f.exe
- PID 2352: e57ac0f.exe
- PID 664: e57c8af.exe
- PID 664: e57c8af.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ac0f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57c8af.exe)
Processes
- PID 772: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- PID 788: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- PID 1020: C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- PID 2640: C:\Windows\system32\sihost.exe
  command line: sihost.exe
- PID 2656: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2804: C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3528: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - PID 4864: C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5880ab2ee457bcf10ad3f4ea56319a05e06391975753e9d4e0be748fab6ee1c9N.dll,#1
    signatures:
    - Suspicious use of WriteProcessMemory
    - PID 1296: C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5880ab2ee457bcf10ad3f4ea56319a05e06391975753e9d4e0be748fab6ee1c9N.dll,#1
      signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - PID 2352: C:\Users\Admin\AppData\Local\Temp\e57ac0f.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57ac0f.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - PID 2704: C:\Users\Admin\AppData\Local\Temp\e57ad57.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57ad57.exe
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - PID 2904: C:\Users\Admin\AppData\Local\Temp\e57c890.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57c890.exe
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - PID 664: C:\Users\Admin\AppData\Local\Temp\e57c8af.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57c8af.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- PID 3640: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3828: C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3916: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3980: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4080: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3184: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3748: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 3612: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 2012: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 5016: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4044: C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 88067442deaaa41519b2e466526871d6
  SHA1: 9ae21d76351c3efb609f35a66cbf33b1aaa3e203
  SHA256: 78afcf920506ee1b62d377ffbf6841f26e3f4988b3412a4f9bf726983e427db8
  SHA512: 86ea01cfc605a35284929ddd89ee9027c6a7b0842e50f03f1e05d9a34ddf4a3409eb670fbd2c6184d671f61eb6653ae98e0b24c2e00423cde959cd75b7c3e6aa
- Filesize: 257B
  MD5: b85758b8f0da46abd4e98f5bc3dd31a1
  SHA1: b738622f690c4d236582bf401f576c9051e4913a
  SHA256: 59dde7afcfaf731ff8be6e2f2eeb9e51be448dabcc0e12f4e6fcea493a4fc299
  SHA512: 9f9be11bcb90526b6cd7c45e8540ed0dc5709bfe96ee86fe7cb21b2a3cfc0f32fc8d496e8c9f0d1b750b720d21e2373eccea59273da3afb2f29d4fe9a61f669f