Analysis

max time kernel: 98s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 04:01

Static task: static1
Behavioral task: behavioral1
Sample: 701e3194584d15675642dcac81bdb22c82c4d57d97534b1df24842f270cd3e0eN.dll
Resource: win7-20240903-en
General

Target: 701e3194584d15675642dcac81bdb22c82c4d57d97534b1df24842f270cd3e0eN.dll
Size: 120KB
MD5: dd37af411eb28cbab24f761e75299df0
SHA1: 92c9eca0f19a9f383e91418d8ab659fe759def9f
SHA256: 701e3194584d15675642dcac81bdb22c82c4d57d97534b1df24842f270cd3e0e
SHA512: 410f5afe7bb1207095d69d53255696c3c61aa59427cdaca716de99842f3d551aec1de121290a8febe2d755972911b64763c760c574ea11a880e21b3d64f3e8fe
SSDEEP: 1536:uwx9OwQmXUI7vsLOrJlCmnyQ15HKKBC+n2JDjF+w4zY9fmvkpYqARKQxvWLaYcZZ:xmWXUS19VKxJZ+w4zYwvkf6xxvTYO93
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c94b.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580a0d.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e580a0d.exe
Executes dropped EXE (4 IoCs)
pid | Process
3932 | e57c94b.exe
3748 | e57cbdb.exe
2844 | e580a0d.exe
4912 | e580a5b.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c94b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e580a0d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e580a0d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e580a0d.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580a0d.exe
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57c94b.exe
File opened (read-only) | \??\G: | e57c94b.exe
File opened (read-only) | \??\H: | e57c94b.exe
File opened (read-only) | \??\I: | e57c94b.exe

resource | yara_rule
behavioral2/memory/3932-{6,8,9,10,11,12,13,19,25,30,35,36,37,38,41,43,46,58,60,61,63}-0x0000000000880000-0x000000000193A000-memory.dmp (21 dumps) | upx
behavioral2/memory/2844-{86,88,89,90,91,92,93,94,96,102,126}-0x0000000000860000-0x000000000191A000-memory.dmp (11 dumps) | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57c9c8 | e57c94b.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57c94b.exe
File created | C:\Windows\e58315c | e580a0d.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e580a0d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e580a5b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c94b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cbdb.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3932 | e57c94b.exe (4 entries)
2844 | e580a0d.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3932 | e57c94b.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 216 wrote to memory of 3304 | 216 | rundll32.exe | 82 (3 entries)
PID 3304 wrote to memory of 3932 | 3304 | rundll32.exe | 83 (3 entries)
PID 3932 wrote to memory of 772 | 3932 | e57c94b.exe | 8
PID 3932 wrote to memory of 780 | 3932 | e57c94b.exe | 9
PID 3932 wrote to memory of 336 | 3932 | e57c94b.exe | 13
PID 3932 wrote to memory of 2996 | 3932 | e57c94b.exe | 50
PID 3932 wrote to memory of 3060 | 3932 | e57c94b.exe | 52
PID 3932 wrote to memory of 3168 | 3932 | e57c94b.exe | 53
PID 3932 wrote to memory of 3548 | 3932 | e57c94b.exe | 56
PID 3932 wrote to memory of 3676 | 3932 | e57c94b.exe | 57
PID 3932 wrote to memory of 3880 | 3932 | e57c94b.exe | 58
PID 3932 wrote to memory of 3968 | 3932 | e57c94b.exe | 59
PID 3932 wrote to memory of 4036 | 3932 | e57c94b.exe | 60
PID 3932 wrote to memory of 1112 | 3932 | e57c94b.exe | 61
PID 3932 wrote to memory of 4180 | 3932 | e57c94b.exe | 62
PID 3932 wrote to memory of 2600 | 3932 | e57c94b.exe | 74
PID 3932 wrote to memory of 4464 | 3932 | e57c94b.exe | 76
PID 3932 wrote to memory of 216 | 3932 | e57c94b.exe | 81
PID 3932 wrote to memory of 3304 | 3932 | e57c94b.exe | 82 (2 entries)
PID 3304 wrote to memory of 3748 | 3304 | rundll32.exe | 84 (3 entries)
PID 3932 wrote to memory of 772 | 3932 | e57c94b.exe | 8
PID 3932 wrote to memory of 780 | 3932 | e57c94b.exe | 9
PID 3932 wrote to memory of 336 | 3932 | e57c94b.exe | 13
PID 3932 wrote to memory of 2996 | 3932 | e57c94b.exe | 50
PID 3932 wrote to memory of 3060 | 3932 | e57c94b.exe | 52
PID 3932 wrote to memory of 3168 | 3932 | e57c94b.exe | 53
PID 3932 wrote to memory of 3548 | 3932 | e57c94b.exe | 56
PID 3932 wrote to memory of 3676 | 3932 | e57c94b.exe | 57
PID 3932 wrote to memory of 3880 | 3932 | e57c94b.exe | 58
PID 3932 wrote to memory of 3968 | 3932 | e57c94b.exe | 59
PID 3932 wrote to memory of 4036 | 3932 | e57c94b.exe | 60
PID 3932 wrote to memory of 1112 | 3932 | e57c94b.exe | 61
PID 3932 wrote to memory of 4180 | 3932 | e57c94b.exe | 62
PID 3932 wrote to memory of 2600 | 3932 | e57c94b.exe | 74
PID 3932 wrote to memory of 4464 | 3932 | e57c94b.exe | 76
PID 3932 wrote to memory of 216 | 3932 | e57c94b.exe | 81
PID 3932 wrote to memory of 3748 | 3932 | e57c94b.exe | 84 (2 entries)
PID 3304 wrote to memory of 2844 | 3304 | rundll32.exe | 85 (3 entries)
PID 3304 wrote to memory of 4912 | 3304 | rundll32.exe | 86 (3 entries)
PID 2844 wrote to memory of 772 | 2844 | e580a0d.exe | 8
PID 2844 wrote to memory of 780 | 2844 | e580a0d.exe | 9
PID 2844 wrote to memory of 336 | 2844 | e580a0d.exe | 13
PID 2844 wrote to memory of 2996 | 2844 | e580a0d.exe | 50
PID 2844 wrote to memory of 3060 | 2844 | e580a0d.exe | 52
PID 2844 wrote to memory of 3168 | 2844 | e580a0d.exe | 53
PID 2844 wrote to memory of 3548 | 2844 | e580a0d.exe | 56
PID 2844 wrote to memory of 3676 | 2844 | e580a0d.exe | 57
PID 2844 wrote to memory of 3880 | 2844 | e580a0d.exe | 58
PID 2844 wrote to memory of 3968 | 2844 | e580a0d.exe | 59
PID 2844 wrote to memory of 4036 | 2844 | e580a0d.exe | 60
PID 2844 wrote to memory of 1112 | 2844 | e580a0d.exe | 61
PID 2844 wrote to memory of 4180 | 2844 | e580a0d.exe | 62
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c94b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580a0d.exe
Processes (path | command line | PID; indented by depth in the process tree)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 772

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780

C:\Windows\system32\dwm.exe | "dwm.exe" | PID 336

C:\Windows\system32\sihost.exe | sihost.exe | PID 2996

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3060

C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3168

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3548

    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\701e3194584d15675642dcac81bdb22c82c4d57d97534b1df24842f270cd3e0eN.dll,#1 | PID 216
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\701e3194584d15675642dcac81bdb22c82c4d57d97534b1df24842f270cd3e0eN.dll,#1 | PID 3304
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e57c94b.exe | C:\Users\Admin\AppData\Local\Temp\e57c94b.exe | PID 3932
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e57cbdb.exe | C:\Users\Admin\AppData\Local\Temp\e57cbdb.exe | PID 3748
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e580a0d.exe | C:\Users\Admin\AppData\Local\Temp\e580a0d.exe | PID 2844
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e580a5b.exe | C:\Users\Admin\AppData\Local\Temp\e580a5b.exe | PID 4912
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3676

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3968

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 1112

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4180

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2600

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4464
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 9fec485583baadc957d7852ac4548870
SHA1: a5eb27d64cbb256f66eb0ffb7bd23702b4552f96
SHA256: 04c12761c574da774b26e9d8961c4eaa8cf3dc7eb372c9cf5cfeaa7e809bafdd
SHA512: 6437afa625111475afa10680bac77cf89bbc190cf0f16964ab4f70f2fd90cf07c03d85f955c1268721b7cee8ef485a81ac2ea763ff52c023c1fde9d6e436e33e

Filesize: 257B
MD5: ce961461198c303be52c71f5d61a78f8
SHA1: 152925b535f9edd3a635e95e15e205f6750d1cd4
SHA256: 9dbf450d0f0e59205c158542baee1843abd7595e3e16615c7ccd02fc70984d81
SHA512: 7e08235f58203db91c061546d848b4bbf09843a4d115abba96d95628593e1ffc584266630bdcf9ba53376fc559315033d7fe23cfd06883d5eade3b4999f942a2