Analysis

max time kernel: 93s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 04:09

Static task: static1
Behavioral task: behavioral1
Sample: b6ec162d21f1395071ea6ecc01703e06f49af364ba549d258fe59a389ad625c2.dll
Resource: win7-20240903-en
General

Target: b6ec162d21f1395071ea6ecc01703e06f49af364ba549d258fe59a389ad625c2.dll
Size: 120KB
MD5: 7e24df6abedc806b0a28ee9bebd99060
SHA1: 792e4090f46d747d599679c66c4e3184cd258c53
SHA256: b6ec162d21f1395071ea6ecc01703e06f49af364ba549d258fe59a389ad625c2
SHA512: 0ed21168f2925fdcd2f6fc84acabea773c8726f8dfaca73c4fb7cd7df5c71f808c0c87a49a0d9583f9c0420911da5dde0dc6810811967d8d52a8ef3930f50001
SSDEEP: 3072:VkhYKY/qKHgSL5njZrGNkC5pwKHTy+ckztD7cospJ:7K6qgV5jZrOllH9RztD7sJ
Malware Config

Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57948f.exe
Sality family

UAC bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b602.exe

Windows security bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b602.exe
Executes dropped EXE (3 IoCs)
pid | process
3256 | e57948f.exe
3956 | e579693.exe
2416 | e57b602.exe
Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b602.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b602.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b602.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b602.exe

Checks whether UAC is enabled
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b602.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\J: | e57948f.exe
File opened (read-only) | \??\E: | e57948f.exe
File opened (read-only) | \??\H: | e57948f.exe
File opened (read-only) | \??\M: | e57948f.exe
File opened (read-only) | \??\O: | e57948f.exe
File opened (read-only) | \??\Q: | e57948f.exe
File opened (read-only) | \??\I: | e57948f.exe
File opened (read-only) | \??\K: | e57948f.exe
File opened (read-only) | \??\P: | e57948f.exe
File opened (read-only) | \??\E: | e57b602.exe
File opened (read-only) | \??\H: | e57b602.exe
File opened (read-only) | \??\G: | e57948f.exe
File opened (read-only) | \??\L: | e57948f.exe
File opened (read-only) | \??\N: | e57948f.exe
File opened (read-only) | \??\G: | e57b602.exe
resource | yara_rule
behavioral2/memory/3256-6-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-13-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-11-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-14-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-33-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-27-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-10-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-9-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-8-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-26-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-36-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-35-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-37-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-38-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-39-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-41-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-50-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-51-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-62-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-63-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-66-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-65-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-69-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-71-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-74-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-75-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-79-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3256-83-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2416-120-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/2416-150-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57948f.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57948f.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57948f.exe
Drops file in Windows directory (3 IoCs)
description | ioc | process
File created | C:\Windows\e57955a | e57948f.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57948f.exe
File created | C:\Windows\e57e5dc | e57b602.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b602.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57948f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579693.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | process
3256 | e57948f.exe
3256 | e57948f.exe
3256 | e57948f.exe
3256 | e57948f.exe
2416 | e57b602.exe
2416 | e57b602.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3256 | e57948f.exe
(the report lists this same row 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target
PID 3164 wrote to memory of 2800 | 3164 | rundll32.exe | 83
PID 3164 wrote to memory of 2800 | 3164 | rundll32.exe | 83
PID 3164 wrote to memory of 2800 | 3164 | rundll32.exe | 83
PID 2800 wrote to memory of 3256 | 2800 | rundll32.exe | 84
PID 2800 wrote to memory of 3256 | 2800 | rundll32.exe | 84
PID 2800 wrote to memory of 3256 | 2800 | rundll32.exe | 84
PID 3256 wrote to memory of 792 | 3256 | e57948f.exe | 9
PID 3256 wrote to memory of 796 | 3256 | e57948f.exe | 10
PID 3256 wrote to memory of 332 | 3256 | e57948f.exe | 13
PID 3256 wrote to memory of 3092 | 3256 | e57948f.exe | 51
PID 3256 wrote to memory of 3132 | 3256 | e57948f.exe | 52
PID 3256 wrote to memory of 3172 | 3256 | e57948f.exe | 53
PID 3256 wrote to memory of 3472 | 3256 | e57948f.exe | 56
PID 3256 wrote to memory of 3592 | 3256 | e57948f.exe | 57
PID 3256 wrote to memory of 3772 | 3256 | e57948f.exe | 58
PID 3256 wrote to memory of 3868 | 3256 | e57948f.exe | 59
PID 3256 wrote to memory of 3964 | 3256 | e57948f.exe | 60
PID 3256 wrote to memory of 4048 | 3256 | e57948f.exe | 61
PID 3256 wrote to memory of 4140 | 3256 | e57948f.exe | 62
PID 3256 wrote to memory of 4504 | 3256 | e57948f.exe | 64
PID 3256 wrote to memory of 2960 | 3256 | e57948f.exe | 76
PID 3256 wrote to memory of 1484 | 3256 | e57948f.exe | 81
PID 3256 wrote to memory of 3164 | 3256 | e57948f.exe | 82
PID 3256 wrote to memory of 2800 | 3256 | e57948f.exe | 83
PID 3256 wrote to memory of 2800 | 3256 | e57948f.exe | 83
PID 2800 wrote to memory of 3956 | 2800 | rundll32.exe | 85
PID 2800 wrote to memory of 3956 | 2800 | rundll32.exe | 85
PID 2800 wrote to memory of 3956 | 2800 | rundll32.exe | 85
PID 2800 wrote to memory of 2416 | 2800 | rundll32.exe | 93
PID 2800 wrote to memory of 2416 | 2800 | rundll32.exe | 93
PID 2800 wrote to memory of 2416 | 2800 | rundll32.exe | 93
PID 3256 wrote to memory of 792 | 3256 | e57948f.exe | 9
PID 3256 wrote to memory of 796 | 3256 | e57948f.exe | 10
PID 3256 wrote to memory of 332 | 3256 | e57948f.exe | 13
PID 3256 wrote to memory of 3092 | 3256 | e57948f.exe | 51
PID 3256 wrote to memory of 3132 | 3256 | e57948f.exe | 52
PID 3256 wrote to memory of 3172 | 3256 | e57948f.exe | 53
PID 3256 wrote to memory of 3472 | 3256 | e57948f.exe | 56
PID 3256 wrote to memory of 3592 | 3256 | e57948f.exe | 57
PID 3256 wrote to memory of 3772 | 3256 | e57948f.exe | 58
PID 3256 wrote to memory of 3868 | 3256 | e57948f.exe | 59
PID 3256 wrote to memory of 3964 | 3256 | e57948f.exe | 60
PID 3256 wrote to memory of 4048 | 3256 | e57948f.exe | 61
PID 3256 wrote to memory of 4140 | 3256 | e57948f.exe | 62
PID 3256 wrote to memory of 4504 | 3256 | e57948f.exe | 64
PID 3256 wrote to memory of 2960 | 3256 | e57948f.exe | 76
PID 3256 wrote to memory of 3956 | 3256 | e57948f.exe | 85
PID 3256 wrote to memory of 3956 | 3256 | e57948f.exe | 85
PID 3256 wrote to memory of 2416 | 3256 | e57948f.exe | 93
PID 3256 wrote to memory of 2416 | 3256 | e57948f.exe | 93
PID 2416 wrote to memory of 792 | 2416 | e57b602.exe | 9
PID 2416 wrote to memory of 796 | 2416 | e57b602.exe | 10
PID 2416 wrote to memory of 332 | 2416 | e57b602.exe | 13
PID 2416 wrote to memory of 3092 | 2416 | e57b602.exe | 51
PID 2416 wrote to memory of 3132 | 2416 | e57b602.exe | 52
PID 2416 wrote to memory of 3172 | 2416 | e57b602.exe | 53
PID 2416 wrote to memory of 3472 | 2416 | e57b602.exe | 56
PID 2416 wrote to memory of 3592 | 2416 | e57b602.exe | 57
PID 2416 wrote to memory of 3772 | 2416 | e57b602.exe | 58
PID 2416 wrote to memory of 3868 | 2416 | e57b602.exe | 59
PID 2416 wrote to memory of 3964 | 2416 | e57b602.exe | 60
PID 2416 wrote to memory of 4048 | 2416 | e57b602.exe | 61
PID 2416 wrote to memory of 4140 | 2416 | e57b602.exe | 62
PID 2416 wrote to memory of 4504 | 2416 | e57b602.exe | 64
System policy modification (1 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57948f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b602.exe
Processes

Each entry is: image path | command line | PID. Indentation shows the parent/child relationship.

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:332
C:\Windows\system32\sihost.exe | sihost.exe | PID:3092
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3132
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3172
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3472
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6ec162d21f1395071ea6ecc01703e06f49af364ba549d258fe59a389ad625c2.dll,#1 | PID:3164
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b6ec162d21f1395071ea6ecc01703e06f49af364ba549d258fe59a389ad625c2.dll,#1 | PID:2800
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57948f.exe | C:\Users\Admin\AppData\Local\Temp\e57948f.exe | PID:3256
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e579693.exe | C:\Users\Admin\AppData\Local\Temp\e579693.exe | PID:3956
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57b602.exe | C:\Users\Admin\AppData\Local\Temp\e57b602.exe | PID:2416
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3592
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3772
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3868
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3964
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4048
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4140
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4504
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2960
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1484
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: e8e07f3999dae4ad98092301c1b51d50
SHA1: a4f83e49df4483bfbbed1ec0b681b00bc6d9c393
SHA256: 20cc0c93f7d5190fd3a7e4814d0ef917690d598339206ccd13a66bf86aa30768
SHA512: 8169ba4c15b7104b876e35435dca3b70ef2e5b876f0db31bc0e46ba7e2b315563a1f6130befa4f0e57f6bbdd799ba1e5484d489f7e5f63a09e99a43f36fee226

Filesize: 257B
MD5: a19628701abed61870049396769b0ee3
SHA1: 2f149d523b123821971f10a4d90bc6b38108ba35
SHA256: b16b11429ee7f6a2094064859d218dc8b1796c28dbb3bcee5dba971281b3602b
SHA512: b3ba4e97c62bef6f8f91df57005983e321b2c5d5eb63e6c23f7dd39f5fd8b246cc5f1537808fec0d1759a7809c3d56df7e989d24debef92dff3182d03a054166