Analysis

max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 06:01
Static task: static1
Behavioral task: behavioral1
Sample: 21694467b484097b1b298a49d6f3520f35a34a7c2b7bc60f9d136735a8796d80.dll
Resource: win7-20240903-en
General

Target: 21694467b484097b1b298a49d6f3520f35a34a7c2b7bc60f9d136735a8796d80.dll
Size: 120KB
MD5: 92287a9a1cac341859a35f178364b470
SHA1: 969f2034c9ebc63c57d53cb7f0682c8e30f37dd7
SHA256: 21694467b484097b1b298a49d6f3520f35a34a7c2b7bc60f9d136735a8796d80
SHA512: ecfed980ce20416c904e22f21c7e8fd4dbca52cbf0262af05fb8d4c9034d3fd58ce95ceaf2663f47b4973b0511012f9c79aa884c407ee2d80740884ec0a6ce4e
SSDEEP: 3072:xhxM7F4kEEmU1rhi0oMaJrQ1aOxsbw22ANTNazzDaU:xs7Wfu11i0UJrQBx/22mazzWU
Malware Config

Extracted
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578d3c.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b2f4.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578d3c.exe
Executes dropped EXE 4 IoCs
pid | Process
4324 | e578d3c.exe
1368 | e578ea3.exe
5016 | e57b2c5.exe
4556 | e57b2f4.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578d3c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578d3c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b2f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b2f4.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b2f4.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e578d3c.exe
File opened (read-only) | \??\J: | e578d3c.exe
File opened (read-only) | \??\M: | e578d3c.exe
File opened (read-only) | \??\O: | e578d3c.exe
File opened (read-only) | \??\P: | e578d3c.exe
File opened (read-only) | \??\E: | e578d3c.exe
File opened (read-only) | \??\K: | e578d3c.exe
File opened (read-only) | \??\H: | e57b2f4.exe
File opened (read-only) | \??\G: | e578d3c.exe
File opened (read-only) | \??\L: | e578d3c.exe
File opened (read-only) | \??\E: | e57b2f4.exe
File opened (read-only) | \??\G: | e57b2f4.exe
File opened (read-only) | \??\I: | e57b2f4.exe
File opened (read-only) | \??\H: | e578d3c.exe
File opened (read-only) | \??\N: | e578d3c.exe

resource | yara_rule
behavioral2/memory/4324-9-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-10-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-11-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-17-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-32-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-34-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-33-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-8-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-6-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-30-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-35-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-36-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-37-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-38-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-39-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-41-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-54-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-70-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-72-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-73-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-75-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-76-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-79-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-81-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-84-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-85-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4324-87-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/4556-130-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4556-165-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e578d3c.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e578d3c.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e578d3c.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e578da9 | e578d3c.exe
File opened for modification | C:\Windows\SYSTEM.INI | e578d3c.exe
File created | C:\Windows\e57ddec | e57b2f4.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b2c5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b2f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578d3c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578ea3.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4324 | e578d3c.exe
4324 | e578d3c.exe
4324 | e578d3c.exe
4324 | e578d3c.exe
4556 | e57b2f4.exe
4556 | e57b2f4.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4324 | e578d3c.exe (this identical row appears 64 times in the original table)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target   (a row marked ×N appears N times consecutively in the original table)
PID 3812 wrote to memory of 5080 | 3812 | rundll32.exe | 83   (×3)
PID 5080 wrote to memory of 4324 | 5080 | rundll32.exe | 84   (×3)
PID 4324 wrote to memory of 780 | 4324 | e578d3c.exe | 8
PID 4324 wrote to memory of 788 | 4324 | e578d3c.exe | 9
PID 4324 wrote to memory of 376 | 4324 | e578d3c.exe | 13
PID 4324 wrote to memory of 2652 | 4324 | e578d3c.exe | 44
PID 4324 wrote to memory of 2668 | 4324 | e578d3c.exe | 45
PID 4324 wrote to memory of 2780 | 4324 | e578d3c.exe | 47
PID 4324 wrote to memory of 3440 | 4324 | e578d3c.exe | 56
PID 4324 wrote to memory of 3572 | 4324 | e578d3c.exe | 57
PID 4324 wrote to memory of 3748 | 4324 | e578d3c.exe | 58
PID 4324 wrote to memory of 3840 | 4324 | e578d3c.exe | 59
PID 4324 wrote to memory of 3912 | 4324 | e578d3c.exe | 60
PID 4324 wrote to memory of 4000 | 4324 | e578d3c.exe | 61
PID 4324 wrote to memory of 3596 | 4324 | e578d3c.exe | 62
PID 4324 wrote to memory of 3248 | 4324 | e578d3c.exe | 75
PID 4324 wrote to memory of 2192 | 4324 | e578d3c.exe | 76
PID 4324 wrote to memory of 4932 | 4324 | e578d3c.exe | 81
PID 4324 wrote to memory of 3812 | 4324 | e578d3c.exe | 82
PID 4324 wrote to memory of 5080 | 4324 | e578d3c.exe | 83   (×2)
PID 5080 wrote to memory of 1368 | 5080 | rundll32.exe | 85   (×3)
PID 5080 wrote to memory of 5016 | 5080 | rundll32.exe | 86   (×3)
PID 5080 wrote to memory of 4556 | 5080 | rundll32.exe | 87   (×3)
PID 4324 wrote to memory of 780 | 4324 | e578d3c.exe | 8
PID 4324 wrote to memory of 788 | 4324 | e578d3c.exe | 9
PID 4324 wrote to memory of 376 | 4324 | e578d3c.exe | 13
PID 4324 wrote to memory of 2652 | 4324 | e578d3c.exe | 44
PID 4324 wrote to memory of 2668 | 4324 | e578d3c.exe | 45
PID 4324 wrote to memory of 2780 | 4324 | e578d3c.exe | 47
PID 4324 wrote to memory of 3440 | 4324 | e578d3c.exe | 56
PID 4324 wrote to memory of 3572 | 4324 | e578d3c.exe | 57
PID 4324 wrote to memory of 3748 | 4324 | e578d3c.exe | 58
PID 4324 wrote to memory of 3840 | 4324 | e578d3c.exe | 59
PID 4324 wrote to memory of 3912 | 4324 | e578d3c.exe | 60
PID 4324 wrote to memory of 4000 | 4324 | e578d3c.exe | 61
PID 4324 wrote to memory of 3596 | 4324 | e578d3c.exe | 62
PID 4324 wrote to memory of 3248 | 4324 | e578d3c.exe | 75
PID 4324 wrote to memory of 2192 | 4324 | e578d3c.exe | 76
PID 4324 wrote to memory of 4932 | 4324 | e578d3c.exe | 81
PID 4324 wrote to memory of 1368 | 4324 | e578d3c.exe | 85   (×2)
PID 4324 wrote to memory of 5016 | 4324 | e578d3c.exe | 86   (×2)
PID 4324 wrote to memory of 4556 | 4324 | e578d3c.exe | 87   (×2)
PID 4556 wrote to memory of 780 | 4556 | e57b2f4.exe | 8
PID 4556 wrote to memory of 788 | 4556 | e57b2f4.exe | 9
PID 4556 wrote to memory of 376 | 4556 | e57b2f4.exe | 13
PID 4556 wrote to memory of 2652 | 4556 | e57b2f4.exe | 44
PID 4556 wrote to memory of 2668 | 4556 | e57b2f4.exe | 45
PID 4556 wrote to memory of 2780 | 4556 | e57b2f4.exe | 47
PID 4556 wrote to memory of 3440 | 4556 | e57b2f4.exe | 56
PID 4556 wrote to memory of 3572 | 4556 | e57b2f4.exe | 57
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d3c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b2f4.exe
Processes

image | command line | tree depth | PID   (child processes are indented under their parent; signatures that fired on a process are listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:780

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:788

C:\Windows\system32\dwm.exe | "dwm.exe" | depth 1 | PID:376

C:\Windows\system32\sihost.exe | sihost.exe | depth 1 | PID:2652

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | depth 1 | PID:2668

C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | depth 1 | PID:2780

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | depth 1 | PID:3440

  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\21694467b484097b1b298a49d6f3520f35a34a7c2b7bc60f9d136735a8796d80.dll,#1 | depth 2 | PID:3812
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\21694467b484097b1b298a49d6f3520f35a34a7c2b7bc60f9d136735a8796d80.dll,#1 | depth 3 | PID:5080
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\e578d3c.exe | C:\Users\Admin\AppData\Local\Temp\e578d3c.exe | depth 4 | PID:4324
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Users\Admin\AppData\Local\Temp\e578ea3.exe | C:\Users\Admin\AppData\Local\Temp\e578ea3.exe | depth 4 | PID:1368
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\e57b2c5.exe | C:\Users\Admin\AppData\Local\Temp\e57b2c5.exe | depth 4 | PID:5016
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\e57b2f4.exe | C:\Users\Admin\AppData\Local\Temp\e57b2f4.exe | depth 4 | PID:4556
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | depth 1 | PID:3572

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | depth 1 | PID:3840

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | depth 1 | PID:4000

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3596

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | depth 1 | PID:3248

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:2192

C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID:4932
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 7fdf4b8826c95b1d9674be9af78af846
SHA1: 1a36928fb197b236a97c16a6b17cb6232382be1b
SHA256: 788d80237eeb15415fcb6b6967dc8480df50faad7c49b1f003f61df394a5b147
SHA512: 43098f470e211ec318ebe94c13bee99493f4d5a14d309f5a7b4b0bc89988befde4a760ffaa777712641cb78c025a0dfe2befab07901c58398bc07430890d6a9a

Filesize: 257B
MD5: 2f9f838faa0964975ec2d9bb99ed2736
SHA1: 71bbd672b4fe3c4a7a086a6562e761b57248da13
SHA256: 7eee559728d8c78f5d5d1f2ccd74537c2074603bcbbdb2c9c8ec35659991d1c5
SHA512: 2cd928ed7e5c712992ecc1bf8d4f5d98ebf4626b7afb4e49b824ba956eadd77b6f2043b1c44a5557dc2a5aa94392e1c9f14e1dcdfb865cce40a7126b1452e73b