Analysis

max time kernel    149s
max time network   150s
platform           windows10-2004_x64
resource           win10v2004-20241007-en
resource tags      arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted          17-12-2024 08:32

Static task        static1
Behavioral task    behavioral1
  Sample           cb55194a5e36e41897fee6f0f0b98dfffdc6632aa318d0c69efde2e66336ec7c.dll
  Resource         win7-20240903-en

Note: the task listed above is the Windows 7 run, but the signatures, process tree and memory dumps on this page come from the Windows 10 2004 x64 run (the yara matches are recorded under behavioral2 and the platform line says windows10-2004_x64). The Windows 7 results are not on this page.
General

Target   cb55194a5e36e41897fee6f0f0b98dfffdc6632aa318d0c69efde2e66336ec7c.dll
Size     120KB
MD5      8f25387010996e0423a3cc38b4de8542
SHA1     472e7825409a4c76e266b035dd8a63acf2fe40d7
SHA256   cb55194a5e36e41897fee6f0f0b98dfffdc6632aa318d0c69efde2e66336ec7c
SHA512   981d22c59ba30d11a0c6fd86669a2044ed3d792bf4ad25d2b140bf2f64426b4165bd4c08a21e01fd2193346d488b95f4d84db86a1c4bc4c7c6742f881325b91f
SSDEEP   1536:lSnLvJP8TvwjrAF6B2Xms/J9CuHXFw6ESkgBJk8DiAzOcJxltuxYAYZIKSWMRNcz:MLasHq6QwHSj9OybuxYnWXRNcz
Malware Config

Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d8fb.exe
Sality family

UAC bypass  (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8fb.exe
Windows security bypass  (12 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d8fb.exe
Executes dropped EXE  (4 IoCs)
  pid | Process
  5056 | e57b100.exe
  4832 | e57b2a6.exe
  4540 | e57d8eb.exe
  5008 | e57d8fb.exe
Windows security modification  (14 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d8fb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d8fb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d8fb.exe
Checks whether UAC is enabled  (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8fb.exe
Enumerates connected drives  (3 TTPs, 14 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: | e57b100.exe  (9 rows, one per drive letter)
  File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: | e57d8fb.exe  (5 rows, one per drive letter)
UPX packed (yara rule: upx)  (27 IoCs)
  resource | yara_rule
  behavioral2/memory/5056-N-0x0000000000840000-0x00000000018FA000-memory.dmp for N in 6, 8, 9, 10, 11, 17, 18, 26, 33, 34, 35, 36, 37, 38, 39, 65, 68, 69, 71, 72, 74, 75, 78, 82, 83 | upx  (25 dumps of PID 5056, e57b100.exe)
  behavioral2/memory/5008-N-0x0000000000B30000-0x0000000001BEA000-memory.dmp for N in 124, 161 | upx  (2 dumps of PID 5008, e57d8fb.exe)
  Both dumped regions are the same size (0x10BA000 bytes), consistent with the two droppers unpacking the same image.
Drops file in Program Files directory  (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\7z.exe | e57b100.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57b100.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57b100.exe
  These are existing executables opened for writing, not newly created files; for a file infector such as Sality, treat them as candidates for PE infection and re-hash them rather than trusting the installed copies.
Drops file in Windows directory  (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | e57b100.exe
  File created | C:\Windows\e5801ff | e57d8fb.exe
  File created | C:\Windows\e57b17d | e57b100.exe
System Location Discovery: System Language Discovery  (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b2a6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d8eb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d8fb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b100.exe
Suspicious behavior: EnumeratesProcesses  (6 IoCs)
  pid | Process
  5056 | e57b100.exe  (4 rows)
  5008 | e57d8fb.exe  (2 rows)
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5056 | e57b100.exe  (64 identical rows)
Suspicious use of WriteProcessMemory  (64 IoCs)
  Each row is "PID <writer> wrote to memory of <target>" with the writer's pid/Process and the target's procid_target (the target's index in the process list). Rows are grouped by writer in the order logged; the index is in brackets and ×n marks identical consecutive rows.
  writer pid / Process | targets [procid_target]
  4812 rundll32.exe | 4440 [84] ×3
  4440 rundll32.exe | 5056 [85] ×3
  5056 e57b100.exe  | 784 [8], 792 [9], 388 [13], 696 [50], 3092 [51], 3132 [52], 3452 [56], 3572 [57], 3768 [58], 3892 [59], 3984 [60], 4076 [61], 3856 [62], 740 [64], 2132 [74], 4488 [77], 4996 [82], 4812 [83], 4440 [84] ×2
  4440 rundll32.exe | 4832 [86] ×3, 4540 [91] ×3, 5008 [92] ×3
  5056 e57b100.exe  | 784 [8], 792 [9], 388 [13], 696 [50], 3092 [51], 3132 [52], 3452 [56], 3572 [57], 3768 [58], 3892 [59], 3984 [60], 4076 [61], 3856 [62], 740 [64], 2132 [74], 4488 [77], 4996 [82], 4832 [86] ×2, 4540 [91] ×2, 5008 [92] ×2
  5008 e57d8fb.exe  | 784 [8], 792 [9], 388 [13], 696 [50], 3092 [51], 3132 [52]
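The WriteProcessMemory rows above mix two different things. rundll32.exe 4812 writing into 4440, and 4440 writing into the four dropped executables, is a parent writing into a child it has just created, which happens at every process start. e57b100.exe (5056) and e57d8fb.exe (5008) writing into fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE and the other already-running processes is something else: those are processes the droppers did not create, and the 64 SeDebugPrivilege adjustments logged just before are what makes opening them possible. The Python below is an added example, not part of this report or of any sandbox's own code. It parses rows in the report's "wrote to memory of" format, discards parent-to-child writes using the parent/child relations from the process tree, and flags any writer that touches three or more unrelated processes. The rows, PID-to-image map and parent map are transcribed from this report (a subset of the 64 rows, to keep it short); the threshold of three is an assumption.

```python
"""Score process-injection fan-out from Triage-style 'wrote to memory of' rows.

Added example, not part of the sandbox report. Rows, the PID-to-image map and
the parent/child relations are transcribed from the report's WriteProcessMemory
table and process tree (a subset); the child-exclusion rule and the threshold
are this example's own.
"""
import re

# Row shape: 'PID <writer> wrote to memory of <target> <writer> <image> <target index>'
WPM_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<writer_again>\d+) (?P<image>\S+) (?P<target_index>\d+)$"
)

# Subset of the report's 64 rows, in the order logged.
SAMPLE_ROWS = [
    "PID 4812 wrote to memory of 4440 4812 rundll32.exe 84",
    "PID 4440 wrote to memory of 5056 4440 rundll32.exe 85",
    "PID 5056 wrote to memory of 784 5056 e57b100.exe 8",
    "PID 5056 wrote to memory of 792 5056 e57b100.exe 9",
    "PID 5056 wrote to memory of 388 5056 e57b100.exe 13",
    "PID 5056 wrote to memory of 696 5056 e57b100.exe 50",
    "PID 5056 wrote to memory of 3092 5056 e57b100.exe 51",
    "PID 5056 wrote to memory of 3132 5056 e57b100.exe 52",
    "PID 5056 wrote to memory of 3452 5056 e57b100.exe 56",
    "PID 5056 wrote to memory of 4812 5056 e57b100.exe 83",
    "PID 5056 wrote to memory of 4440 5056 e57b100.exe 84",
    "PID 4440 wrote to memory of 4832 4440 rundll32.exe 86",
    "PID 4440 wrote to memory of 5008 4440 rundll32.exe 92",
    "PID 5008 wrote to memory of 784 5008 e57d8fb.exe 8",
    "PID 5008 wrote to memory of 792 5008 e57d8fb.exe 9",
    "PID 5008 wrote to memory of 388 5008 e57d8fb.exe 13",
    "PID 5008 wrote to memory of 696 5008 e57d8fb.exe 50",
]

# PID -> image name, from the process tree (subset).
IMAGES = {
    784: "fontdrvhost.exe", 792: "fontdrvhost.exe", 388: "dwm.exe", 696: "sihost.exe",
    3092: "svchost.exe", 3132: "taskhostw.exe", 3452: "Explorer.EXE",
    4812: "rundll32.exe", 4440: "rundll32.exe", 5056: "e57b100.exe",
    4832: "e57b2a6.exe", 4540: "e57d8eb.exe", 5008: "e57d8fb.exe",
}

# PID -> parent PID, from the tree's nesting. Level-1 processes have no parent here.
PARENT = {4812: 3452, 4440: 4812, 5056: 4440, 4832: 4440, 4540: 4440, 5008: 4440}


def parse_rows(lines):
    """Return (writer_pid, target_pid, writer_image) for every well-formed row."""
    rows = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            rows.append((int(m["writer"]), int(m["target"]), m["image"]))
    return rows


def foreign_targets(rows, parent=PARENT):
    """Distinct targets per writer, excluding the writer's own children.

    A creating process writes the new child's start-up data into it, so every
    spawn produces a parent->child row; those are expected. Anything else is a
    cross-process write the writer has to justify."""
    out = {}
    for writer, target, _ in rows:
        targets = out.setdefault(writer, set())
        if parent.get(target) != writer:
            targets.add(target)
    return out


def flag_injectors(rows, threshold=3, images=IMAGES):
    """Writers touching >= threshold unrelated processes, with targets resolved to names."""
    flagged = {}
    for writer, targets in foreign_targets(rows).items():
        if len(targets) >= threshold:
            flagged[writer] = sorted(f"{images.get(t, '?')}({t})" for t in targets)
    return flagged


if __name__ == "__main__":
    for writer, targets in flag_injectors(parse_rows(SAMPLE_ROWS)).items():
        print(f"{IMAGES.get(writer, '?')} (PID {writer}) wrote into "
              f"{len(targets)} unrelated processes: {', '.join(targets)}")
```

On the full table the same logic leaves 4812 and 4440 with no unrelated targets and gives e57b100.exe 22 distinct unrelated targets (every level-1 process in the tree plus its own parent and grandparent) and e57d8fb.exe six, which is the fan-out pattern worth alerting on regardless of the family name.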
System policy modification  (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b100.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8fb.exe
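Taken together, the registry tables above show both droppers flipping the same set of policy values: the standard-profile Windows Firewall policy (EnableFirewall, DoNotAllowExceptions, DisableNotifications), UAC (EnableLUA) and the Security Center override and notification flags. Two caveats for a responder: EnableLUA = 0 only takes effect after the next reboot, and the Security Center writes landed under WOW6432Node because the droppers are 32-bit processes spawned by the SysWOW64 rundll32.exe, so check the 64-bit view of that key as well before concluding the service was actually silenced. The Python below is an added example, not part of this report or of any sandbox's code: it parses rows in the report's own "Set value" format, maps the known-bad values to what they disable and to ATT&CK technique IDs (the Impair Defenses sub-techniques and Bypass User Account Control that the matrix at the end of this page lists), and records which registry view each write hit. The rows are copied from the tables above plus one constructed control row (setup.exe); the rule table, function names and mapping are this example's own.

```python
"""Map Triage-style registry IoC rows to defence-impairment findings.

Added example, not part of the sandbox report. Input rows are copied from the
signature tables in the report (plus one constructed control row); the rule
table, the ATT&CK mapping and the function names are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One report row: 'Set value (<type>) <key> = "<value>" <process>'
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)\s+'
    r'(?P<key>\\REGISTRY\\\S.*?)\s*=\s*"(?P<value>[^"]*)"\s+'
    r'(?P<process>\S+)$'
)

# (key suffix, value that indicates tampering, what it means, ATT&CK technique)
RULES = [
    (r"FirewallPolicy\StandardProfile\EnableFirewall", "0", "Windows Firewall off (standard profile)", "T1562.004"),
    (r"FirewallPolicy\StandardProfile\DoNotAllowExceptions", "0", "firewall exceptions permitted", "T1562.004"),
    (r"FirewallPolicy\StandardProfile\DisableNotifications", "1", "firewall notifications suppressed", "T1562.004"),
    (r"Policies\System\EnableLUA", "0", "UAC disabled (effective after reboot)", "T1548.002"),
    (r"Security Center\AntiVirusOverride", "1", "Security Center told to ignore AV state", "T1562.001"),
    (r"Security Center\FirewallOverride", "1", "Security Center told to ignore firewall state", "T1562.001"),
    (r"Security Center\AntiVirusDisableNotify", "1", "AV warnings suppressed", "T1562.001"),
    (r"Security Center\FirewallDisableNotify", "1", "firewall warnings suppressed", "T1562.001"),
    (r"Security Center\UpdatesDisableNotify", "1", "Windows Update warnings suppressed", "T1562.001"),
    (r"Security Center\UacDisableNotify", "1", "UAC warnings suppressed", "T1562.001"),
]

# Rows from the report; the last one (setup.exe, EnableLUA = "1") is a constructed control.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57b100.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57b100.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57d8fb.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57b100.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57d8fb.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57b100.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" setup.exe',
]


@dataclass(frozen=True)
class Finding:
    process: str
    key: str          # HKLM\... with any WOW6432Node component removed
    value: str
    meaning: str
    technique: str
    wow64_view: bool  # True if the write landed in the 32-bit (WOW6432Node) view


def normalize_key(key):
    """Rewrite the kernel path as HKLM\\... and record whether it was the WOW64 view."""
    hklm = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    wow64 = "\\WOW6432Node\\" in hklm
    return hklm.replace("\\WOW6432Node", "", 1), wow64


def parse_rows(lines):
    """Keep only 'Set value' rows; 'Key created' and other row types are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in lines) if m]


def classify(rows):
    """Match each row against RULES by key suffix (so both registry views hit) and value."""
    findings = []
    for row in rows:
        key, wow64 = normalize_key(row["key"])
        for suffix, bad_value, meaning, technique in RULES:
            if key.lower().endswith(suffix.lower()) and row["value"] == bad_value:
                findings.append(Finding(row["process"], key, row["value"], meaning, technique, wow64))
    return findings


def techniques_by_process(findings):
    out = defaultdict(set)
    for f in findings:
        out[f.process].add(f.technique)
    return {p: sorted(t) for p, t in out.items()}


def analyze(lines):
    return classify(parse_rows(lines))


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        view = " [WOW64 view]" if f.wow64_view else ""
        print(f"{f.process}: {f.technique} {f.meaning}{view}  ({f.key} = {f.value})")
```

Matching on the key suffix rather than the full path is deliberate: the same tampering shows up as HKLM\SOFTWARE\Microsoft\Security Center\... from a 64-bit process and as HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\... from a 32-bit one, and a rule keyed on the full path would miss one of them. The wow64_view flag keeps that distinction available for the follow-up check on the host.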
Processes

Indentation shows parent/child nesting as reported by the sandbox. The level-1 entries are processes that were already running in the VM (Explorer.EXE is the one that launched rundll32.exe); they are listed because e57b100.exe and e57d8fb.exe wrote into their memory, as recorded in the WriteProcessMemory table above. The sample is a 32-bit DLL (resource tag arch:x86), so the 64-bit rundll32.exe from system32 hands it off to the SysWOW64 copy, and that 32-bit rundll32.exe is the parent of all four dropped executables.

[PID 784]   C:\Windows\system32\fontdrvhost.exe   cmd: "fontdrvhost.exe"
[PID 792]   C:\Windows\system32\fontdrvhost.exe   cmd: "fontdrvhost.exe"
[PID 388]   C:\Windows\system32\dwm.exe   cmd: "dwm.exe"
[PID 696]   C:\Windows\system32\sihost.exe   cmd: sihost.exe
[PID 3092]  C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[PID 3132]  C:\Windows\system32\taskhostw.exe   cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[PID 3452]  C:\Windows\Explorer.EXE   cmd: C:\Windows\Explorer.EXE
  [PID 4812]  C:\Windows\system32\rundll32.exe   cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb55194a5e36e41897fee6f0f0b98dfffdc6632aa318d0c69efde2e66336ec7c.dll,#1
    - Suspicious use of WriteProcessMemory
    [PID 4440]  C:\Windows\SysWOW64\rundll32.exe   cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb55194a5e36e41897fee6f0f0b98dfffdc6632aa318d0c69efde2e66336ec7c.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [PID 5056]  C:\Users\Admin\AppData\Local\Temp\e57b100.exe   cmd: C:\Users\Admin\AppData\Local\Temp\e57b100.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [PID 4832]  C:\Users\Admin\AppData\Local\Temp\e57b2a6.exe   cmd: C:\Users\Admin\AppData\Local\Temp\e57b2a6.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      [PID 4540]  C:\Users\Admin\AppData\Local\Temp\e57d8eb.exe   cmd: C:\Users\Admin\AppData\Local\Temp\e57d8eb.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      [PID 5008]  C:\Users\Admin\AppData\Local\Temp\e57d8fb.exe   cmd: C:\Users\Admin\AppData\Local\Temp\e57d8fb.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
[PID 3572]  C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[PID 3768]  C:\Windows\system32\DllHost.exe   cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[PID 3892]  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[PID 3984]  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[PID 4076]  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[PID 3856]  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[PID 740]   C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[PID 2132]  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[PID 4488]  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[PID 4996]  C:\Windows\system32\backgroundTaskHost.exe   cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
MITRE ATT&CK Enterprise v15

The number after each entry is how many of the signatures above map to it.

Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1

Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 4
    Disable or Modify System Firewall (T1562.004): 1
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 5
Downloads

File 1
  Filesize  97KB
  MD5       848b46947f31096e3d20273e361a7725
  SHA1      6ab3fcade97127726f6c29871c7381f423336d08
  SHA256    2d00bb51eb84693260566755d14e3b3bdb83a5c76be0bb8c37ee4a565bd4d889
  SHA512    05d566623cc5646503a65843f867b1f59ff5b8c74def8e38848c29a2bcb4987dad5395c6f5b83a75d3527c5cfe7a9aa9c2a20de48b82ef72c7b0d82d204a39e8

File 2
  Filesize  257B
  MD5       543cdfc05b37b31f268e45db3d9db4f8
  SHA1      89f7972e01ba11b8d7ea8fa126cf1ed3c22deaf7
  SHA256    f5ecfeec64ef580cebb17fb981a7a7eddcab55614018067e96c138148e98f6da
  SHA512    be2d54b0fad30ebaa83adcaae49ae07b5fa582da809537d24e9ca64810cf26022de1985ccb84a3b539b67cef1e37ae574c67fc423e5b47b52574cc2cb6c39a43