Analysis
  max time kernel: 94s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-12-2024 13:58
Static task: static1
Behavioral task: behavioral1
  Sample: 8de5357a70e466de907605c3d3eb98de34a5fb6b34a0c163378ca1ed5878f05bN.dll
  Resource: win7-20241010-en
General
  Target: 8de5357a70e466de907605c3d3eb98de34a5fb6b34a0c163378ca1ed5878f05bN.dll
  Size: 120KB
  MD5: f2d47f6dafa106b3af783201a803f4f0
  SHA1: fee0e7e1a4a7530754079d6ca4f59e8926420d5f
  SHA256: 8de5357a70e466de907605c3d3eb98de34a5fb6b34a0c163378ca1ed5878f05b
  SHA512: 274866b9c70b9e11cd38fe5135358cfbb43bdebcf6266e57cb794f8c63adc94d76d189873c362aa5a91c9bb7630ebcd982417689f13751cf5f8e4c3a9afbdb5b
  SSDEEP: 1536:6NOBmW/5lqc6pyH6DghV9CYCAViO9d+ImHEg6AcQw1G5L62nPdoJU/24Jjr:rLhlqcGpMqdAV7+ImHp6lh1Q68yJ
Malware Config
  Extracted family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
  description      ioc                                                                                                                              Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e57a856.exe
-
Sality family
-
UAC bypass
  description      ioc                                                                               Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578c32.exe
-
Windows security bypass
  description      ioc                                                                                     Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57a856.exe
-
Executes dropped EXE (4 IoCs)
  pid   Process
  3680  e578c32.exe
  4704  e578f01.exe
  4076  e57a836.exe
  3240  e57a856.exe
-
Windows security modification
  description      ioc                                                                                     Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"        e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57a856.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                           e57a856.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"        e578c32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                           e578c32.exe
-
Checks whether UAC is enabled
  description      ioc                                                                               Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a856.exe
-
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\E:  e578c32.exe
  File opened (read-only)  \??\O:  e578c32.exe
  File opened (read-only)  \??\M:  e578c32.exe
  File opened (read-only)  \??\Q:  e578c32.exe
  File opened (read-only)  \??\E:  e57a856.exe
  File opened (read-only)  \??\I:  e578c32.exe
  File opened (read-only)  \??\J:  e578c32.exe
  File opened (read-only)  \??\L:  e578c32.exe
  File opened (read-only)  \??\N:  e578c32.exe
  File opened (read-only)  \??\S:  e578c32.exe
  File opened (read-only)  \??\G:  e578c32.exe
  File opened (read-only)  \??\H:  e578c32.exe
  File opened (read-only)  \??\K:  e578c32.exe
  File opened (read-only)  \??\P:  e578c32.exe
  File opened (read-only)  \??\R:  e578c32.exe
-
Yara rule matches in memory (rule: upx)
  resource                                                                               yara_rule
  behavioral2/memory/3680-6-0x0000000000860000-0x000000000191A000-memory.dmp             upx
  behavioral2/memory/3680-10-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-11-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-17-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-21-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-22-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-20-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-18-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-9-0x0000000000860000-0x000000000191A000-memory.dmp             upx
  behavioral2/memory/3680-8-0x0000000000860000-0x000000000191A000-memory.dmp             upx
  behavioral2/memory/3680-19-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-36-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-37-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-38-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-39-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-40-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-42-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-43-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-56-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-59-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-60-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-62-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-76-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-80-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-81-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-83-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-84-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-86-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-88-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-91-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-92-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3680-98-0x0000000000860000-0x000000000191A000-memory.dmp            upx
  behavioral2/memory/3240-126-0x0000000000B30000-0x0000000001BEA000-memory.dmp           upx
  behavioral2/memory/3240-164-0x0000000000B30000-0x0000000001BEA000-memory.dmp           upx
-
Drops file in Program Files directory (4 IoCs)
  description                   ioc                                      Process
  File opened for modification  C:\Program Files\7-Zip\7zG.exe           e578c32.exe
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe     e578c32.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe            e578c32.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe          e578c32.exe
-
Drops file in Windows directory (3 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\e578caf       e578c32.exe
  File opened for modification  C:\Windows\SYSTEM.INI    e578c32.exe
  File created                  C:\Windows\e57de4a       e57a856.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e578c32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e578f01.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a836.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a856.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  3680  e578c32.exe
  3680  e578c32.exe
  3680  e578c32.exe
  3680  e578c32.exe
  3240  e57a856.exe
  3240  e57a856.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3680  e578c32.exe   (64 identical entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process       procid_target
  PID 4636 wrote to memory of 548   4636  rundll32.exe  84
  PID 4636 wrote to memory of 548   4636  rundll32.exe  84
  PID 4636 wrote to memory of 548   4636  rundll32.exe  84
  PID 548 wrote to memory of 3680   548   rundll32.exe  85
  PID 548 wrote to memory of 3680   548   rundll32.exe  85
  PID 548 wrote to memory of 3680   548   rundll32.exe  85
  PID 3680 wrote to memory of 792   3680  e578c32.exe   9
  PID 3680 wrote to memory of 800   3680  e578c32.exe   10
  PID 3680 wrote to memory of 384   3680  e578c32.exe   13
  PID 3680 wrote to memory of 2816  3680  e578c32.exe   51
  PID 3680 wrote to memory of 668   3680  e578c32.exe   52
  PID 3680 wrote to memory of 3144  3680  e578c32.exe   53
  PID 3680 wrote to memory of 3444  3680  e578c32.exe   56
  PID 3680 wrote to memory of 3556  3680  e578c32.exe   57
  PID 3680 wrote to memory of 3744  3680  e578c32.exe   58
  PID 3680 wrote to memory of 3836  3680  e578c32.exe   59
  PID 3680 wrote to memory of 3904  3680  e578c32.exe   60
  PID 3680 wrote to memory of 3992  3680  e578c32.exe   61
  PID 3680 wrote to memory of 4156  3680  e578c32.exe   62
  PID 3680 wrote to memory of 2428  3680  e578c32.exe   75
  PID 3680 wrote to memory of 3248  3680  e578c32.exe   76
  PID 3680 wrote to memory of 4508  3680  e578c32.exe   77
  PID 3680 wrote to memory of 232   3680  e578c32.exe   82
  PID 3680 wrote to memory of 4636  3680  e578c32.exe   83
  PID 3680 wrote to memory of 548   3680  e578c32.exe   84
  PID 3680 wrote to memory of 548   3680  e578c32.exe   84
  PID 548 wrote to memory of 4704   548   rundll32.exe  86
  PID 548 wrote to memory of 4704   548   rundll32.exe  86
  PID 548 wrote to memory of 4704   548   rundll32.exe  86
  PID 548 wrote to memory of 4076   548   rundll32.exe  90
  PID 548 wrote to memory of 4076   548   rundll32.exe  90
  PID 548 wrote to memory of 4076   548   rundll32.exe  90
  PID 548 wrote to memory of 3240   548   rundll32.exe  91
  PID 548 wrote to memory of 3240   548   rundll32.exe  91
  PID 548 wrote to memory of 3240   548   rundll32.exe  91
  PID 3680 wrote to memory of 792   3680  e578c32.exe   9
  PID 3680 wrote to memory of 800   3680  e578c32.exe   10
  PID 3680 wrote to memory of 384   3680  e578c32.exe   13
  PID 3680 wrote to memory of 2816  3680  e578c32.exe   51
  PID 3680 wrote to memory of 668   3680  e578c32.exe   52
  PID 3680 wrote to memory of 3144  3680  e578c32.exe   53
  PID 3680 wrote to memory of 3444  3680  e578c32.exe   56
  PID 3680 wrote to memory of 3556  3680  e578c32.exe   57
  PID 3680 wrote to memory of 3744  3680  e578c32.exe   58
  PID 3680 wrote to memory of 3836  3680  e578c32.exe   59
  PID 3680 wrote to memory of 3904  3680  e578c32.exe   60
  PID 3680 wrote to memory of 3992  3680  e578c32.exe   61
  PID 3680 wrote to memory of 4156  3680  e578c32.exe   62
  PID 3680 wrote to memory of 2428  3680  e578c32.exe   75
  PID 3680 wrote to memory of 3248  3680  e578c32.exe   76
  PID 3680 wrote to memory of 4508  3680  e578c32.exe   77
  PID 3680 wrote to memory of 4704  3680  e578c32.exe   86
  PID 3680 wrote to memory of 4704  3680  e578c32.exe   86
  PID 3680 wrote to memory of 4076  3680  e578c32.exe   90
  PID 3680 wrote to memory of 4076  3680  e578c32.exe   90
  PID 3680 wrote to memory of 3240  3680  e578c32.exe   91
  PID 3680 wrote to memory of 3240  3680  e578c32.exe   91
  PID 3240 wrote to memory of 792   3240  e57a856.exe   9
  PID 3240 wrote to memory of 800   3240  e57a856.exe   10
  PID 3240 wrote to memory of 384   3240  e57a856.exe   13
  PID 3240 wrote to memory of 2816  3240  e57a856.exe   51
  PID 3240 wrote to memory of 668   3240  e57a856.exe   52
  PID 3240 wrote to memory of 3144  3240  e57a856.exe   53
  PID 3240 wrote to memory of 3444  3240  e57a856.exe   56
-
System policy modification (1 TTPs, 2 IoCs)
  description      ioc                                                                               Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e578c32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a856.exe
Processes (depth in brackets; children are indented under their parent)

[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
    PID: 792

[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
    PID: 800

[1] C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    PID: 384

[1] C:\Windows\system32\sihost.exe
    Command line: sihost.exe
    PID: 2816

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 668

[1] C:\Windows\system32\taskhostw.exe
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 3144

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3444

    [2] C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8de5357a70e466de907605c3d3eb98de34a5fb6b34a0c163378ca1ed5878f05bN.dll,#1
        - Suspicious use of WriteProcessMemory
        PID: 4636

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8de5357a70e466de907605c3d3eb98de34a5fb6b34a0c163378ca1ed5878f05bN.dll,#1
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 548

            [4] C:\Users\Admin\AppData\Local\Temp\e578c32.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\e578c32.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 3680

            [4] C:\Users\Admin\AppData\Local\Temp\e578f01.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\e578f01.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 4704

            [4] C:\Users\Admin\AppData\Local\Temp\e57a836.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\e57a836.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 4076

            [4] C:\Users\Admin\AppData\Local\Temp\e57a856.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\e57a856.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 3240

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3556

[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3744

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3836

[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3904

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 3992

[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4156

[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 2428

[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3248

[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4508

[1] C:\Windows\system32\backgroundTaskHost.exe
    Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID: 232
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

  Filesize: 97KB
  MD5: 8352daf5ec53cf7b1354195a68cfdad5
  SHA1: 091be40443c0132932fd2726f757997ae930215e
  SHA256: 1858bcbfc23a93e8abcf881f594e525588e9dc2857b1403467306ad35944b378
  SHA512: e6e0d2e55b7485f215890b808be80ab08b37e44ff7162ee2f86633f7ef19e9b81ef82a4101482ddbff42810368dedebb1ca42b70e74032011bd1ac506ffcc743

  Filesize: 257B
  MD5: 29631914aaa97a12402aa19a235ef505
  SHA1: d6b38510076d3c43f8150f4e1bd3a60803fba72a
  SHA256: 7694c3050e92db9a085c472d383f1fbfeaadab8824d2fe7e67c5ed6a0609efb4
  SHA512: 7d8e71c27514b984cc99cf66f4590be46040c653d0c2c333583d811dc566940c3517d2179dc2bd9b2f93bb63698347c62c9e829415288062bdda9794cdc8e09d