Analysis
Max time kernel: 120s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 17-12-2024 19:56
Static task: static1
Behavioral task: behavioral1
Sample: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll
Resource: win7-20240903-en
General
Target: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll
Size: 120KB
MD5: 9dc96332f0429dcdf0d5cf740a199d1d
SHA1: ae161f31ffd151782ac230f2d284cefa37a7d893
SHA256: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e
SHA512: 4eb806fe37abe922c7140247dc6ebf05b2ea86e318219910ac85cf77e280ca4fb5c22a636520c4b062df6a4cb5427b096c6e7431efa91d3a9d53489698d6b491
SSDEEP: 1536:nteWGbTI21kNVKvLOLgtznu/qT5syoj4oygV26nUOVUtsSkqV4PVIDrhC:nubE2a7ZUwqT+bEHgVvUaa463w
Malware Config
Extracted (sality):
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 9 IoCs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f7728c5.exe)
Sality family
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7728c5.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f7728c5.exe)
Executes dropped EXE 3 IoCs
- PID 2748: f76f7d6.exe
- PID 2656: f76f9ba.exe
- PID 2348: f7728c5.exe
Loads dropped DLL 6 IoCs
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
- PID 2316: rundll32.exe
Windows security modification
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76f7d6.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76f9ba.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f7728c5.exe)
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f7d6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f9ba.exe)
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E: (f7728c5.exe)
- File opened (read-only) \??\G: (f7728c5.exe)
- File opened (read-only) \??\E: (f76f7d6.exe)
- File opened (read-only) \??\G: (f76f7d6.exe)
- File opened (read-only) \??\K: (f76f7d6.exe)
- File opened (read-only) \??\L: (f76f7d6.exe)
- File opened (read-only) \??\J: (f7728c5.exe)
- File opened (read-only) \??\I: (f76f7d6.exe)
- File opened (read-only) \??\M: (f76f7d6.exe)
- File opened (read-only) \??\N: (f76f7d6.exe)
- File opened (read-only) \??\I: (f7728c5.exe)
- File opened (read-only) \??\H: (f76f7d6.exe)
- File opened (read-only) \??\H: (f7728c5.exe)
- File opened (read-only) \??\J: (f76f7d6.exe)
Drops file in Windows directory 4 IoCs
- File created C:\Windows\f775032 (f7728c5.exe)
- File created C:\Windows\f76f872 (f76f7d6.exe)
- File opened for modification C:\Windows\SYSTEM.INI (f76f7d6.exe)
- File created C:\Windows\f774837 (f76f9ba.exe)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f76f7d6.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f76f9ba.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f7728c5.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 2748: f76f7d6.exe
- PID 2748: f76f7d6.exe
- PID 2656: f76f9ba.exe
- PID 2348: f7728c5.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 43 IoCs
System policy modification 1 TTPs 3 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f9ba.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f7728c5.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f7d6.exe)
Processes
- C:\Windows\system32\taskhost.exe (PID 1064)
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (PID 1112)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1152)
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 2272)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll,#1
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2316)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll,#1
      Signatures:
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f76f7d6.exe (PID 2748)
        Command line: C:\Users\Admin\AppData\Local\Temp\f76f7d6.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76f9ba.exe (PID 2656)
        Command line: C:\Users\Admin\AppData\Local\Temp\f76f9ba.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f7728c5.exe (PID 2348)
        Command line: C:\Users\Admin\AppData\Local\Temp\f7728c5.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe (PID 1472)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 7a9f23db544b655b415b2d03244c245b
  SHA1: c1df12d309f332801b40a8fe1f229dc455b8e138
  SHA256: 8460ffeffa1070169b26cdb8b0551eddea30e0a6ef3a29dd060eaa68a9629e29
  SHA512: f919b4c173fe250f78f6493763efa0dbc333b7ca7e557875f687778563fb99251e70798d823a8ce86c21deff9a4ec0d8a6860ef1c1ba44020793d683e919164e
- Filesize: 257B
  MD5: 139f605a5286db136b40a74bbc65654f
  SHA1: 564e869f600207130d18a2f9534d663d2cf67a18
  SHA256: 3be875e080d45238e834413c146f87c2c61b30918b17adf65b8842f007ebdcdf
  SHA512: b0774e4b35817dcbeb8b48dec281e1451f73fddff904b7e527e97b7e04ba62a9aeff9f490d7d16ee63a130b13c52a998dcfbeb129cef6b86a9e8459362565fd7