Analysis
max time kernel: 99s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 19:56
Static task: static1
Behavioral task: behavioral1
Sample: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll
Resource: win7-20240903-en
General
Target: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll
Size: 120KB
MD5: 9dc96332f0429dcdf0d5cf740a199d1d
SHA1: ae161f31ffd151782ac230f2d284cefa37a7d893
SHA256: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e
SHA512: 4eb806fe37abe922c7140247dc6ebf05b2ea86e318219910ac85cf77e280ca4fb5c22a636520c4b062df6a4cb5427b096c6e7431efa91d3a9d53489698d6b491
SSDEEP: 1536:nteWGbTI21kNVKvLOLgtznu/qT5syoj4oygV26nUOVUtsSkqV4PVIDrhC:nubE2a7ZUwqT+bEHgVvUaa463w
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c2d3.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c2d3.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c2d3.exe
Executes dropped EXE (3 IoCs)
pid | Process
628 | e57a0e3.exe
5084 | e57a24b.exe
4432 | e57c2d3.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a0e3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a0e3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c2d3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c2d3.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c2d3.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e57a0e3.exe
File opened (read-only) | \??\L: | e57a0e3.exe
File opened (read-only) | \??\N: | e57a0e3.exe
File opened (read-only) | \??\H: | e57c2d3.exe
File opened (read-only) | \??\O: | e57a0e3.exe
File opened (read-only) | \??\E: | e57c2d3.exe
File opened (read-only) | \??\E: | e57a0e3.exe
File opened (read-only) | \??\G: | e57a0e3.exe
File opened (read-only) | \??\H: | e57a0e3.exe
File opened (read-only) | \??\I: | e57a0e3.exe
File opened (read-only) | \??\K: | e57a0e3.exe
File opened (read-only) | \??\M: | e57a0e3.exe
File opened (read-only) | \??\G: | e57c2d3.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57a0e3.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57a0e3.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57a0e3.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57a141 | e57a0e3.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a0e3.exe
File created | C:\Windows\e57f1f1 | e57c2d3.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a0e3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a24b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c2d3.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
628 | e57a0e3.exe
628 | e57a0e3.exe
628 | e57a0e3.exe
628 | e57a0e3.exe
4432 | e57c2d3.exe
4432 | e57c2d3.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a0e3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c2d3.exe
Processes
image path | command line | PID
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:340
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2652
C:\Windows\system32\sihost.exe | sihost.exe | PID:2660
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2804
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3548
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll,#1 | PID:1608
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll,#1 | PID:4416
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57a0e3.exe | C:\Users\Admin\AppData\Local\Temp\e57a0e3.exe | PID:628
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57a24b.exe | C:\Users\Admin\AppData\Local\Temp\e57a24b.exe | PID:5084
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57c2d3.exe | C:\Users\Admin\AppData\Local\Temp\e57c2d3.exe | PID:4432
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3680
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3876
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3968
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4076
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:772
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4196
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2328
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1644
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 7a9f23db544b655b415b2d03244c245b
SHA1: c1df12d309f332801b40a8fe1f229dc455b8e138
SHA256: 8460ffeffa1070169b26cdb8b0551eddea30e0a6ef3a29dd060eaa68a9629e29
SHA512: f919b4c173fe250f78f6493763efa0dbc333b7ca7e557875f687778563fb99251e70798d823a8ce86c21deff9a4ec0d8a6860ef1c1ba44020793d683e919164e

Filesize: 256B
MD5: 1d9513b83e66ccc0533637ea5df01b76
SHA1: 096b88c82907fcf1da59d8cd00c9d1ac46033d4c
SHA256: fc1ea29aa84fe1820647a1d5aaa6a4bceaca17a8362431ab2f35c6008c43ea59
SHA512: 186022afce11c88ca3e537ae30458baec3f4c9c62e47e0fb9da168be3dfec5f291fc253b27ab47702d03b5bfdd73537bea4c56f86dca9949db7d6d9a9108d812