Analysis
max time kernel: 96s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 21:24
Static task: static1
Behavioral task: behavioral1
Sample: 5b0e87a3bb38c7be1cc3542b958ab0b1e3d4d1e6382af768f33745a03f9c470dN.dll
Resource: win7-20240903-en
General
Target: 5b0e87a3bb38c7be1cc3542b958ab0b1e3d4d1e6382af768f33745a03f9c470dN.dll
Size: 120KB
MD5: 2646f72741aae238f6adb0fbfa3b3e00
SHA1: 21838b72bb6e9181984990303b9dd6076b88142c
SHA256: 5b0e87a3bb38c7be1cc3542b958ab0b1e3d4d1e6382af768f33745a03f9c470d
SHA512: ab75ad189837540f93579acfe416d6380ea6a98a250df6757c6e120b88b146ff101ade5da7750ef930de736da2230ca9e09c60dd114ae536e325c7df74e8e761
SSDEEP: 1536:TA3ArEUg3gbtrwC7CXny9Tpdpv0/jExPq9uX+DdKLkRJqGhmxJdf54MN9mrjK5:83fUdJwCO3ylpvVX+hKowGgxPCI3
Malware Config
Extracted config, family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e579a8a.exe
Sality family

UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579a8a.exe
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e579a8a.exe
Executes dropped EXE 3 IoCs
pid Process
3152 e577f23.exe
2436 e578117.exe
2188 e579a8a.exe
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e577f23.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e579a8a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e577f23.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e579a8a.exe
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579a8a.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\N: e577f23.exe
File opened (read-only) \??\Q: e577f23.exe
File opened (read-only) \??\J: e577f23.exe
File opened (read-only) \??\G: e577f23.exe
File opened (read-only) \??\H: e577f23.exe
File opened (read-only) \??\M: e577f23.exe
File opened (read-only) \??\R: e577f23.exe
File opened (read-only) \??\E: e579a8a.exe
File opened (read-only) \??\E: e577f23.exe
File opened (read-only) \??\P: e577f23.exe
File opened (read-only) \??\L: e577f23.exe
File opened (read-only) \??\K: e577f23.exe
File opened (read-only) \??\O: e577f23.exe
File opened (read-only) \??\I: e577f23.exe
yara_rule match: upx
resource yara_rule
behavioral2 memory dumps of PID 3152 (e577f23.exe), region 0x00000000007C0000-0x000000000187A000: rule upx matched in every dumped snapshot of this region
behavioral2 memory dumps of PID 2188 (e579a8a.exe), region 0x0000000000BA0000-0x0000000001C5A000: rule upx matched in every dumped snapshot of this region
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files\7-Zip\7z.exe e577f23.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe e577f23.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe e577f23.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe e577f23.exe
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\e577f90 e577f23.exe
File opened for modification C:\Windows\SYSTEM.INI e577f23.exe
File created C:\Windows\e57d0ec e579a8a.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e577f23.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e578117.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e579a8a.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
3152 e577f23.exe (4 IoCs)
2188 e579a8a.exe (2 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 3152 e577f23.exe (the same entry repeated for all 64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577f23.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579a8a.exe
Processes (indented by tree depth; each line gives image path, command line and PID)

C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:768
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:772
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID:332
C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID:2664
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2676
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2840
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:3556
  C:\Windows\system32\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b0e87a3bb38c7be1cc3542b958ab0b1e3d4d1e6382af768f33745a03f9c470dN.dll,#1  PID:3524
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b0e87a3bb38c7be1cc3542b958ab0b1e3d4d1e6382af768f33745a03f9c470dN.dll,#1  PID:2556
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e577f23.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e577f23.exe  PID:3152
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e578117.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e578117.exe  PID:2436
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e579a8a.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e579a8a.exe  PID:2188
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3664
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3856
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3944
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4008
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:4088
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3568
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:4864
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2372
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:1356
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads