Analysis
max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-12-2024 22:14
Static task
static1
Behavioral task
behavioral1
Sample
e5549cb15796422cd499c591d04fe003ef46dbc63da2b688d27bde9393ae5a4f.dll
Resource
win7-20240903-en
General
Target
e5549cb15796422cd499c591d04fe003ef46dbc63da2b688d27bde9393ae5a4f.dll
Size
120KB
MD5
507b2d1563401849378a3801cf6d20eb
SHA1
8ab5680fde3e2d69bfcc1baa2a7ba923117a07fa
SHA256
e5549cb15796422cd499c591d04fe003ef46dbc63da2b688d27bde9393ae5a4f
SHA512
3f95897bdff8c506e25c47eb03c613c39e6c92d63ba6b0cf8b87b87f8f7f330e74a4e3a9059e1042fe2b0e0a5f0fdd7696458e0736e1d1b0298f429fd1011caf
SSDEEP
1536:Aft0NdWtumLEy8CWDMvdnO1BoXmXT+MZWry9x21yffIXX2GcDloC6mzilC0zRz3j:guCl2r6NO1AmD+AWry06sC/ulC0lTWc
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ac3e.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c786.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac3e.exe
Executes dropped EXE 3 IoCs
pid | Process
4796 | e57ac3e.exe
1828 | e57ae8f.exe
1532 | e57c786.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c786.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac3e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c786.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac3e.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c786.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: | e57ac3e.exe
File opened (read-only) | \??\I: | e57ac3e.exe
File opened (read-only) | \??\O: | e57ac3e.exe
File opened (read-only) | \??\L: | e57ac3e.exe
File opened (read-only) | \??\N: | e57ac3e.exe
File opened (read-only) | \??\Q: | e57ac3e.exe
File opened (read-only) | \??\R: | e57ac3e.exe
File opened (read-only) | \??\E: | e57c786.exe
File opened (read-only) | \??\E: | e57ac3e.exe
File opened (read-only) | \??\K: | e57ac3e.exe
File opened (read-only) | \??\P: | e57ac3e.exe
File opened (read-only) | \??\G: | e57ac3e.exe
File opened (read-only) | \??\H: | e57ac3e.exe
File opened (read-only) | \??\J: | e57ac3e.exe
File opened (read-only) | \??\M: | e57ac3e.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57ac3e.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57ac3e.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57ac3e.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57ac3e.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57acab | e57ac3e.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ac3e.exe
File created | C:\Windows\e57fdd8 | e57c786.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ac3e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ae8f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c786.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4796 | e57ac3e.exe
4796 | e57ac3e.exe
4796 | e57ac3e.exe
4796 | e57ac3e.exe
1532 | e57c786.exe
1532 | e57c786.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac3e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c786.exe
Processes
(image | command line | PID; indentation shows the tree depth reported by the sandbox)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1020
C:\Windows\system32\sihost.exe | sihost.exe | PID:2640
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2656
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2804
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3528
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5549cb15796422cd499c591d04fe003ef46dbc63da2b688d27bde9393ae5a4f.dll,#1 | PID:3724
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5549cb15796422cd499c591d04fe003ef46dbc63da2b688d27bde9393ae5a4f.dll,#1 | PID:2788
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57ac3e.exe | C:\Users\Admin\AppData\Local\Temp\e57ac3e.exe | PID:4796
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57ae8f.exe | C:\Users\Admin\AppData\Local\Temp\e57ae8f.exe | PID:1828
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57c786.exe | C:\Users\Admin\AppData\Local\Temp\e57c786.exe | PID:1532
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3640
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3828
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3916
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3980
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4080
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3184
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3748
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3612
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2012
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5016
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2300
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize
97KB
MD5
907987b3deb81b1e0824a0ceaed76ad9
SHA1
ee78868b1f18e4c9d974d69e80512fc5de53b290
SHA256
68932319b942217ef4a269234e34a29c5c71acbc237fc25401bc12b6572fd0be
SHA512
1ed1e76eb2ecde6db266b2d888d2038a3297256e5313dd74f1933709dcab394804045ac74e6a536e752e218ac6360f45612d454a8f945eb17c89635558227bf7

Filesize
257B
MD5
b9e44264bb21fe4892562973ef7b5745
SHA1
157b2da46ded3806d205c441e2c63eb4d0e6dabe
SHA256
cae48c84f01edccb422493219eab970dc9648e06fa7da7e9123eb1ab9c0bc148
SHA512
e0ee26958ac171fa99ad35f67ad11595ac2f847ba64f011cff0c75962d1748e54c960d857ba47be36b319aa2d6ab8849b7efc04d22c0f97ee936d92cf59ff501