Analysis
max time kernel: 95s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 04:25
Static task: static1
Behavioral task: behavioral1
Sample: b5c443265eaa3d3cd2e54481ef68fa15cc188107a130af4d6eb3654882a1f486.dll
Resource: win7-20240903-en
General
Target: b5c443265eaa3d3cd2e54481ef68fa15cc188107a130af4d6eb3654882a1f486.dll
Size: 120KB
MD5: 360c97700bffa464699a8fa2e6e417d8
SHA1: 27fed44aae9248625daf417a536338a7e997a098
SHA256: b5c443265eaa3d3cd2e54481ef68fa15cc188107a130af4d6eb3654882a1f486
SHA512: edc73061c1689de82a948c53f9eba59eb75e8d242b818564112dd85565ad03684bf4ca8c0b0fa37df50daae0f9beb960ab5526fc69dd2146c7a7abb901a80f39
SSDEEP: 1536:r2Abx4SLivmRTqtZ5fbp8stVqyVLwW1u868nj0CIwB4PEHdjj77gPWvlyxzPYecW:r54SLSZ5zbVLw8nj0z8gEFj78uvlydJ
Malware Config
Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e5777ff.exe
Sality family

UAC bypass
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5777ff.exe

Windows security bypass
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e5777ff.exe
Executes dropped EXE (4 IoCs)
  pid  Process
  3248  e5774d2.exe
  4940  e5777ff.exe
  3696  e579337.exe
  3224  e579357.exe

Windows security modification
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e5774d2.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e5777ff.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e5777ff.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e5777ff.exe

Checks whether UAC is enabled
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5777ff.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description  ioc  Process
  File opened (read-only)  \??\R:  e5774d2.exe
  File opened (read-only)  \??\I:  e5774d2.exe
  File opened (read-only)  \??\J:  e5774d2.exe
  File opened (read-only)  \??\K:  e5774d2.exe
  File opened (read-only)  \??\M:  e5774d2.exe
  File opened (read-only)  \??\P:  e5774d2.exe
  File opened (read-only)  \??\H:  e5774d2.exe
  File opened (read-only)  \??\Q:  e5774d2.exe
  File opened (read-only)  \??\N:  e5774d2.exe
  File opened (read-only)  \??\S:  e5774d2.exe
  File opened (read-only)  \??\E:  e5774d2.exe
  File opened (read-only)  \??\G:  e5774d2.exe
  File opened (read-only)  \??\L:  e5774d2.exe
  File opened (read-only)  \??\O:  e5774d2.exe
Drops file in Program Files directory (4 IoCs)
  description  ioc  Process
  File opened for modification  C:\Program Files\7-Zip\7z.exe  e5774d2.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe  e5774d2.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe  e5774d2.exe
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  e5774d2.exe

Drops file in Windows directory (3 IoCs)
  description  ioc  Process
  File created  C:\Windows\e577520  e5774d2.exe
  File opened for modification  C:\Windows\SYSTEM.INI  e5774d2.exe
  File created  C:\Windows\e57c68c  e5777ff.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5774d2.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5777ff.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e579337.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e579357.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  Process
  3248  e5774d2.exe
  3248  e5774d2.exe
  3248  e5774d2.exe
  3248  e5774d2.exe
  4940  e5777ff.exe
  4940  e5777ff.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
  description  ioc  Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5774d2.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5777ff.exe
Processes
Indentation shows process-tree depth; each line gives the image path, the command line, and the PID, followed by the signatures that fired for that process.

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:768
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:776
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:60
C:\Windows\system32\sihost.exe  sihost.exe  PID:2520
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2536
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2672
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3360
  C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5c443265eaa3d3cd2e54481ef68fa15cc188107a130af4d6eb3654882a1f486.dll,#1  PID:4540
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5c443265eaa3d3cd2e54481ef68fa15cc188107a130af4d6eb3654882a1f486.dll,#1  PID:4236
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e5774d2.exe  C:\Users\Admin\AppData\Local\Temp\e5774d2.exe  PID:3248
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5777ff.exe  C:\Users\Admin\AppData\Local\Temp\e5777ff.exe  PID:4940
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e579337.exe  C:\Users\Admin\AppData\Local\Temp\e579337.exe  PID:3696
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e579357.exe  C:\Users\Admin\AppData\Local\Temp\e579357.exe  PID:3224
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3660
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3856
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3972
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4036
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:1296
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3948
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:1648
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:1924
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:4448
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 0b648bee0e2a596c58e0a7cf0297bd65
SHA1: e0806b9d6ddc4e11c071dac49050626db283d677
SHA256: 465767ce209587f92f037a55f168e80b9f67d4c60bc28852c9075c21ec13bc93
SHA512: e399a0ce4e7b3f4f177edad054100c299a9303009279db28423ff268bc43fb0feead0c76664c0c50da25e94ee36f5219f7b11c427e39e5176e5f2293d21b8471

Filesize: 256B
MD5: 340fcca3949c4f16e234e7ec0ecc4cd7
SHA1: 8e65a1cf41f95c31f6267cc1165bb21d4eddf7a0
SHA256: 07198f9846fcf06e652277a5f8d9f7bcaac8d448e666ea836cd1e3a58f41f60a
SHA512: a983761b35eb17b4eb82b6f5ec7163e481687dc35c25ab33113be0e0994420bfe1c6033cea3fb5f47b0f7ebc94750024b430c219390ca68ff704cceab21b333e