Analysis
max time kernel: 33s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 06:08
Static task: static1
Behavioral task: behavioral1
Sample: 27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll
Resource: win7-20240708-en
General
Target: 27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll
Size: 120KB
MD5: bcac25a742dc6b230b7aaf593f22a086
SHA1: dcca2ec364493ce09dc8f443873aabe2c0781682
SHA256: 27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43
SHA512: 80ec85721c6e12b34ce322b907d44819473bda98a01b9e33a94b55351153d1fb8bb17ac40ae82e92b3eb5871bcfc9caf96b8ee70eaa06e599e064f5315575c3c
SSDEEP: 3072:cFmdaG5KraU4n+AIz+EfRSPhWHP63zDH8r:cF0aGlgrf2hWKXW
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ab34.exe
Sality family

UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe

Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab34.exe
Executes dropped EXE (4 IoCs)
pid | Process
4620 | e5778e9.exe
2032 | e577a7f.exe
1820 | e57ab34.exe
4000 | e57aba1.exe

Windows security modification (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab34.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5778e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e5778e9.exe
File opened (read-only) | \??\M: | e5778e9.exe
File opened (read-only) | \??\H: | e57ab34.exe
File opened (read-only) | \??\I: | e57ab34.exe
File opened (read-only) | \??\E: | e57ab34.exe
File opened (read-only) | \??\G: | e57ab34.exe
File opened (read-only) | \??\E: | e5778e9.exe
File opened (read-only) | \??\G: | e5778e9.exe
File opened (read-only) | \??\H: | e5778e9.exe
File opened (read-only) | \??\K: | e5778e9.exe
File opened (read-only) | \??\L: | e5778e9.exe
File opened (read-only) | \??\J: | e57ab34.exe
File opened (read-only) | \??\I: | e5778e9.exe
File opened (read-only) | \??\N: | e5778e9.exe

YARA rule matches on memory dumps (yara_rule: upx, 28 IoCs)
resource | yara_rule
behavioral2/memory/4620-6-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-11-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-8-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-10-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-9-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-12-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-18-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-28-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-23-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-29-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-35-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-36-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-37-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-38-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-39-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-45-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-46-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-61-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-63-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-64-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-67-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-69-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-70-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-76-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-79-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/4620-81-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/1820-113-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1820-160-0x0000000000770000-0x000000000182A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57d292 | e57ab34.exe
File created | C:\Windows\e577976 | e5778e9.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5778e9.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5778e9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577a7f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ab34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57aba1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4620 | e5778e9.exe
4620 | e5778e9.exe
4620 | e5778e9.exe
4620 | e5778e9.exe
1820 | e57ab34.exe
1820 | e57ab34.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4620 | e5778e9.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4924 wrote to memory of 3528 | 4924 | rundll32.exe | 83
PID 4924 wrote to memory of 3528 | 4924 | rundll32.exe | 83
PID 4924 wrote to memory of 3528 | 4924 | rundll32.exe | 83
PID 3528 wrote to memory of 4620 | 3528 | rundll32.exe | 84
PID 3528 wrote to memory of 4620 | 3528 | rundll32.exe | 84
PID 3528 wrote to memory of 4620 | 3528 | rundll32.exe | 84
PID 4620 wrote to memory of 780 | 4620 | e5778e9.exe | 8
PID 4620 wrote to memory of 788 | 4620 | e5778e9.exe | 9
PID 4620 wrote to memory of 1020 | 4620 | e5778e9.exe | 13
PID 4620 wrote to memory of 2544 | 4620 | e5778e9.exe | 44
PID 4620 wrote to memory of 2556 | 4620 | e5778e9.exe | 45
PID 4620 wrote to memory of 2724 | 4620 | e5778e9.exe | 47
PID 4620 wrote to memory of 3520 | 4620 | e5778e9.exe | 56
PID 4620 wrote to memory of 3660 | 4620 | e5778e9.exe | 57
PID 4620 wrote to memory of 3848 | 4620 | e5778e9.exe | 58
PID 4620 wrote to memory of 3940 | 4620 | e5778e9.exe | 59
PID 4620 wrote to memory of 4004 | 4620 | e5778e9.exe | 60
PID 4620 wrote to memory of 4092 | 4620 | e5778e9.exe | 61
PID 4620 wrote to memory of 4156 | 4620 | e5778e9.exe | 62
PID 4620 wrote to memory of 4348 | 4620 | e5778e9.exe | 74
PID 4620 wrote to memory of 3280 | 4620 | e5778e9.exe | 76
PID 4620 wrote to memory of 3916 | 4620 | e5778e9.exe | 81
PID 4620 wrote to memory of 4924 | 4620 | e5778e9.exe | 82
PID 4620 wrote to memory of 3528 | 4620 | e5778e9.exe | 83
PID 4620 wrote to memory of 3528 | 4620 | e5778e9.exe | 83
PID 3528 wrote to memory of 2032 | 3528 | rundll32.exe | 85
PID 3528 wrote to memory of 2032 | 3528 | rundll32.exe | 85
PID 3528 wrote to memory of 2032 | 3528 | rundll32.exe | 85
PID 4620 wrote to memory of 780 | 4620 | e5778e9.exe | 8
PID 4620 wrote to memory of 788 | 4620 | e5778e9.exe | 9
PID 4620 wrote to memory of 1020 | 4620 | e5778e9.exe | 13
PID 4620 wrote to memory of 2544 | 4620 | e5778e9.exe | 44
PID 4620 wrote to memory of 2556 | 4620 | e5778e9.exe | 45
PID 4620 wrote to memory of 2724 | 4620 | e5778e9.exe | 47
PID 4620 wrote to memory of 3520 | 4620 | e5778e9.exe | 56
PID 4620 wrote to memory of 3660 | 4620 | e5778e9.exe | 57
PID 4620 wrote to memory of 3848 | 4620 | e5778e9.exe | 58
PID 4620 wrote to memory of 3940 | 4620 | e5778e9.exe | 59
PID 4620 wrote to memory of 4004 | 4620 | e5778e9.exe | 60
PID 4620 wrote to memory of 4092 | 4620 | e5778e9.exe | 61
PID 4620 wrote to memory of 4156 | 4620 | e5778e9.exe | 62
PID 4620 wrote to memory of 4348 | 4620 | e5778e9.exe | 74
PID 4620 wrote to memory of 3280 | 4620 | e5778e9.exe | 76
PID 4620 wrote to memory of 3916 | 4620 | e5778e9.exe | 81
PID 4620 wrote to memory of 4924 | 4620 | e5778e9.exe | 82
PID 4620 wrote to memory of 2032 | 4620 | e5778e9.exe | 85
PID 4620 wrote to memory of 2032 | 4620 | e5778e9.exe | 85
PID 3528 wrote to memory of 1820 | 3528 | rundll32.exe | 86
PID 3528 wrote to memory of 1820 | 3528 | rundll32.exe | 86
PID 3528 wrote to memory of 1820 | 3528 | rundll32.exe | 86
PID 3528 wrote to memory of 4000 | 3528 | rundll32.exe | 87
PID 3528 wrote to memory of 4000 | 3528 | rundll32.exe | 87
PID 3528 wrote to memory of 4000 | 3528 | rundll32.exe | 87
PID 1820 wrote to memory of 780 | 1820 | e57ab34.exe | 8
PID 1820 wrote to memory of 788 | 1820 | e57ab34.exe | 9
PID 1820 wrote to memory of 1020 | 1820 | e57ab34.exe | 13
PID 1820 wrote to memory of 2544 | 1820 | e57ab34.exe | 44
PID 1820 wrote to memory of 2556 | 1820 | e57ab34.exe | 45
PID 1820 wrote to memory of 2724 | 1820 | e57ab34.exe | 47
PID 1820 wrote to memory of 3520 | 1820 | e57ab34.exe | 56
PID 1820 wrote to memory of 3660 | 1820 | e57ab34.exe | 57
PID 1820 wrote to memory of 3848 | 1820 | e57ab34.exe | 58
PID 1820 wrote to memory of 3940 | 1820 | e57ab34.exe | 59
PID 1820 wrote to memory of 4004 | 1820 | e57ab34.exe | 60
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5778e9.exe
Processes
(one process per line: image path | command line | PID; indentation shows the parent/child depth of the process tree, and triggered signatures are listed under the process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1020
C:\Windows\system32\sihost.exe | sihost.exe | PID:2544
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2556
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2724
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3520
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll,#1 | PID:4924
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll,#1 | PID:3528
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e5778e9.exe | C:\Users\Admin\AppData\Local\Temp\e5778e9.exe | PID:4620
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      C:\Users\Admin\AppData\Local\Temp\e577a7f.exe | C:\Users\Admin\AppData\Local\Temp\e577a7f.exe | PID:2032
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57ab34.exe | C:\Users\Admin\AppData\Local\Temp\e57ab34.exe | PID:1820
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57aba1.exe | C:\Users\Admin\AppData\Local\Temp\e57aba1.exe | PID:4000
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3660
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3848
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3940
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4004
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4092
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4156
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4348
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3280
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:3916
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique and sub-technique with the number of matching signatures)

Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Create or Modify System Process: 1
    Windows Service: 1

Defense Evasion
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Impair Defenses: 4
    Disable or Modify System Firewall: 1
    Disable or Modify Tools: 3
  Modify Registry: 5
Downloads

Filesize: 97KB
MD5: 5d61bd5cfd312ce28752a7d6e172eff7
SHA1: e388c0c0ff67cdb7aaf2a21ef4a9959e3775dbaf
SHA256: a99fb4151ce1214a1a64511f2d79214e739966734400901f9946c57572fc420d
SHA512: c199b7c2c9f29f4d1689dd60c982ee5380581d3cd2292b9d3a5dc050665b0278c6f94ca29d5a1870d7621a11fd3b0d107c7303d436594972a66a28d1a0fd9bef

Filesize: 257B
MD5: ff4edeb45c713419dc169b37059026f8
SHA1: 1a46de44fc03258632497d5fbc86a25ecfbcb6db
SHA256: efcc2fa5fd67cce3d530030127e3397fa37a9d573c30d87b83c9f6a4ed9a0fe2
SHA512: 27b049d6c0dbeeb06c0aa4f30bebb0ccb8c9f4517237af921c888629aedb6266f1c0732607ab76818c5cf2c84d6b1c3bc1dbd03225d0a93f30e4c5e108e2c7bf