Analysis
max time kernel: 31s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 09:23
Static task: static1
Behavioral task: behavioral1
Sample: bda47cb88a48f31ac634674222808ec9bfe4568bc82b4f819729e99d431559b4.dll
Resource: win7-20241023-en
General
Target: bda47cb88a48f31ac634674222808ec9bfe4568bc82b4f819729e99d431559b4.dll
Size: 120KB
MD5: 9fd28873db3342625b527a1d61f360d6
SHA1: ec2bb16eef41f0a0248fb7b7aff8e88822d63d36
SHA256: bda47cb88a48f31ac634674222808ec9bfe4568bc82b4f819729e99d431559b4
SHA512: 405c69411a64bb48b2cc90ff395235b9e32c29431a9b2f7a55c1b155a5db4367174b13658783ae890788b33d5acbd87230db446afbc253ab846ed9ee9ef098ce
SSDEEP: 3072:Z8uNklEpmdravCSd/whrcqAB2JTOnkdNPrEhvwUSZ:Z8nl1sCSJOr+BCOA0vIZ
Malware Config
Extracted family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5e5523.exe
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5e279a.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5e5523.exe
Executes dropped EXE (4 IoCs)
pid | Process
2296 | e5e279a.exe
1780 | e5e28e3.exe
3892 | e5e5523.exe
2204 | e5e5532.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5e5523.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5e5523.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5e5523.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5e279a.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5e5523.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e5e279a.exe
File opened (read-only) | \??\H: | e5e279a.exe
File opened (read-only) | \??\I: | e5e279a.exe
File opened (read-only) | \??\L: | e5e279a.exe
File opened (read-only) | \??\H: | e5e5523.exe
File opened (read-only) | \??\M: | e5e279a.exe
File opened (read-only) | \??\N: | e5e279a.exe
File opened (read-only) | \??\I: | e5e5523.exe
File opened (read-only) | \??\J: | e5e279a.exe
File opened (read-only) | \??\K: | e5e279a.exe
File opened (read-only) | \??\E: | e5e5523.exe
File opened (read-only) | \??\J: | e5e5523.exe
File opened (read-only) | \??\G: | e5e279a.exe
File opened (read-only) | \??\G: | e5e5523.exe
resource | yara_rule
behavioral2/memory/2296-{6,8,9,10,11,19,22,30,32,33,34,35,36,37,38,45,59,60,62,63,65,68,69,73,74}-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/3892-{113,158}-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5e2817 | e5e279a.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5e279a.exe
File created | C:\Windows\e5e7c71 | e5e5523.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5e5532.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5e279a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5e28e3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5e5523.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2296 | e5e279a.exe
2296 | e5e279a.exe
2296 | e5e279a.exe
2296 | e5e279a.exe
3892 | e5e5523.exe
3892 | e5e5523.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2296 | e5e279a.exe (identical entry repeated 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description (source pid, source Process, target pid, procid_target); repeated identical entries collapsed
PID 3580 (rundll32.exe) wrote to memory of PID 4288 (procid_target 82)
PID 4288 (rundll32.exe) wrote to memory of PID 2296 (procid_target 83)
PID 4288 (rundll32.exe) wrote to memory of PID 1780 (procid_target 84)
PID 4288 (rundll32.exe) wrote to memory of PID 3892 (procid_target 85)
PID 4288 (rundll32.exe) wrote to memory of PID 2204 (procid_target 86)
PID 2296 (e5e279a.exe) wrote to memory of PIDs 780 (8), 788 (9), 384 (13), 2724 (49), 3088 (50), 3168 (51), 3452 (54), 3568 (55), 3744 (56), 3860 (57), 3956 (58), 4056 (59), 3476 (60), 3976 (75), 4520 (76), 3580 (81), 4288 (82), 1780 (84)
PID 3892 (e5e5523.exe) wrote to memory of PIDs 780 (8), 788 (9), 384 (13), 2724 (49), 3088 (50), 3168 (51), 3452 (54), 3568 (55), 3744 (56), 3860 (57), 3956 (58), 4056 (59), 3476 (60)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5e279a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5e5523.exe
Processes (image | command line | PID; indentation shows tree depth)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
C:\Windows\system32\sihost.exe | sihost.exe | PID:2724
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3088
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3168
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3452
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\bda47cb88a48f31ac634674222808ec9bfe4568bc82b4f819729e99d431559b4.dll,#1 | PID:3580
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\bda47cb88a48f31ac634674222808ec9bfe4568bc82b4f819729e99d431559b4.dll,#1 | PID:4288
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e5e279a.exe | C:\Users\Admin\AppData\Local\Temp\e5e279a.exe | PID:2296
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5e28e3.exe | C:\Users\Admin\AppData\Local\Temp\e5e28e3.exe | PID:1780
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e5e5523.exe | C:\Users\Admin\AppData\Local\Temp\e5e5523.exe | PID:3892
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5e5532.exe | C:\Users\Admin\AppData\Local\Temp\e5e5532.exe | PID:2204
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3568
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3744
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3860
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3956
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4056
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3476
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3976
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4520
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: d220674b34170149626156d20759227e
SHA1: f9cccbf7f88573fa778560de0080f153f9bf504f
SHA256: a2d19115ab21ed5815b5f476524f7fe78091633958bb84abd6336df4e6138317
SHA512: 4c33e081fc1dd6bd2900947899ab1baecce7b2c24f6b21218ed846e1e847f34c47cf219b412b71f29d65bdb9c992b364026127c0bdc43a164e7c0629bb466d08

Filesize: 257B
MD5: b1b2a248626d4aeb5f5d29537c028cad
SHA1: 042fa1ae55fe14f17645d932f2baa5fca2699831
SHA256: cdd8e1e0ce00f243c377490e1de686f85181cdb33bf92e4fd1d0e7f03e0bf2b0
SHA512: 88fd8839ee0f13c6c27dc7960ed4cc3e7dd7a63b38cfd4db7e4bb819bdd80a6820c955d306cf0ae609d9a8fccae74b6d27e7773a7819fc98972e06d03a6855e6