Analysis

max time kernel: 94s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 09:46

Static task: static1
Behavioral task: behavioral1
Sample: 985b71fd79a11777d694c975b763fac7ecd6ec1c6cfbbddf4d5137dd8c986a86N.dll
Resource: win7-20240903-en
General

Target: 985b71fd79a11777d694c975b763fac7ecd6ec1c6cfbbddf4d5137dd8c986a86N.dll
Size: 120KB
MD5: 79e2cd9244974182d1b2d1e8a06b3660
SHA1: d384d2bc0a36513c0f66aa3d1e61a7448e259db2
SHA256: 985b71fd79a11777d694c975b763fac7ecd6ec1c6cfbbddf4d5137dd8c986a86
SHA512: d8042dc1503c834b5f8f3c75993136aac53345ab5b37f71fb900d27b28b3ec96f858dc2af9868825f760b0d18a8ef0afdaae0e5d78a21c5547f391205e8dae90
SSDEEP: 3072:RLuyL6Jn12tJB3ZaAs0R6Rc+1WDT0C/3l0Huj6Av7:RLuG6JeBpO0RJTF/10Hu+M
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5b8bf1.exe
Sality family

UAC bypass (signature name taken from the process tree below; IoC count not given in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b8bf1.exe
Windows security bypass (signature name taken from the process tree below; IoC count not given in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b69b3.exe
Executes dropped EXE (3 IoCs)
pid | Process
1536 | e5b69b3.exe
4492 | e5b6b78.exe
4504 | e5b8bf1.exe
Windows security modification (signature name taken from the process tree below; IoC count not given in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b69b3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b8bf1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b8bf1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5b8bf1.exe
Checks whether UAC is enabled (signature name taken from the process tree below; IoC count not given in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b8bf1.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e5b69b3.exe
File opened (read-only) | \??\I: | e5b69b3.exe
File opened (read-only) | \??\E: | e5b69b3.exe
File opened (read-only) | \??\L: | e5b69b3.exe
File opened (read-only) | \??\M: | e5b69b3.exe
File opened (read-only) | \??\N: | e5b69b3.exe
File opened (read-only) | \??\P: | e5b69b3.exe
File opened (read-only) | \??\G: | e5b69b3.exe
File opened (read-only) | \??\O: | e5b69b3.exe
File opened (read-only) | \??\E: | e5b8bf1.exe
File opened (read-only) | \??\K: | e5b69b3.exe
File opened (read-only) | \??\G: | e5b8bf1.exe
File opened (read-only) | \??\H: | e5b8bf1.exe
File opened (read-only) | \??\J: | e5b69b3.exe
Memory dumps matching yara rule "upx" (29 matches; the report gives no separate signature name for this table)
resource | yara_rule
behavioral2/memory/1536-6-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-9-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-10-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-12-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-29-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-32-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-17-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-11-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-8-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-34-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-36-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-35-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-37-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-38-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-39-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-48-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-56-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-60-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-61-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-63-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-64-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-68-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-69-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-73-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-74-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-75-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/1536-77-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4504-104-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/4504-146-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5b69b3.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5b69b3.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5b69b3.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e5b69b3.exe
File created | C:\Windows\e5bbb4e | e5b8bf1.exe
File created | C:\Windows\e5b6a11 | e5b69b3.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5b69b3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5b6b78.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5b8bf1.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1536 | e5b69b3.exe
1536 | e5b69b3.exe
1536 | e5b69b3.exe
1536 | e5b69b3.exe
4504 | e5b8bf1.exe
4504 | e5b8bf1.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1536 | e5b69b3.exe
(the same row is repeated 64 times in the report; every entry is SeDebugPrivilege from PID 1536, e5b69b3.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 380 wrote to memory of 3044 | 380 | rundll32.exe | 81
PID 380 wrote to memory of 3044 | 380 | rundll32.exe | 81
PID 380 wrote to memory of 3044 | 380 | rundll32.exe | 81
PID 3044 wrote to memory of 1536 | 3044 | rundll32.exe | 82
PID 3044 wrote to memory of 1536 | 3044 | rundll32.exe | 82
PID 3044 wrote to memory of 1536 | 3044 | rundll32.exe | 82
PID 1536 wrote to memory of 788 | 1536 | e5b69b3.exe | 8
PID 1536 wrote to memory of 792 | 1536 | e5b69b3.exe | 9
PID 1536 wrote to memory of 376 | 1536 | e5b69b3.exe | 13
PID 1536 wrote to memory of 2996 | 1536 | e5b69b3.exe | 49
PID 1536 wrote to memory of 3068 | 1536 | e5b69b3.exe | 50
PID 1536 wrote to memory of 1052 | 1536 | e5b69b3.exe | 51
PID 1536 wrote to memory of 3436 | 1536 | e5b69b3.exe | 54
PID 1536 wrote to memory of 3572 | 1536 | e5b69b3.exe | 55
PID 1536 wrote to memory of 3752 | 1536 | e5b69b3.exe | 56
PID 1536 wrote to memory of 3840 | 1536 | e5b69b3.exe | 57
PID 1536 wrote to memory of 3944 | 1536 | e5b69b3.exe | 58
PID 1536 wrote to memory of 4028 | 1536 | e5b69b3.exe | 59
PID 1536 wrote to memory of 3336 | 1536 | e5b69b3.exe | 60
PID 1536 wrote to memory of 2968 | 1536 | e5b69b3.exe | 74
PID 1536 wrote to memory of 4384 | 1536 | e5b69b3.exe | 75
PID 1536 wrote to memory of 380 | 1536 | e5b69b3.exe | 80
PID 1536 wrote to memory of 3044 | 1536 | e5b69b3.exe | 81
PID 1536 wrote to memory of 3044 | 1536 | e5b69b3.exe | 81
PID 3044 wrote to memory of 4492 | 3044 | rundll32.exe | 83
PID 3044 wrote to memory of 4492 | 3044 | rundll32.exe | 83
PID 3044 wrote to memory of 4492 | 3044 | rundll32.exe | 83
PID 3044 wrote to memory of 4504 | 3044 | rundll32.exe | 84
PID 3044 wrote to memory of 4504 | 3044 | rundll32.exe | 84
PID 3044 wrote to memory of 4504 | 3044 | rundll32.exe | 84
PID 1536 wrote to memory of 788 | 1536 | e5b69b3.exe | 8
PID 1536 wrote to memory of 792 | 1536 | e5b69b3.exe | 9
PID 1536 wrote to memory of 376 | 1536 | e5b69b3.exe | 13
PID 1536 wrote to memory of 2996 | 1536 | e5b69b3.exe | 49
PID 1536 wrote to memory of 3068 | 1536 | e5b69b3.exe | 50
PID 1536 wrote to memory of 1052 | 1536 | e5b69b3.exe | 51
PID 1536 wrote to memory of 3436 | 1536 | e5b69b3.exe | 54
PID 1536 wrote to memory of 3572 | 1536 | e5b69b3.exe | 55
PID 1536 wrote to memory of 3752 | 1536 | e5b69b3.exe | 56
PID 1536 wrote to memory of 3840 | 1536 | e5b69b3.exe | 57
PID 1536 wrote to memory of 3944 | 1536 | e5b69b3.exe | 58
PID 1536 wrote to memory of 4028 | 1536 | e5b69b3.exe | 59
PID 1536 wrote to memory of 3336 | 1536 | e5b69b3.exe | 60
PID 1536 wrote to memory of 2968 | 1536 | e5b69b3.exe | 74
PID 1536 wrote to memory of 4384 | 1536 | e5b69b3.exe | 75
PID 1536 wrote to memory of 4492 | 1536 | e5b69b3.exe | 83
PID 1536 wrote to memory of 4492 | 1536 | e5b69b3.exe | 83
PID 1536 wrote to memory of 4504 | 1536 | e5b69b3.exe | 84
PID 1536 wrote to memory of 4504 | 1536 | e5b69b3.exe | 84
PID 4504 wrote to memory of 788 | 4504 | e5b8bf1.exe | 8
PID 4504 wrote to memory of 792 | 4504 | e5b8bf1.exe | 9
PID 4504 wrote to memory of 376 | 4504 | e5b8bf1.exe | 13
PID 4504 wrote to memory of 2996 | 4504 | e5b8bf1.exe | 49
PID 4504 wrote to memory of 3068 | 4504 | e5b8bf1.exe | 50
PID 4504 wrote to memory of 1052 | 4504 | e5b8bf1.exe | 51
PID 4504 wrote to memory of 3436 | 4504 | e5b8bf1.exe | 54
PID 4504 wrote to memory of 3572 | 4504 | e5b8bf1.exe | 55
PID 4504 wrote to memory of 3752 | 4504 | e5b8bf1.exe | 56
PID 4504 wrote to memory of 3840 | 4504 | e5b8bf1.exe | 57
PID 4504 wrote to memory of 3944 | 4504 | e5b8bf1.exe | 58
PID 4504 wrote to memory of 4028 | 4504 | e5b8bf1.exe | 59
PID 4504 wrote to memory of 3336 | 4504 | e5b8bf1.exe | 60
PID 4504 wrote to memory of 2968 | 4504 | e5b8bf1.exe | 74
PID 4504 wrote to memory of 4384 | 4504 | e5b8bf1.exe | 75
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b69b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b8bf1.exe
Processes

Process tree. Each entry is: [depth] image path | command line | PID, followed by the signatures the report attaches to that process. Indentation follows the depth reported for each process.

[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 792
[1] C:\Windows\system32\dwm.exe | "dwm.exe" | PID 376
[1] C:\Windows\system32\sihost.exe | sihost.exe | PID 2996
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3068
[1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 1052
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3436
    [2] C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\985b71fd79a11777d694c975b763fac7ecd6ec1c6cfbbddf4d5137dd8c986a86N.dll,#1 | PID 380
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\985b71fd79a11777d694c975b763fac7ecd6ec1c6cfbbddf4d5137dd8c986a86N.dll,#1 | PID 3044
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\e5b69b3.exe | C:\Users\Admin\AppData\Local\Temp\e5b69b3.exe | PID 1536
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] C:\Users\Admin\AppData\Local\Temp\e5b6b78.exe | C:\Users\Admin\AppData\Local\Temp\e5b6b78.exe | PID 4492
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            [4] C:\Users\Admin\AppData\Local\Temp\e5b8bf1.exe | C:\Users\Admin\AppData\Local\Temp\e5b8bf1.exe | PID 4504
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3572
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3752
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3840
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3944
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4028
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3336
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2968
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4384
Network
MITRE ATT&CK Enterprise v15

Tactic > Technique (count) > Sub-technique (count):

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 0e0765ae034e3bbda33776bf32ee8019
SHA1: cc27f1b05945b915184e9eb1f09c0f631857a642
SHA256: def8552d63042ccfc2fa57fa64008d5012b1a92ba63bebfb57d0642ef09798b9
SHA512: ba67bdc4214c02719a500c7c32ae82142b0645d38a5ee32b8ea50472d8f9e22a22947020037231808b1e13b3fa4a986a7f118cfeeff9315c881bc82e15e8da46

Filesize: 257B
MD5: c7e6181b0e093ddf7d1242b17b71fc5e
SHA1: cc77200fc2b1b44b2d4311cc0b497c480612d33b
SHA256: 29d8a3e0a99ae3aa80ad544c3683c34c9572b1bbdc48fb2302be76cecdf11004
SHA512: d4b7a93943a28a09e99aec774c2428efc423979438e37ae443cc0acae3a44c568ea37b290af77c35d4ab014edf8e148099724362e75401b056cc79ae40870db9