Analysis
- max time kernel: 94s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 23:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll
- Resource: win7-20240903-en
General
- Target: a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll
- Size: 120KB
- MD5: 89f777f85e883ec4b45d9c2568e10ab0
- SHA1: 6cee9f1ce114ce0e6357b27d56fab429914146fc
- SHA256: a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607
- SHA512: cabc908fb6c53f28bce24b9a77491c72583bdb33a7a406704b78f7e6c9f2b7f28d180a4081c2a3c5e0250dce55750c780d39b275c2febd1fb321dc65356ab4a0
- SSDEEP: 1536:ryZUI76rS/VmFjSeRaEKdDWpu9ADzDF9oBd7z8YhwaDNvOOckVyPpUV0DC+UaUPm:iMuVGjSz4u9G9oB2Cw0ObVhBubBAez
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578f01.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578f01.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578f01.exe
Executes dropped EXE 3 IoCs
pid | Process
2316 | e57739a.exe
828 | e5774c2.exe
3404 | e578f01.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57739a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578f01.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578f01.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578f01.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57739a.exe
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | e57739a.exe
File opened (read-only) | \??\E: | e57739a.exe
File opened (read-only) | \??\H: | e57739a.exe
File opened (read-only) | \??\K: | e57739a.exe
File opened (read-only) | \??\E: | e578f01.exe
File opened (read-only) | \??\L: | e57739a.exe
File opened (read-only) | \??\M: | e57739a.exe
File opened (read-only) | \??\O: | e57739a.exe
File opened (read-only) | \??\I: | e57739a.exe
File opened (read-only) | \??\J: | e57739a.exe
File opened (read-only) | \??\R: | e57739a.exe
File opened (read-only) | \??\S: | e57739a.exe
File opened (read-only) | \??\G: | e578f01.exe
File opened (read-only) | \??\G: | e57739a.exe
File opened (read-only) | \??\P: | e57739a.exe
File opened (read-only) | \??\Q: | e57739a.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57739a.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57739a.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57739a.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57739a.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5773f7 | e57739a.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57739a.exe
File created | C:\Windows\e57c41b | e578f01.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57739a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5774c2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578f01.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2316 | e57739a.exe
3404 | e578f01.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2316 | e57739a.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3764 wrote to memory of 3804 | 3764 | rundll32.exe | 82
PID 3804 wrote to memory of 2316 | 3804 | rundll32.exe | 83
PID 2316 wrote to memory of 800 | 2316 | e57739a.exe | 9
PID 2316 wrote to memory of 808 | 2316 | e57739a.exe | 10
PID 2316 wrote to memory of 384 | 2316 | e57739a.exe | 13
PID 2316 wrote to memory of 2636 | 2316 | e57739a.exe | 44
PID 2316 wrote to memory of 2664 | 2316 | e57739a.exe | 45
PID 2316 wrote to memory of 2836 | 2316 | e57739a.exe | 49
PID 2316 wrote to memory of 3500 | 2316 | e57739a.exe | 55
PID 2316 wrote to memory of 3724 | 2316 | e57739a.exe | 57
PID 2316 wrote to memory of 3908 | 2316 | e57739a.exe | 58
PID 2316 wrote to memory of 4000 | 2316 | e57739a.exe | 59
PID 2316 wrote to memory of 4064 | 2316 | e57739a.exe | 60
PID 2316 wrote to memory of 2804 | 2316 | e57739a.exe | 61
PID 2316 wrote to memory of 4128 | 2316 | e57739a.exe | 62
PID 2316 wrote to memory of 3304 | 2316 | e57739a.exe | 74
PID 2316 wrote to memory of 4980 | 2316 | e57739a.exe | 76
PID 2316 wrote to memory of 3764 | 2316 | e57739a.exe | 81
PID 2316 wrote to memory of 3804 | 2316 | e57739a.exe | 82
PID 3804 wrote to memory of 828 | 3804 | rundll32.exe | 84
PID 3804 wrote to memory of 3404 | 3804 | rundll32.exe | 89
PID 2316 wrote to memory of 828 | 2316 | e57739a.exe | 84
PID 2316 wrote to memory of 3404 | 2316 | e57739a.exe | 89
PID 3404 wrote to memory of 800 | 3404 | e578f01.exe | 9
PID 3404 wrote to memory of 808 | 3404 | e578f01.exe | 10
PID 3404 wrote to memory of 384 | 3404 | e578f01.exe | 13
PID 3404 wrote to memory of 2636 | 3404 | e578f01.exe | 44
PID 3404 wrote to memory of 2664 | 3404 | e578f01.exe | 45
PID 3404 wrote to memory of 2836 | 3404 | e578f01.exe | 49
PID 3404 wrote to memory of 3500 | 3404 | e578f01.exe | 55
PID 3404 wrote to memory of 3724 | 3404 | e578f01.exe | 57
PID 3404 wrote to memory of 3908 | 3404 | e578f01.exe | 58
PID 3404 wrote to memory of 4000 | 3404 | e578f01.exe | 59
PID 3404 wrote to memory of 4064 | 3404 | e578f01.exe | 60
PID 3404 wrote to memory of 2804 | 3404 | e578f01.exe | 61
PID 3404 wrote to memory of 4128 | 3404 | e578f01.exe | 62
PID 3404 wrote to memory of 3304 | 3404 | e578f01.exe | 74
PID 3404 wrote to memory of 4980 | 3404 | e578f01.exe | 76
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57739a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578f01.exe
Processes (child processes are indented under their parent; signatures listed per process)

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID:800

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID:808

C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID:384

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID:2636

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID:2664

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID:2836

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:3500

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:3764

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3804

        C:\Users\Admin\AppData\Local\Temp\e57739a.exe
          command line: C:\Users\Admin\AppData\Local\Temp\e57739a.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:2316

        C:\Users\Admin\AppData\Local\Temp\e5774c2.exe
          command line: C:\Users\Admin\AppData\Local\Temp\e5774c2.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:828

        C:\Users\Admin\AppData\Local\Temp\e578f01.exe
          command line: C:\Users\Admin\AppData\Local\Temp\e578f01.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID:3404

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3724

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID:4000

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:2804

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4128

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID:3304

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4980
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: bd78a65d792cae1e3a0e184c23122c37
  SHA1: 7b8eb3b5852bd32051680154f18b190465d53b76
  SHA256: fa0a3c3b2de196c46efd1e75eaeb85e1e9d13e50b6fb6a0a776273490ad71af7
  SHA512: 4ab79fa1fc91eebafd6a2522f2fbc152239973dc7878d42a69f0bc326f404d9aaf89b0cb6bd5d6d7e622da5849eb3d26d43317d24fd2e8933ace7728a0409a98

- Filesize: 257B
  MD5: 1dc14048bd42825c2a8538820b100d87
  SHA1: 0ae2a9175e122db31804ab8247827807f00a12b9
  SHA256: 0c9fc4b9401ed6b957d24dd72da243157b70ef6ddac0ce2f9acfadc8814e7fda
  SHA512: f7b9da48e42bcf2af5ab6e7a023f7629d7c5812c86efca7fcaef322e968547242eb52365aaa0ec4c0dfce5b8c6b5ce3455cdecca75ed7b74d11d92e846989b64