Analysis

max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 01:45

Static task: static1
Behavioral task: behavioral1
  Sample: e3357d672bab6e2144b648cc15411367cd358434ff91e041db44574c2e2e1176N.dll
  Resource: win7-20241010-en
General

Target: e3357d672bab6e2144b648cc15411367cd358434ff91e041db44574c2e2e1176N.dll
Size: 120KB
MD5: 73ad0841dd0db6ea73e497546a0d0b60
SHA1: 91def1fea04afc574f2382d7484198e6fc48ce15
SHA256: e3357d672bab6e2144b648cc15411367cd358434ff91e041db44574c2e2e1176
SHA512: 2e45e8ae08a32d86fc2982da96cef7efe8ee6dc0ea4573129e7d24dae3a7efc7d6c23f1b8a1a35c4f84109830c15275f099089f804214af913ea971737901407
SSDEEP: 3072:WytBSCdTmIdXhhf9LcwmVVHrpG6/a4ZI:DyCZmInV9LcD746t
Malware Config

Extracted family: sality
URLs from the extracted configuration (treat as live malware infrastructure):
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Set value (int) under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\, written by each of e57a42f.exe, e57a78a.exe and e57d6c8.exe:
  EnableFirewall = "0"
  DoNotAllowExceptions = "0"
  DisableNotifications = "1"
EnableFirewall = 0 switches the Windows Firewall off for that profile, and DisableNotifications = 1 suppresses the "blocked program" prompts that would otherwise reveal the change to the user.
Sality family

UAC bypass (3 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", written by each of e57a42f.exe, e57a78a.exe and e57d6c8.exe.
EnableLUA = 0 turns User Account Control off for every account on the host; the setting takes effect after the next reboot, so it is a persistence-oriented change rather than an immediate elevation.
Windows security bypass (18 IoCs)
Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, written by each of e57a42f.exe, e57a78a.exe and e57d6c8.exe:
  AntiVirusDisableNotify = "1"
  AntiVirusOverride = "1"
  FirewallDisableNotify = "1"
  FirewallOverride = "1"
  UpdatesDisableNotify = "1"
  UacDisableNotify = "1"
These are the legacy Security Center notification overrides (XP/Vista era) that silence the "no antivirus / firewall off / updates off" warnings. The writes land under WOW6432Node because the dropped executables are 32-bit processes on a 64-bit host, so the registry redirector maps their HKLM\SOFTWARE writes there; a detection that only watches the native path will miss them.
Executes dropped EXE (3 IoCs)
  PID 2796: e57a42f.exe
  PID 2676: e57a78a.exe
  PID 1680: e57d6c8.exe
All three are launched from C:\Users\Admin\AppData\Local\Temp\ by the SysWOW64 rundll32.exe (PID 3536), see the process tree below.
Windows security modification (21 IoCs)
Under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, by each of e57a42f.exe, e57a78a.exe and e57d6c8.exe:
  Set value (int) AntiVirusDisableNotify = "1"
  Set value (int) AntiVirusOverride = "1"
  Set value (int) FirewallDisableNotify = "1"
  Set value (int) FirewallOverride = "1"
  Set value (int) UpdatesDisableNotify = "1"
  Set value (int) UacDisableNotify = "1"
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled (3 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by each of e57a42f.exe, e57a78a.exe and e57d6c8.exe (the same write that triggers "UAC bypass" above).
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by e57a42f.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:
UPX packer detected in memory (yara rule upx, 32 IoCs)
Memory dumps from behavioral2 that match the upx rule:
  PID 2796 (e57a42f.exe), region 0x00000000007F0000-0x00000000018AA000: 23 dumps, behavioral2/memory/2796-N-0x00000000007F0000-0x00000000018AA000-memory.dmp for N = 8, 9, 10, 11, 12, 13, 16, 17, 20, 21, 36, 37, 38, 43, 44, 54, 56, 57, 58, 61, 62, 69, 71
  PID 2676 (e57a78a.exe), region 0x0000000000B50000-0x0000000001C0A000: 9 dumps, behavioral2/memory/2676-N-0x0000000000B50000-0x0000000001C0A000-memory.dmp for N = 92, 93, 94, 95, 96, 97, 98, 100, 128
UPX is a generic packer: the match says the dropped executables are packed, not which family they belong to (that comes from the extracted configuration above).
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\e57a4ac (e57a42f.exe)
  File created: C:\Windows\e57f647 (e57a78a.exe)
  File created: C:\Windows\e581efd (e57d6c8.exe)
  File opened for modification: C:\Windows\SYSTEM.INI (e57a42f.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by rundll32.exe, e57a42f.exe, e57a78a.exe and e57d6c8.exe.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2796 e57a42f.exe (4 records)
  PID 2676 e57a78a.exe (2 records)
  PID 1680 e57d6c8.exe (2 records)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, PID 2796 e57a42f.exe (64 identical records).
SeDebugPrivilege lets a process open any other process with full access regardless of its DACL, which is the prerequisite for the cross-process memory writes listed below.
Suspicious use of WriteProcessMemory (64 IoCs)
Records are "writer PID -> target PID (target's process-tree id)"; identical repeated records are collapsed with a count.
  4292 rundll32.exe -> 3536 (82) x3
  3536 rundll32.exe -> 2796 (83) x3, 2676 (84) x3, 1680 (85) x3
  2796 e57a42f.exe -> 792 (8), 796 (9), 396 (13), 2640 (44), 2684 (45), 2876 (51), 3424 (55), 3608 (57), 3796 (58), 3896 (59), 3964 (60), 4068 (61), 3420 (62), 1484 (64), 60 (75), 4292 (81), each x2; 3536 (82) x2; 2676 (84) x2
  2676 e57a78a.exe -> 792 (8), 796 (9), 396 (13), 2640 (44), 2684 (45), 2876 (51), 3424 (55), 3608 (57), 3796 (58), 3896 (59), 3964 (60), 4068 (61), 3420 (62), 1484 (64), 60 (75), 1680 (85), each x1
The two rundll32.exe entries are the ordinary parent-writes-into-child pattern of process creation. The two dropped executables instead write into every other process in the user session (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, StartMenuExperienceHost, RuntimeBroker, SearchApp, TextInputHost) as well as their own ancestors and sibling, which is code injection, not process creation.
System policy modification (1 TTP, 3 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by each of e57a42f.exe, e57a78a.exe and e57d6c8.exe.
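An added example, not part of the sandbox report or of the sample, showing how the registry IoCs above become a detection over Sysmon Event ID 13 (RegistryEvent, SetValue) telemetry. The key paths and tampered values are the ones listed in the signatures; the Sysmon records, the svchost.exe and netsh.exe images and the threshold of three distinct tells per process are constructed assumptions. The path normaliser folds ControlSet001/CurrentControlSet and the WOW6432Node view into one canonical spelling, so the same rule fires whether the writer is 32-bit or 64-bit.

```python
import re
from collections import defaultdict

# Registry tells taken from the signatures above: path relative to HKLM (lower
# case, WOW6432Node removed, ControlSetNNN/CurrentControlSet collapsed to
# "controlset") mapped to the DWORD value the dropped executables wrote.
SALITY_REGISTRY_TELLS = {
    r"system\controlset\services\sharedaccess\parameters\firewallpolicy\standardprofile\enablefirewall": 0,
    r"system\controlset\services\sharedaccess\parameters\firewallpolicy\standardprofile\donotallowexceptions": 0,
    r"system\controlset\services\sharedaccess\parameters\firewallpolicy\standardprofile\disablenotifications": 1,
    r"software\microsoft\windows\currentversion\policies\system\enablelua": 0,
    r"software\microsoft\security center\antivirusdisablenotify": 1,
    r"software\microsoft\security center\antivirusoverride": 1,
    r"software\microsoft\security center\firewalldisablenotify": 1,
    r"software\microsoft\security center\firewalloverride": 1,
    r"software\microsoft\security center\updatesdisablenotify": 1,
    r"software\microsoft\security center\uacdisablenotify": 1,
}

_HIVE_PREFIXES = ("hklm\\", "hkey_local_machine\\", "\\registry\\machine\\")
_CONTROLSET = re.compile(r"\\(controlset\d{3}|currentcontrolset)\\")
_DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def normalize_path(target_object: str) -> str:
    """Canonicalise a Sysmon TargetObject or a sandbox \\REGISTRY\\MACHINE\\ path."""
    p = target_object.strip().lower()
    for prefix in _HIVE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    p = p.replace("\\wow6432node\\", "\\")      # 32-bit writer, same logical key
    return _CONTROLSET.sub(r"\\controlset\\", p)


def dword_value(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return it as int, else None."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


def score_registry_events(events, threshold: int = 3):
    """events: Sysmon Event ID 13 records as dicts with Image, ProcessId,
    TargetObject and Details. Returns {(image, pid): [value names]} for every
    process that set at least `threshold` distinct tells to the tampered value."""
    hits = defaultdict(set)
    for ev in events:
        path = normalize_path(ev["TargetObject"])
        wanted = SALITY_REGISTRY_TELLS.get(path)
        if wanted is not None and dword_value(ev["Details"]) == wanted:
            hits[(ev["Image"], int(ev["ProcessId"]))].add(path.rsplit("\\", 1)[1])
    return {proc: sorted(t) for proc, t in hits.items() if len(t) >= threshold}


def _ev(image, pid, target, details):
    return {"Image": image, "ProcessId": pid, "TargetObject": target, "Details": details}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e57a42f.exe"   # dropped executable from the report
SVCHOST = r"C:\Windows\System32\svchost.exe"                 # constructed benign writer
NETSH = r"C:\Windows\System32\netsh.exe"                     # constructed benign writer

# Constructed Sysmon Event ID 13 records. The e57a42f.exe lines mirror the
# report's IoCs; the rest are benign noise to show what does not fire.
SAMPLE_EVENTS = [
    _ev(SAMPLE, "2796", r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "DWORD (0x00000000)"),
    _ev(SAMPLE, "2796", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    _ev(SAMPLE, "2796", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride", "DWORD (0x00000001)"),
    _ev(SAMPLE, "2796", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify", "DWORD (0x00000001)"),
    _ev(SVCHOST, "1234", r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "DWORD (0x00000001)"),  # firewall turned ON
    _ev(NETSH, "5678", r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications", "DWORD (0x00000001)"),  # single tell
    _ev(SVCHOST, "1234", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example", "C:\\example.exe"),  # unrelated key
]


if __name__ == "__main__":
    for (image, pid), tells in score_registry_events(SAMPLE_EVENTS).items():
        print(f"ALERT {image} (PID {pid}) set {len(tells)} Sality tells: {', '.join(tells)}")
```

The threshold keeps a single DisableNotifications write by an administrator or a firewall-management tool from paging anyone; EnableLUA = 0 on its own is still worth an alert on most estates, so a deployment would add an unconditional rule for that one value alongside the scored check.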
Processes

Indentation shows process-tree depth. The level-1 session processes appear in this tree because the dropped executables wrote into their memory (see "Suspicious use of WriteProcessMemory"), not because the sample started them. The 64-bit C:\Windows\system32\rundll32.exe (PID 4292) is asked to run export ordinal #1 of the DLL and hands off to the SysWOW64 rundll32.exe (PID 3536), which is the WOW64 behaviour for a 32-bit DLL (the resource tags list arch:x86); PID 3536 is the process that actually executes the DLL and launches the three dropped executables.

PID 792   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 796   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 396   C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"
PID 2640  C:\Windows\system32\sihost.exe   cmdline: sihost.exe
PID 2684  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2876  C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3424  C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
  PID 4292  C:\Windows\system32\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3357d672bab6e2144b648cc15411367cd358434ff91e041db44574c2e2e1176N.dll,#1
    - Suspicious use of WriteProcessMemory
    PID 3536  C:\Windows\SysWOW64\rundll32.exe   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3357d672bab6e2144b648cc15411367cd358434ff91e041db44574c2e2e1176N.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 2796  C:\Users\Admin\AppData\Local\Temp\e57a42f.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      PID 2676  C:\Users\Admin\AppData\Local\Temp\e57a78a.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e57a78a.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      PID 1680  C:\Users\Admin\AppData\Local\Temp\e57d6c8.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e57d6c8.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
PID 3608  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3796  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3896  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3964  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4068  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3420  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1484  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 60    C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
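An added example, not part of the report: it feeds the WriteProcessMemory records above (an abbreviated copy of the report's own lines) through a small fan-out check that separates writes into processes the writer itself spawned from writes into processes it never started. The child-to-parent edges are read off the process tree above; the flagging threshold of five foreign processes is an assumption chosen for the example.

```python
import re

# Excerpt of the report's own "Suspicious use of WriteProcessMemory" records
# (abbreviated; the full list has 64). Record shape:
#   PID <writer> wrote to memory of <target> <writer> <image> <target procid>
REPORT_EXCERPT = """
PID 4292 wrote to memory of 3536 4292 rundll32.exe 82
PID 3536 wrote to memory of 2796 3536 rundll32.exe 83
PID 2796 wrote to memory of 792 2796 e57a42f.exe 8
PID 2796 wrote to memory of 796 2796 e57a42f.exe 9
PID 2796 wrote to memory of 396 2796 e57a42f.exe 13
PID 2796 wrote to memory of 2640 2796 e57a42f.exe 44
PID 2796 wrote to memory of 2684 2796 e57a42f.exe 45
PID 2796 wrote to memory of 2876 2796 e57a42f.exe 51
PID 2796 wrote to memory of 3424 2796 e57a42f.exe 55
PID 2796 wrote to memory of 3608 2796 e57a42f.exe 57
PID 2796 wrote to memory of 4292 2796 e57a42f.exe 81
PID 2796 wrote to memory of 3536 2796 e57a42f.exe 82
PID 3536 wrote to memory of 2676 3536 rundll32.exe 84
PID 2796 wrote to memory of 792 2796 e57a42f.exe 8
PID 2796 wrote to memory of 2676 2796 e57a42f.exe 84
PID 3536 wrote to memory of 1680 3536 rundll32.exe 85
PID 2676 wrote to memory of 792 2676 e57a78a.exe 8
PID 2676 wrote to memory of 796 2676 e57a78a.exe 9
PID 2676 wrote to memory of 396 2676 e57a78a.exe 13
PID 2676 wrote to memory of 2640 2676 e57a78a.exe 44
PID 2676 wrote to memory of 2684 2676 e57a78a.exe 45
PID 2676 wrote to memory of 1680 2676 e57a78a.exe 85
"""

# Child -> parent edges read off the process tree above. Level-1 session
# processes (fontdrvhost, dwm, sihost, Explorer, ...) have no parent in the tree.
PARENT_OF = {4292: 3424, 3536: 4292, 2796: 3536, 2676: 3536, 1680: 3536}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_writes(text):
    """Return [(writer_pid, writer_image, target_pid), ...] from the record text."""
    return [(int(w), image, int(t)) for w, t, image in WRITE_RE.findall(text)]


def is_descendant(pid, ancestor, parent_of):
    """True if `ancestor` sits on pid's parent chain, i.e. pid was spawned under it."""
    while pid in parent_of:
        pid = parent_of[pid]
        if pid == ancestor:
            return True
    return False


def injection_fanout(records, parent_of, min_foreign=5):
    """Group writes by writer and split targets into processes the writer spawned
    (normal for CreateProcess and for hollowing a child) and foreign processes it
    never started. A writer that touches >= min_foreign foreign processes is
    flagged; the threshold is an assumption for this example."""
    by_writer = {}
    for writer, image, target in records:
        entry = by_writer.setdefault(writer, {"image": image, "spawned": set(), "foreign": set()})
        bucket = "spawned" if is_descendant(target, writer, parent_of) else "foreign"
        entry[bucket].add(target)
    for entry in by_writer.values():
        entry["flagged"] = len(entry["foreign"]) >= min_foreign
    return by_writer


if __name__ == "__main__":
    for pid, e in sorted(injection_fanout(parse_writes(REPORT_EXCERPT), PARENT_OF).items()):
        tag = "INJECTION" if e["flagged"] else "ok"
        print(f"{tag:9} {pid:>5} {e['image']:<14} spawned={sorted(e['spawned'])} foreign={sorted(e['foreign'])}")
```

On the excerpt the two rundll32.exe writers only touch their own children and stay unflagged, while e57a42f.exe and e57a78a.exe are flagged because every one of their targets is a process they never created. With EDR telemetry the same split works on the parent-process field of the process-creation event instead of a hand-built PARENT_OF table.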
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 4
    Disable or Modify System Firewall (T1562.004): 1
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 5
Downloads

Filesize: 97KB
MD5: e906cb0acf1bdf0de134b82514f66c4c
SHA1: 9daf453f885e4aa24d6c62a682c9a37aec8ab0ef
SHA256: e5dcaee152ed2db9ba70d5b3ef589ff1df05ad70bc8a39a5cc20e29cbd99f9b2
SHA512: a6572f006c0c64021b6266e511cd767425c6e61105f1d22ffda9bf84599ebc6fe023e536398a072ea965fb7ec542e1e5c91b6cfe8f42f5f4b0f40e673e8a2e03

Filesize: 257B
MD5: 504baae4c04febb400bb496f747a1f24
SHA1: 5770acf0a61f4cffa3c303fbf46350e35e6c29c5
SHA256: 4a3632b1cf2ded174c75966a7837f5e377cc4c5d447b1ea14325e2fe08573bcd
SHA512: 699c1bd6d689daabecc47768b7f578d01de8366080d50cf2eec6bc66b925faff63a7ea9fcedb9bd69660fbb6400a2344537c629b7042e49231c00ba05757355a