Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 03:08
Static task: static1
Behavioral task: behavioral1
Sample: b33f8ccb111d6ef62514a143fb6ee18bc5b668077ca67b5bdf3ed0a4ad9fb7a0N.dll
Resource: win7-20241023-en
General
Target: b33f8ccb111d6ef62514a143fb6ee18bc5b668077ca67b5bdf3ed0a4ad9fb7a0N.dll
Size: 120KB
MD5: 5f20c0ce3b399a8f717911d9aba5e0f0
SHA1: 5d2d333372eaab84dfe17c38d1697f30cb9f99f0
SHA256: b33f8ccb111d6ef62514a143fb6ee18bc5b668077ca67b5bdf3ed0a4ad9fb7a0
SHA512: 16aadd78465082b2eb9c0e2fc35df4d341863aaeacddb3bbf1beaefc194d1f64338469bb90455a71f5fe05860561efffae589eea5fc5e70f42f7e6131d8d87a3
SSDEEP: 3072:GTvyYZhlHEymskuipjlPHdbSpe9Gj+KpYBGh3:dYZ7Eywuejx92Eo0BGh3
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57754f.exe
Sality family
UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57754f.exe
Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57754f.exe
Executes dropped EXE (4 IoCs)
pid | Process
1820 | e57731d.exe
2416 | e57754f.exe
4796 | e578e94.exe
1240 | e578eb3.exe
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57754f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57731d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57754f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57754f.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57754f.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57731d.exe
File opened (read-only) | \??\G: | e57731d.exe
File opened (read-only) | \??\H: | e57731d.exe
File opened (read-only) | \??\I: | e57731d.exe
File opened (read-only) | \??\J: | e57731d.exe
File opened (read-only) | \??\K: | e57731d.exe
File opened (read-only) | \??\L: | e57731d.exe
File opened (read-only) | \??\M: | e57731d.exe
File opened (read-only) | \??\N: | e57731d.exe
File opened (read-only) | \??\O: | e57731d.exe
File opened (read-only) | \??\P: | e57731d.exe
File opened (read-only) | \??\Q: | e57731d.exe
File opened (read-only) | \??\R: | e57731d.exe
File opened (read-only) | \??\S: | e57731d.exe
resource: yara_rule upx (behavioral2 memory dumps of PID 1820 and PID 2416)
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57731d.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57731d.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57731d.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57731d.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57731d.exe
File created | C:\Windows\e57c44a | e57754f.exe
File created | C:\Windows\e57738a | e57731d.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57731d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57754f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578e94.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578eb3.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1820 | e57731d.exe
1820 | e57731d.exe
1820 | e57731d.exe
1820 | e57731d.exe
2416 | e57754f.exe
2416 | e57754f.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1820 | e57731d.exe (this row is repeated 64 times)
Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows collapsed)
description | pid | Process | procid_target
PID 392 wrote to memory of 4692 | 392 | rundll32.exe | 83
PID 4692 wrote to memory of 1820 | 4692 | rundll32.exe | 84
PID 1820 wrote to memory of 772 | 1820 | e57731d.exe | 8
PID 1820 wrote to memory of 780 | 1820 | e57731d.exe | 9
PID 1820 wrote to memory of 384 | 1820 | e57731d.exe | 13
PID 1820 wrote to memory of 2652 | 1820 | e57731d.exe | 44
PID 1820 wrote to memory of 2664 | 1820 | e57731d.exe | 45
PID 1820 wrote to memory of 2840 | 1820 | e57731d.exe | 50
PID 1820 wrote to memory of 3488 | 1820 | e57731d.exe | 56
PID 1820 wrote to memory of 3624 | 1820 | e57731d.exe | 57
PID 1820 wrote to memory of 3836 | 1820 | e57731d.exe | 58
PID 1820 wrote to memory of 3932 | 1820 | e57731d.exe | 59
PID 1820 wrote to memory of 4024 | 1820 | e57731d.exe | 60
PID 1820 wrote to memory of 680 | 1820 | e57731d.exe | 61
PID 1820 wrote to memory of 4080 | 1820 | e57731d.exe | 62
PID 1820 wrote to memory of 2488 | 1820 | e57731d.exe | 74
PID 1820 wrote to memory of 4680 | 1820 | e57731d.exe | 76
PID 1820 wrote to memory of 2088 | 1820 | e57731d.exe | 81
PID 1820 wrote to memory of 392 | 1820 | e57731d.exe | 82
PID 1820 wrote to memory of 4692 | 1820 | e57731d.exe | 83
PID 4692 wrote to memory of 2416 | 4692 | rundll32.exe | 85
PID 4692 wrote to memory of 4796 | 4692 | rundll32.exe | 86
PID 4692 wrote to memory of 1240 | 4692 | rundll32.exe | 87
PID 1820 wrote to memory of 2416 | 1820 | e57731d.exe | 85
PID 1820 wrote to memory of 4796 | 1820 | e57731d.exe | 86
PID 1820 wrote to memory of 1240 | 1820 | e57731d.exe | 87
PID 2416 wrote to memory of 772 | 2416 | e57754f.exe | 8
PID 2416 wrote to memory of 780 | 2416 | e57754f.exe | 9
PID 2416 wrote to memory of 384 | 2416 | e57754f.exe | 13
PID 2416 wrote to memory of 2652 | 2416 | e57754f.exe | 44
PID 2416 wrote to memory of 2664 | 2416 | e57754f.exe | 45
PID 2416 wrote to memory of 2840 | 2416 | e57754f.exe | 50
PID 2416 wrote to memory of 3488 | 2416 | e57754f.exe | 56
PID 2416 wrote to memory of 3624 | 2416 | e57754f.exe | 57
PID 2416 wrote to memory of 3836 | 2416 | e57754f.exe | 58
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57731d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57754f.exe
Processes
(image | command line | PID; indentation shows the parent/child level)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 772
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 780
C:\Windows\system32\dwm.exe | "dwm.exe" | PID: 384
C:\Windows\system32\sihost.exe | sihost.exe | PID: 2652
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 2664
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 2840
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 3488
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b33f8ccb111d6ef62514a143fb6ee18bc5b668077ca67b5bdf3ed0a4ad9fb7a0N.dll,#1 | PID: 392
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b33f8ccb111d6ef62514a143fb6ee18bc5b668077ca67b5bdf3ed0a4ad9fb7a0N.dll,#1 | PID: 4692
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57731d.exe | C:\Users\Admin\AppData\Local\Temp\e57731d.exe | PID: 1820
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57754f.exe | C:\Users\Admin\AppData\Local\Temp\e57754f.exe | PID: 2416
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e578e94.exe | C:\Users\Admin\AppData\Local\Temp\e578e94.exe | PID: 4796
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e578eb3.exe | C:\Users\Admin\AppData\Local\Temp\e578eb3.exe | PID: 1240
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 3624
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3836
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3932
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 4024
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 680
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 4080
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID: 2488
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 4680
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID: 2088
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID: 1352
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: d802a14facfab757d2e8c71495b58713
SHA1: 19ab1b1cc23c24f49f7a432cc1478e0a418699e8
SHA256: 39d43d79fc4ba233a9a282bc5cddaca29ec7122ba8cfb7e1d391517a751e8a6d
SHA512: 6553ab17930f94a32dbb713c6f42b9f6e1c034dc91b55b1cd0b395ad62252dcf56ae4c5548769ff74b75115db79779d2d4740045a2521b650e6cdb00f5902f1c

Filesize: 256B
MD5: 0ec3451a847c2aebc166518c7e3813b4
SHA1: 7d461684e59f6de917a4355dc93b3f729d39a710
SHA256: a8e0723119bc003fada714986c82081529901fe3be4d20eb3309093b48a04d3f
SHA512: 85fb8b1e7871c9027ff803ab082494f04c3444096e260f32c2274decbffa18edea38dd92012ca1c766e8f26523ea3c8b4d093de2e5696f2e7d5d834ed42812a9