Analysis
max time kernel: 96s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 05:20
Static task: static1
Behavioral task: behavioral1
Sample: fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll
Size: 120KB
MD5: fe982c3c0a9998190a5da76f9965ed07
SHA1: a818ada4517f108dab490db25f7eaf08a87682dd
SHA256: 4e30c5eeb1866a8ef3b1dc0618c6080b34bf7fe77c72645005b31d9d43ce0415
SHA512: d22b36f82ca48987de6db872029708da4f788966e3dd0da49d74a3bb22c39189bef17e3d186996c08a6afedac8a5e7c0d17959807c5dd755ec9c226d194d3bd4
SSDEEP: 1536:mxqNa4gnPlNQtYs2cp5KPnRp/NDGi7/4u3JqP0k0KwlATzzNRlWp11hLQAE:Ysa5nPlOmM+PRzDn7r3JqsjbAr6r
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ccb6.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f77f.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f77f.exe
Executes dropped EXE 3 IoCs
pid | Process
2364 | e57ccb6.exe
3648 | e57d409.exe
3628 | e57f77f.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f77f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f77f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f77f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ccb6.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f77f.exe
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e57ccb6.exe
File opened (read-only) | \??\H: | e57f77f.exe
File opened (read-only) | \??\G: | e57ccb6.exe
File opened (read-only) | \??\J: | e57ccb6.exe
File opened (read-only) | \??\K: | e57ccb6.exe
File opened (read-only) | \??\M: | e57ccb6.exe
File opened (read-only) | \??\E: | e57f77f.exe
File opened (read-only) | \??\G: | e57f77f.exe
File opened (read-only) | \??\E: | e57ccb6.exe
File opened (read-only) | \??\H: | e57ccb6.exe
File opened (read-only) | \??\I: | e57ccb6.exe
resource | yara_rule
behavioral2/memory/2364-6-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-7-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-9-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-10-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-12-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-18-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-11-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-19-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-28-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-30-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-33-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-35-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-36-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-37-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-40-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-39-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-50-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-60-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-61-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-63-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-64-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-65-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-67-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-70-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-72-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/2364-73-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/3628-92-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/3628-95-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/3628-144-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57ccb6.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57ccb6.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57ccb6.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57cd14 | e57ccb6.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ccb6.exe
File created | C:\Windows\e581f6a | e57f77f.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ccb6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d409.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f77f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2364 | e57ccb6.exe
2364 | e57ccb6.exe
2364 | e57ccb6.exe
2364 | e57ccb6.exe
3628 | e57f77f.exe
3628 | e57f77f.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2364 | e57ccb6.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4468 wrote to memory of 3552 | 4468 | rundll32.exe | 83
PID 4468 wrote to memory of 3552 | 4468 | rundll32.exe | 83
PID 4468 wrote to memory of 3552 | 4468 | rundll32.exe | 83
PID 3552 wrote to memory of 2364 | 3552 | rundll32.exe | 84
PID 3552 wrote to memory of 2364 | 3552 | rundll32.exe | 84
PID 3552 wrote to memory of 2364 | 3552 | rundll32.exe | 84
PID 2364 wrote to memory of 772 | 2364 | e57ccb6.exe | 8
PID 2364 wrote to memory of 776 | 2364 | e57ccb6.exe | 9
PID 2364 wrote to memory of 1012 | 2364 | e57ccb6.exe | 13
PID 2364 wrote to memory of 2632 | 2364 | e57ccb6.exe | 44
PID 2364 wrote to memory of 2640 | 2364 | e57ccb6.exe | 45
PID 2364 wrote to memory of 2748 | 2364 | e57ccb6.exe | 47
PID 2364 wrote to memory of 3504 | 2364 | e57ccb6.exe | 56
PID 2364 wrote to memory of 3600 | 2364 | e57ccb6.exe | 57
PID 2364 wrote to memory of 3820 | 2364 | e57ccb6.exe | 58
PID 2364 wrote to memory of 3916 | 2364 | e57ccb6.exe | 59
PID 2364 wrote to memory of 3996 | 2364 | e57ccb6.exe | 60
PID 2364 wrote to memory of 4076 | 2364 | e57ccb6.exe | 61
PID 2364 wrote to memory of 4160 | 2364 | e57ccb6.exe | 62
PID 2364 wrote to memory of 4616 | 2364 | e57ccb6.exe | 75
PID 2364 wrote to memory of 5096 | 2364 | e57ccb6.exe | 76
PID 2364 wrote to memory of 2620 | 2364 | e57ccb6.exe | 81
PID 2364 wrote to memory of 4468 | 2364 | e57ccb6.exe | 82
PID 2364 wrote to memory of 3552 | 2364 | e57ccb6.exe | 83
PID 2364 wrote to memory of 3552 | 2364 | e57ccb6.exe | 83
PID 3552 wrote to memory of 3648 | 3552 | rundll32.exe | 85
PID 3552 wrote to memory of 3648 | 3552 | rundll32.exe | 85
PID 3552 wrote to memory of 3648 | 3552 | rundll32.exe | 85
PID 3552 wrote to memory of 3628 | 3552 | rundll32.exe | 88
PID 3552 wrote to memory of 3628 | 3552 | rundll32.exe | 88
PID 3552 wrote to memory of 3628 | 3552 | rundll32.exe | 88
PID 2364 wrote to memory of 772 | 2364 | e57ccb6.exe | 8
PID 2364 wrote to memory of 776 | 2364 | e57ccb6.exe | 9
PID 2364 wrote to memory of 1012 | 2364 | e57ccb6.exe | 13
PID 2364 wrote to memory of 2632 | 2364 | e57ccb6.exe | 44
PID 2364 wrote to memory of 2640 | 2364 | e57ccb6.exe | 45
PID 2364 wrote to memory of 2748 | 2364 | e57ccb6.exe | 47
PID 2364 wrote to memory of 3504 | 2364 | e57ccb6.exe | 56
PID 2364 wrote to memory of 3600 | 2364 | e57ccb6.exe | 57
PID 2364 wrote to memory of 3820 | 2364 | e57ccb6.exe | 58
PID 2364 wrote to memory of 3916 | 2364 | e57ccb6.exe | 59
PID 2364 wrote to memory of 3996 | 2364 | e57ccb6.exe | 60
PID 2364 wrote to memory of 4076 | 2364 | e57ccb6.exe | 61
PID 2364 wrote to memory of 4160 | 2364 | e57ccb6.exe | 62
PID 2364 wrote to memory of 4616 | 2364 | e57ccb6.exe | 75
PID 2364 wrote to memory of 5096 | 2364 | e57ccb6.exe | 76
PID 2364 wrote to memory of 2620 | 2364 | e57ccb6.exe | 81
PID 2364 wrote to memory of 3648 | 2364 | e57ccb6.exe | 85
PID 2364 wrote to memory of 3648 | 2364 | e57ccb6.exe | 85
PID 2364 wrote to memory of 3628 | 2364 | e57ccb6.exe | 88
PID 2364 wrote to memory of 3628 | 2364 | e57ccb6.exe | 88
PID 3628 wrote to memory of 772 | 3628 | e57f77f.exe | 8
PID 3628 wrote to memory of 776 | 3628 | e57f77f.exe | 9
PID 3628 wrote to memory of 1012 | 3628 | e57f77f.exe | 13
PID 3628 wrote to memory of 2632 | 3628 | e57f77f.exe | 44
PID 3628 wrote to memory of 2640 | 3628 | e57f77f.exe | 45
PID 3628 wrote to memory of 2748 | 3628 | e57f77f.exe | 47
PID 3628 wrote to memory of 3504 | 3628 | e57f77f.exe | 56
PID 3628 wrote to memory of 3600 | 3628 | e57f77f.exe | 57
PID 3628 wrote to memory of 3820 | 3628 | e57f77f.exe | 58
PID 3628 wrote to memory of 3916 | 3628 | e57f77f.exe | 59
PID 3628 wrote to memory of 3996 | 3628 | e57f77f.exe | 60
PID 3628 wrote to memory of 4076 | 3628 | e57f77f.exe | 61
PID 3628 wrote to memory of 4160 | 3628 | e57f77f.exe | 62
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ccb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f77f.exe
Processes
path | command line | PID (child processes are indented under their parent; signatures hit by a process are listed beneath it)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1012
C:\Windows\system32\sihost.exe | sihost.exe | PID:2632
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2640
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2748
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3504
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll,#1 | PID:4468
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll,#1 | PID:3552
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57ccb6.exe | C:\Users\Admin\AppData\Local\Temp\e57ccb6.exe | PID:2364
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57d409.exe | C:\Users\Admin\AppData\Local\Temp\e57d409.exe | PID:3648
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57f77f.exe | C:\Users\Admin\AppData\Local\Temp\e57f77f.exe | PID:3628
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3600
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3820
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3916
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3996
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4076
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4160
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4616
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5096
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2620
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: a1672bee7315f9ac858b472ec08c5678
SHA1: 008025e282bdb593008a4da18f5aa6b0c3911493
SHA256: 0e245938776d41664880ca7c81a10c5284eb26e4599e68159c516247bf420ba6
SHA512: 54855c47f2b2f299fe56c948e151697b913e397ebb055726e071caf16704db71c38142a7f4d80c6d11e122bad0e128a641929cbd2f1101f825272b240688e4c0

Filesize: 257B
MD5: a0c497090e5abb807ebd5c7485c91330
SHA1: 76e05901c2378ffc543f52342d6bf6ae2db2e6e6
SHA256: a7525a55bbebe879ca707c36fe4c1281c547a115a1770e9da4f071890b76227e
SHA512: fc5d88473638d530558ccff3b4a8a766527345043ea547fcbc9e2ed5a7370bf338812463ee7f1c9ee3762debfaa655c0e075786ab6c420393402471718b4ddb4