Analysis

max time kernel: 93s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 07:11
Static task: static1
Behavioral task: behavioral1
Sample: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll
Resource: win7-20241023-en
General

Target: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll
Size: 120KB
MD5: 32654fe2ae581a72e9aa91401c2aab82
SHA1: 253c854372ad84dc78e925659cb94a57adc8b1ed
SHA256: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16
SHA512: dd9f8e2a4344607b6197fba025b1237c6e8f85b5e85656d810ff988a7dacec4003b7b98b44a4b28981668c56c06af79d075071a1ec4797a999cdb841bdd7eb62
SSDEEP: 3072:Ho+CyN4Xnld4YwjcNi+g4dzAm8Ws4Py7+14:7Cyanld4HGPJdznjDPy04
Malware Config

Extracted family: sality
Extracted URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5f7d38.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f98be.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f98be.exe
Executes dropped EXE (3 IoCs)
pid | Process
4424 | e5f7d38.exe
1108 | e5f7f0c.exe
2364 | e5f98be.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f98be.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f7d38.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f7d38.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f98be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f7d38.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e5f7d38.exe
File opened (read-only) | \??\G: | e5f7d38.exe
File opened (read-only) | \??\H: | e5f7d38.exe
File opened (read-only) | \??\I: | e5f7d38.exe
File opened (read-only) | \??\J: | e5f7d38.exe
File opened (read-only) | \??\K: | e5f7d38.exe
File opened (read-only) | \??\L: | e5f7d38.exe
File opened (read-only) | \??\M: | e5f7d38.exe
File opened (read-only) | \??\N: | e5f7d38.exe
File opened (read-only) | \??\O: | e5f7d38.exe
File opened (read-only) | \??\P: | e5f7d38.exe
File opened (read-only) | \??\Q: | e5f7d38.exe
File opened (read-only) | \??\R: | e5f7d38.exe
File opened (read-only) | \??\S: | e5f7d38.exe
File opened (read-only) | \??\E: | e5f98be.exe
Yara rule match: upx (35 memory dumps)
resource | yara_rule
behavioral2/memory/4424-N-0x00000000007D0000-0x000000000188A000-memory.dmp, for N in 6, 8, 9, 10, 11, 12, 13, 14, 15, 21, 22, 36, 37, 38, 39, 40, 42, 43, 52, 54, 55, 66, 67, 70, 72, 75, 76, 79, 80, 83, 84, 88, 92 | upx
behavioral2/memory/2364-119-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/2364-153-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5f7d38.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5f7d38.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e5f7d38.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5f7d38.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e5f7d38.exe
File created | C:\Windows\e5fce55 | e5f98be.exe
File created | C:\Windows\e5f7da5 | e5f7d38.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f7d38.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f7f0c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f98be.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process | occurrences
4424 | e5f7d38.exe | 4
2364 | e5f98be.exe | 2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 4424 | e5f7d38.exe | 64
Suspicious use of WriteProcessMemory (64 IoCs)
Repeated rows are collapsed; the occurrences column gives how many times each row appears (64 rows in total).
description | pid | Process | procid_target | occurrences
PID 4440 wrote to memory of 5116 | 4440 | rundll32.exe | 82 | 3
PID 5116 wrote to memory of 4424 | 5116 | rundll32.exe | 83 | 3
PID 5116 wrote to memory of 1108 | 5116 | rundll32.exe | 84 | 3
PID 5116 wrote to memory of 2364 | 5116 | rundll32.exe | 89 | 3
PID 4424 wrote to memory of 4440 | 4424 | e5f7d38.exe | 81 | 1
PID 4424 wrote to memory of 5116 | 4424 | e5f7d38.exe | 82 | 2
PID 4424 wrote to memory of 1108 | 4424 | e5f7d38.exe | 84 | 2
PID 4424 wrote to memory of 2364 | 4424 | e5f7d38.exe | 89 | 2
PID 4424 wrote to memory of 776 | 4424 | e5f7d38.exe | 8 | 2
PID 4424 wrote to memory of 772 | 4424 | e5f7d38.exe | 9 | 2
PID 4424 wrote to memory of 316 | 4424 | e5f7d38.exe | 13 | 2
PID 4424 wrote to memory of 2248 | 4424 | e5f7d38.exe | 49 | 2
PID 4424 wrote to memory of 2752 | 4424 | e5f7d38.exe | 50 | 2
PID 4424 wrote to memory of 2668 | 4424 | e5f7d38.exe | 51 | 2
PID 4424 wrote to memory of 3464 | 4424 | e5f7d38.exe | 54 | 2
PID 4424 wrote to memory of 3596 | 4424 | e5f7d38.exe | 55 | 2
PID 4424 wrote to memory of 3772 | 4424 | e5f7d38.exe | 56 | 2
PID 4424 wrote to memory of 3864 | 4424 | e5f7d38.exe | 57 | 2
PID 4424 wrote to memory of 3924 | 4424 | e5f7d38.exe | 58 | 2
PID 4424 wrote to memory of 4016 | 4424 | e5f7d38.exe | 59 | 2
PID 4424 wrote to memory of 3592 | 4424 | e5f7d38.exe | 60 | 2
PID 4424 wrote to memory of 4996 | 4424 | e5f7d38.exe | 75 | 2
PID 4424 wrote to memory of 4364 | 4424 | e5f7d38.exe | 76 | 2
PID 2364 wrote to memory of 776 | 2364 | e5f98be.exe | 8 | 1
PID 2364 wrote to memory of 772 | 2364 | e5f98be.exe | 9 | 1
PID 2364 wrote to memory of 316 | 2364 | e5f98be.exe | 13 | 1
PID 2364 wrote to memory of 2248 | 2364 | e5f98be.exe | 49 | 1
PID 2364 wrote to memory of 2752 | 2364 | e5f98be.exe | 50 | 1
PID 2364 wrote to memory of 2668 | 2364 | e5f98be.exe | 51 | 1
PID 2364 wrote to memory of 3464 | 2364 | e5f98be.exe | 54 | 1
PID 2364 wrote to memory of 3596 | 2364 | e5f98be.exe | 55 | 1
PID 2364 wrote to memory of 3772 | 2364 | e5f98be.exe | 56 | 1
PID 2364 wrote to memory of 3864 | 2364 | e5f98be.exe | 57 | 1
PID 2364 wrote to memory of 3924 | 2364 | e5f98be.exe | 58 | 1
PID 2364 wrote to memory of 4016 | 2364 | e5f98be.exe | 59 | 1
PID 2364 wrote to memory of 3592 | 2364 | e5f98be.exe | 60 | 1
PID 2364 wrote to memory of 4996 | 2364 | e5f98be.exe | 75 | 1
PID 2364 wrote to memory of 4364 | 2364 | e5f98be.exe | 76 | 1
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f7d38.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f98be.exe
Processes
(indented entries are child processes of the entry above them)

C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 776
C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 772
C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 316
C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2248
C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2752
C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2668
C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3464
    C:\Windows\system32\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll,#1
        PID: 4440
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll,#1
            PID: 5116
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e5f7d38.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e5f7d38.exe
                PID: 4424
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5f7f0c.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e5f7f0c.exe
                PID: 1108
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e5f98be.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e5f98be.exe
                PID: 2364
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3596
C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3772
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3864
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3924
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4016
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3592
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 4996
C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4364
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 9f6dc47fa19382690d19ed8a359696f1
SHA1: 0a673df77cb1219e5372db041ddcf9fafe31328a
SHA256: bc2793599caa0e6703b7370c3508de4543ef98e7581be1ed55acd4731ab59148
SHA512: 83c673802c192a7866faef2e077fa1b85bde25429a0efc9df48471bf0431617b0c24a03f11574c012dc83e5ab145ea86dad736439324724dc7a9a3a002b8c450

Filesize: 257B
MD5: ce083c31d8e5f2d1c08cdd30a4cf4db4
SHA1: 9fd8b9adeeef419d6fd4585e71739b0454b22388
SHA256: 8dd8dd582377fe1cd273bb69eeef8727a65bdb709c0a9d82b03b71bd42eb2707
SHA512: 065bab3542b32100ffb01c4dd22de9996564b1e90706bc92523b931f1c36ac08170615c4047d079456196fd93be8cb9fff40d6c8d1a18c449d5a83aa3b58600f