Analysis

max time kernel: 92s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 08:55

Static task: static1
Behavioral task: behavioral1
Sample: fe5ed133e579b8cfd16a74b660e5396b5f4ed964b68be5c7e3a054d87c434659.dll
Resource: win7-20240729-en
General

Target: fe5ed133e579b8cfd16a74b660e5396b5f4ed964b68be5c7e3a054d87c434659.dll
Size: 120KB
MD5: 3b15ee4e15a1c611a2c1bba67ca7e3fa
SHA1: 6f99f8998f96eedb794f59f29f15c9f527dd1161
SHA256: fe5ed133e579b8cfd16a74b660e5396b5f4ed964b68be5c7e3a054d87c434659
SHA512: 32e4595865eef882f6c572d0198be82106cf30021443af94734d3c698c6027cb7cc00378df5870fd02ba0a6b5bee677e761df72962294821bd738913d1a3b5eb
SSDEEP: 3072:GTvyYZhlHEymskuipjlPHdbSpe9Gj+KpYBGh3R:dYZ7Eywuejx92Eo0BGh3R
Malware Config

Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ab34.exe

Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dd7f.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dd7f.exe
Executes dropped EXE 4 IoCs
pid | Process
3412 | e57ab34.exe
4436 | e57ace9.exe
1056 | e57dd60.exe
2996 | e57dd7f.exe

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dd7f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ab34.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dd7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ab34.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dd7f.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57dd7f.exe
File opened (read-only) | \??\H: | e57ab34.exe
File opened (read-only) | \??\I: | e57ab34.exe
File opened (read-only) | \??\J: | e57ab34.exe
File opened (read-only) | \??\K: | e57ab34.exe
File opened (read-only) | \??\L: | e57ab34.exe
File opened (read-only) | \??\E: | e57dd7f.exe
File opened (read-only) | \??\I: | e57dd7f.exe
File opened (read-only) | \??\E: | e57ab34.exe
File opened (read-only) | \??\M: | e57ab34.exe
File opened (read-only) | \??\N: | e57ab34.exe
File opened (read-only) | \??\H: | e57dd7f.exe
File opened (read-only) | \??\J: | e57dd7f.exe
File opened (read-only) | \??\G: | e57ab34.exe
Yara rule: upx 26 IoCs
resource | yara_rule
behavioral2/memory/3412-10-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-9-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-11-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-24-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-29-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-35-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-18-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-23-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-17-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-8-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-37-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-36-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-38-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-39-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-40-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-46-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-47-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-62-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-63-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-65-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-66-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-67-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-69-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-73-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/3412-79-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2996-157-0x0000000000780000-0x000000000183A000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57aba1 | e57ab34.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ab34.exe
File created | C:\Windows\e5804be | e57dd7f.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dd60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dd7f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ab34.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ace9.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3412 | e57ab34.exe
3412 | e57ab34.exe
3412 | e57ab34.exe
3412 | e57ab34.exe
2996 | e57dd7f.exe
2996 | e57dd7f.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3412 | e57ab34.exe
(all 64 reported entries are identical to the row above)
Suspicious use of WriteProcessMemory 64 IoCs
(the 64 reported entries contain repeats; each distinct relationship is listed once)
description | pid | Process | procid_target
PID 1208 wrote to memory of 3492 | 1208 | rundll32.exe | 83
PID 3492 wrote to memory of 3412 | 3492 | rundll32.exe | 84
PID 3412 wrote to memory of 788 | 3412 | e57ab34.exe | 8
PID 3412 wrote to memory of 792 | 3412 | e57ab34.exe | 9
PID 3412 wrote to memory of 388 | 3412 | e57ab34.exe | 13
PID 3412 wrote to memory of 3008 | 3412 | e57ab34.exe | 50
PID 3412 wrote to memory of 3052 | 3412 | e57ab34.exe | 51
PID 3412 wrote to memory of 3100 | 3412 | e57ab34.exe | 52
PID 3412 wrote to memory of 3436 | 3412 | e57ab34.exe | 56
PID 3412 wrote to memory of 3568 | 3412 | e57ab34.exe | 57
PID 3412 wrote to memory of 3744 | 3412 | e57ab34.exe | 58
PID 3412 wrote to memory of 3832 | 3412 | e57ab34.exe | 59
PID 3412 wrote to memory of 3896 | 3412 | e57ab34.exe | 60
PID 3412 wrote to memory of 3980 | 3412 | e57ab34.exe | 61
PID 3412 wrote to memory of 3372 | 3412 | e57ab34.exe | 62
PID 3412 wrote to memory of 5072 | 3412 | e57ab34.exe | 65
PID 3412 wrote to memory of 4792 | 3412 | e57ab34.exe | 75
PID 3412 wrote to memory of 1584 | 3412 | e57ab34.exe | 81
PID 3412 wrote to memory of 1208 | 3412 | e57ab34.exe | 82
PID 3412 wrote to memory of 3492 | 3412 | e57ab34.exe | 83
PID 3412 wrote to memory of 4436 | 3412 | e57ab34.exe | 85
PID 3492 wrote to memory of 4436 | 3492 | rundll32.exe | 85
PID 3492 wrote to memory of 1056 | 3492 | rundll32.exe | 87
PID 3492 wrote to memory of 2996 | 3492 | rundll32.exe | 88
PID 2996 wrote to memory of 788 | 2996 | e57dd7f.exe | 8
PID 2996 wrote to memory of 792 | 2996 | e57dd7f.exe | 9
PID 2996 wrote to memory of 388 | 2996 | e57dd7f.exe | 13
PID 2996 wrote to memory of 3008 | 2996 | e57dd7f.exe | 50
PID 2996 wrote to memory of 3052 | 2996 | e57dd7f.exe | 51
PID 2996 wrote to memory of 3100 | 2996 | e57dd7f.exe | 52
PID 2996 wrote to memory of 3436 | 2996 | e57dd7f.exe | 56
PID 2996 wrote to memory of 3568 | 2996 | e57dd7f.exe | 57
PID 2996 wrote to memory of 3744 | 2996 | e57dd7f.exe | 58
PID 2996 wrote to memory of 3832 | 2996 | e57dd7f.exe | 59
PID 2996 wrote to memory of 3896 | 2996 | e57dd7f.exe | 60
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ab34.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dd7f.exe
Processes
Indentation follows the process tree reported by the sandbox; the bracketed number is the tree depth.

[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
    PID: 788

[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
    PID: 792

[1] C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    PID: 388

[1] C:\Windows\system32\sihost.exe
    Command line: sihost.exe
    PID: 3008

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 3052

[1] C:\Windows\system32\taskhostw.exe
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 3100

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3436

  [2] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe5ed133e579b8cfd16a74b660e5396b5f4ed964b68be5c7e3a054d87c434659.dll,#1
      PID: 1208
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe5ed133e579b8cfd16a74b660e5396b5f4ed964b68be5c7e3a054d87c434659.dll,#1
        PID: 3492
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\e57ab34.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\e57ab34.exe
          PID: 3412
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

      [4] C:\Users\Admin\AppData\Local\Temp\e57ace9.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\e57ace9.exe
          PID: 4436
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

      [4] C:\Users\Admin\AppData\Local\Temp\e57dd60.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\e57dd60.exe
          PID: 1056
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

      [4] C:\Users\Admin\AppData\Local\Temp\e57dd7f.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\e57dd7f.exe
          PID: 2996
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3568

[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3744

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3832

[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3896

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 3980

[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3372

[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 5072

[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 4792

[1] C:\Windows\system32\backgroundTaskHost.exe
    Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID: 1584
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: d802a14facfab757d2e8c71495b58713
SHA1: 19ab1b1cc23c24f49f7a432cc1478e0a418699e8
SHA256: 39d43d79fc4ba233a9a282bc5cddaca29ec7122ba8cfb7e1d391517a751e8a6d
SHA512: 6553ab17930f94a32dbb713c6f42b9f6e1c034dc91b55b1cd0b395ad62252dcf56ae4c5548769ff74b75115db79779d2d4740045a2521b650e6cdb00f5902f1c

Filesize: 257B
MD5: b0ba3f0d6e5ddd1823d6989f5e654409
SHA1: 75fe678de82452bf57ebc3b5cd0c8986ff3318c8
SHA256: 0ed882baaa99f18fc760d299a13bbccf3590b9de94d05e372b3977c52b735f9b
SHA512: ec4e7211991954626da938e226a6f26b7b75f0c46a3aae35fc0c7ef10166edb6d628a67137fd80ed1b2e5e1cf48c61ff92f006abea7ccc1f29d02c79e92b14b5