Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-12-2024 23:43
  Static task: static1
  Behavioral task: behavioral1
  Sample: 468379dcc66bb1a04f0260b63c8817948b5fcb6c1b008faa2fa62c080893470e.dll
  Resource: win7-20241010-en
General
  Target: 468379dcc66bb1a04f0260b63c8817948b5fcb6c1b008faa2fa62c080893470e.dll
  Size: 120KB
  MD5: 0f579acab2ea583ad8570e66ecf4ebb1
  SHA1: f0920b7cda926e9d6e8523a079be346640fd8b7b
  SHA256: 468379dcc66bb1a04f0260b63c8817948b5fcb6c1b008faa2fa62c080893470e
  SHA512: 07d9d9988c89dfe662c3fbb1f01910f076a6abfa00f759c5c97b311a90cd0399436d1a106b94f1fab2e11fcfb6a700cab105d341b26b931db9af00b342c4d443
  SSDEEP: 3072:uCqgNr9CnbEoMzkj/9gl9O64MOxXZToIW4QHwx5:ZqyMVMzkj/OjOWMXKIWnQP
Malware Config
  Extracted
    Family: sality
    URLs:
      http://89.119.67.154/testo5/
      http://kukutrustnet777.info/home.gif
      http://kukutrustnet888.info/home.gif
      http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577445.exe
Sality family

UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578fad.exe

Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578fad.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  4172 | e577445.exe
  4660 | e577530.exe
  1996 | e578fad.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577445.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578fad.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578fad.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578fad.exe

Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578fad.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\N:, \??\R:, \??\O:, \??\S:, \??\T:, \??\J:, \??\K:, \??\M:, \??\E:, \??\H:, \??\P:, \??\Q:, \??\G:, \??\I:, \??\L: | e577445.exe
  File opened (read-only) | \??\G:, \??\E: | e578fad.exe
Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | e577445.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e577445.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | e577445.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e577445.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\e577494 | e577445.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e577445.exe
  File created | C:\Windows\e57c479 | e578fad.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577445.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577530.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578fad.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  4172 | e577445.exe (4 entries)
  1996 | e578fad.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4172 | e577445.exe (64 identical entries)
Suspicious use of WriteProcessMemory (63 IoCs)
  Grouped by source process; each target is listed as "target PID (procid_target)", with the number of identical entries where more than one was recorded.
  3684 rundll32.exe wrote to memory of: 5084 (83) x3
  5084 rundll32.exe wrote to memory of: 4172 (84) x3, 4660 (85) x3, 1996 (87) x3
  4172 e577445.exe wrote to memory of: 780 (8) x2, 788 (9) x2, 316 (13) x2, 2508 (42) x2, 2540 (43) x2, 2640 (44) x2, 3484 (56) x2, 3612 (57) x2, 3852 (58) x2, 3944 (59) x2, 4004 (60) x2, 380 (61) x2, 2340 (74) x2, 4192 (76) x2, 3036 (81), 3684 (82), 5084 (83) x2, 4660 (85) x2, 1996 (87) x2, 860 (91)
  1996 e578fad.exe wrote to memory of: 780 (8), 788 (9), 316 (13), 2508 (42), 2540 (43), 2640 (44), 3484 (56), 3612 (57), 3852 (58), 3944 (59), 4004 (60), 380 (61), 2340 (74), 4192 (76)
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577445.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578fad.exe
Processes
Indentation follows the process-tree depth given in the report; each entry lists PID, image path and command line, followed by the signatures triggered by that process.

PID 780  C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"
PID 788  C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"
PID 316  C:\Windows\system32\dwm.exe  cmdline: "dwm.exe"
PID 2508  C:\Windows\system32\sihost.exe  cmdline: sihost.exe
PID 2540  C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2640  C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3484  C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE
  PID 3684  C:\Windows\system32\rundll32.exe  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\468379dcc66bb1a04f0260b63c8817948b5fcb6c1b008faa2fa62c080893470e.dll,#1
    - Suspicious use of WriteProcessMemory
    PID 5084  C:\Windows\SysWOW64\rundll32.exe  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\468379dcc66bb1a04f0260b63c8817948b5fcb6c1b008faa2fa62c080893470e.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 4172  C:\Users\Admin\AppData\Local\Temp\e577445.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e577445.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      PID 4660  C:\Users\Admin\AppData\Local\Temp\e577530.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e577530.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      PID 1996  C:\Users\Admin\AppData\Local\Temp\e578fad.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e578fad.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
PID 3612  C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3852  C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3944  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4004  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 380  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 2340  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4192  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3036  C:\Windows\system32\backgroundTaskHost.exe  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 860  C:\Windows\system32\backgroundTaskHost.exe  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
  File 1
    Filesize: 97KB
    MD5: 98d55a24465aed01d3b6fd8014025254
    SHA1: 753c0db1e5e5f16849cc1740ddfacd71f69c7a7c
    SHA256: 08acb6ba58736f9d44acc584e161c913e1866281d441d434e4efabcca62c573c
    SHA512: 9c77f351a84d88cdfdd17982a02d66b68fc4468f8b1960a72631a5f56b8dc8e0b56beb934f06ccf8e79c6e4743a54d446d4e9d747609a35bf1702f8ec1b335cb
  File 2
    Filesize: 257B
    MD5: 60ba6c8e969d359a0a3c21a4bed6f8e1
    SHA1: 6b9017abe25bf5abf5ed52e40adf5c2cf19a5fa4
    SHA256: 59fbcb46a24d9ace3a532c8a9b3a14ef52e866a0ffa6507d5e1aad5c53dcfdd8
    SHA512: 2c8931599cae947e6791ae245d0b5f79c341f5c7b78a2fb75d169b556286318890d7ef05575b882d20c0aa8fe69865c24bc225a7f281314e0926e68876d78809