Analysis

Max time kernel: 93s
Max time network: 143s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20-12-2024 19:08
Static task: static1
Behavioral task: behavioral1
Sample: 00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2c.dll
Resource: win7-20240903-en
General

Target: 00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2c.dll
Size: 120KB
MD5: d4d9eed9ba0d0b07623a57c29cdbdf10
SHA1: 60a540135a13a0941d76548f4a0e5849786c7797
SHA256: 00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2c
SHA512: d2ad6c94b788c9aab5a20ef156e2bd6eff808e9934eb6ded7a554e5b8bab901e537563dfbc450e7339bc96da07108c5b94e297694aa9cadf17c15623da8b6126
SSDEEP: 1536:KAjgel2pHKnfktQ13oJ45y/b8ddA7xowtqGHLXmZ0rO4Hikw92cDH9LTA:zUpqnfkQ666bWdA7uw17yQnHikk2cDu
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bd06.exe
Sality family

UAC bypass
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bd06.exe

Windows security bypass
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bd06.exe
Executes dropped EXE (4 IoCs)
PID | Process
4112 | e57a170.exe
5016 | e57a2a8.exe
3964 | e57bcf7.exe
1724 | e57bd06.exe

Windows security modification
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a170.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bd06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bd06.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bd06.exe

Checks whether UAC is enabled
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bd06.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Description | IoC | Process
File opened (read-only) | \??\K: | e57a170.exe
File opened (read-only) | \??\N: | e57a170.exe
File opened (read-only) | \??\R: | e57a170.exe
File opened (read-only) | \??\L: | e57a170.exe
File opened (read-only) | \??\M: | e57a170.exe
File opened (read-only) | \??\O: | e57a170.exe
File opened (read-only) | \??\Q: | e57a170.exe
File opened (read-only) | \??\S: | e57a170.exe
File opened (read-only) | \??\H: | e57a170.exe
File opened (read-only) | \??\I: | e57a170.exe
File opened (read-only) | \??\J: | e57a170.exe
File opened (read-only) | \??\E: | e57bd06.exe
File opened (read-only) | \??\G: | e57bd06.exe
File opened (read-only) | \??\E: | e57a170.exe
File opened (read-only) | \??\G: | e57a170.exe
File opened (read-only) | \??\P: | e57a170.exe
Drops file in Program Files directory (4 IoCs)
Description | IoC | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57a170.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57a170.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57a170.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57a170.exe

Drops file in Windows directory (3 IoCs)
Description | IoC | Process
File created | C:\Windows\e57a1be | e57a170.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a170.exe
File created | C:\Windows\e57f1d2 | e57bd06.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a170.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a2a8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bcf7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bd06.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID | Process
4112 | e57a170.exe
4112 | e57a170.exe
4112 | e57a170.exe
4112 | e57a170.exe
1724 | e57bd06.exe
1724 | e57bd06.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 4112 | e57a170.exe
(the same entry is repeated 64 times in the report)
Suspicious use of WriteProcessMemory (64 IoCs)
Description | PID | Process | Target PID
PID 2748 wrote to memory of 2252 | 2748 | rundll32.exe | 83
PID 2748 wrote to memory of 2252 | 2748 | rundll32.exe | 83
PID 2748 wrote to memory of 2252 | 2748 | rundll32.exe | 83
PID 2252 wrote to memory of 4112 | 2252 | rundll32.exe | 84
PID 2252 wrote to memory of 4112 | 2252 | rundll32.exe | 84
PID 2252 wrote to memory of 4112 | 2252 | rundll32.exe | 84
PID 4112 wrote to memory of 780 | 4112 | e57a170.exe | 8
PID 4112 wrote to memory of 788 | 4112 | e57a170.exe | 9
PID 4112 wrote to memory of 384 | 4112 | e57a170.exe | 13
PID 4112 wrote to memory of 2884 | 4112 | e57a170.exe | 49
PID 4112 wrote to memory of 2912 | 4112 | e57a170.exe | 50
PID 4112 wrote to memory of 3020 | 4112 | e57a170.exe | 52
PID 4112 wrote to memory of 3432 | 4112 | e57a170.exe | 56
PID 4112 wrote to memory of 3540 | 4112 | e57a170.exe | 57
PID 4112 wrote to memory of 3724 | 4112 | e57a170.exe | 58
PID 4112 wrote to memory of 3832 | 4112 | e57a170.exe | 59
PID 4112 wrote to memory of 3912 | 4112 | e57a170.exe | 60
PID 4112 wrote to memory of 3992 | 4112 | e57a170.exe | 61
PID 4112 wrote to memory of 4100 | 4112 | e57a170.exe | 62
PID 4112 wrote to memory of 2864 | 4112 | e57a170.exe | 74
PID 4112 wrote to memory of 1812 | 4112 | e57a170.exe | 76
PID 4112 wrote to memory of 212 | 4112 | e57a170.exe | 81
PID 4112 wrote to memory of 2748 | 4112 | e57a170.exe | 82
PID 4112 wrote to memory of 2252 | 4112 | e57a170.exe | 83
PID 4112 wrote to memory of 2252 | 4112 | e57a170.exe | 83
PID 2252 wrote to memory of 5016 | 2252 | rundll32.exe | 85
PID 2252 wrote to memory of 5016 | 2252 | rundll32.exe | 85
PID 2252 wrote to memory of 5016 | 2252 | rundll32.exe | 85
PID 2252 wrote to memory of 3964 | 2252 | rundll32.exe | 87
PID 2252 wrote to memory of 3964 | 2252 | rundll32.exe | 87
PID 2252 wrote to memory of 3964 | 2252 | rundll32.exe | 87
PID 2252 wrote to memory of 1724 | 2252 | rundll32.exe | 88
PID 2252 wrote to memory of 1724 | 2252 | rundll32.exe | 88
PID 2252 wrote to memory of 1724 | 2252 | rundll32.exe | 88
PID 4112 wrote to memory of 780 | 4112 | e57a170.exe | 8
PID 4112 wrote to memory of 788 | 4112 | e57a170.exe | 9
PID 4112 wrote to memory of 384 | 4112 | e57a170.exe | 13
PID 4112 wrote to memory of 2884 | 4112 | e57a170.exe | 49
PID 4112 wrote to memory of 2912 | 4112 | e57a170.exe | 50
PID 4112 wrote to memory of 3020 | 4112 | e57a170.exe | 52
PID 4112 wrote to memory of 3432 | 4112 | e57a170.exe | 56
PID 4112 wrote to memory of 3540 | 4112 | e57a170.exe | 57
PID 4112 wrote to memory of 3724 | 4112 | e57a170.exe | 58
PID 4112 wrote to memory of 3832 | 4112 | e57a170.exe | 59
PID 4112 wrote to memory of 3912 | 4112 | e57a170.exe | 60
PID 4112 wrote to memory of 3992 | 4112 | e57a170.exe | 61
PID 4112 wrote to memory of 4100 | 4112 | e57a170.exe | 62
PID 4112 wrote to memory of 2864 | 4112 | e57a170.exe | 74
PID 4112 wrote to memory of 1812 | 4112 | e57a170.exe | 76
PID 4112 wrote to memory of 5016 | 4112 | e57a170.exe | 85
PID 4112 wrote to memory of 5016 | 4112 | e57a170.exe | 85
PID 4112 wrote to memory of 3964 | 4112 | e57a170.exe | 87
PID 4112 wrote to memory of 3964 | 4112 | e57a170.exe | 87
PID 4112 wrote to memory of 1724 | 4112 | e57a170.exe | 88
PID 4112 wrote to memory of 1724 | 4112 | e57a170.exe | 88
PID 1724 wrote to memory of 780 | 1724 | e57bd06.exe | 8
PID 1724 wrote to memory of 788 | 1724 | e57bd06.exe | 9
PID 1724 wrote to memory of 384 | 1724 | e57bd06.exe | 13
PID 1724 wrote to memory of 2884 | 1724 | e57bd06.exe | 49
PID 1724 wrote to memory of 2912 | 1724 | e57bd06.exe | 50
PID 1724 wrote to memory of 3020 | 1724 | e57bd06.exe | 52
PID 1724 wrote to memory of 3432 | 1724 | e57bd06.exe | 56
PID 1724 wrote to memory of 3540 | 1724 | e57bd06.exe | 57
PID 1724 wrote to memory of 3724 | 1724 | e57bd06.exe | 58
System policy modification (1 TTPs, 2 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a170.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bd06.exe
Processes

C:\Windows\system32\fontdrvhost.exe  (PID 780)
    Command line: "fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe  (PID 788)
    Command line: "fontdrvhost.exe"

C:\Windows\system32\dwm.exe  (PID 384)
    Command line: "dwm.exe"

C:\Windows\system32\sihost.exe  (PID 2884)
    Command line: sihost.exe

C:\Windows\system32\svchost.exe  (PID 2912)
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe  (PID 3020)
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE  (PID 3432)
    Command line: C:\Windows\Explorer.EXE

    C:\Windows\system32\rundll32.exe  (PID 2748)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2c.dll,#1
        Signatures:
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe  (PID 2252)
            Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\00c57fe6c3c0477ed34944a6ef6512fe485db00aef3e798eaefbd97312611b2c.dll,#1
            Signatures:
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e57a170.exe  (PID 4112)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57a170.exe
                Signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e57a2a8.exe  (PID 5016)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57a2a8.exe
                Signatures:
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e57bcf7.exe  (PID 3964)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57bcf7.exe
                Signatures:
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e57bd06.exe  (PID 1724)
                Command line: C:\Users\Admin\AppData\Local\Temp\e57bd06.exe
                Signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification

C:\Windows\system32\svchost.exe  (PID 3540)
    Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe  (PID 3724)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (PID 3832)
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 3912)
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (PID 3992)
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 4100)
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  (PID 2864)
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 1812)
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe  (PID 212)
    Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)

Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: aeedaa4ab3ec0bb5dc1871d489a38547
SHA1: 22b183f00b9ffba0723481262b22228a66099e73
SHA256: 47db4fb291a3ea9bec3d18b293ea41fe2b34d0b63bd2de8a055c1325ce2eea9b
SHA512: 2ab218dd78c8d6abcd9de618211e71f91abe01b1f21fd13f7da844a95d5965d8b847b70e54af65068ff7651bc29a46df4ecaf54a8bfcd119a4fd94efa21b4e6f

Filesize: 257B
MD5: 028490261268484a0ba7ed37fe318356
SHA1: 87608b9b279e54d75034a912902da381f17ff4c8
SHA256: f065bb32912abe304c9421ee868e55940eaa5c28cf39c4f8c9b9a7abafb57a23
SHA512: d82606ca5bfb313e3d95891255b2dfdf9f0f3bc01a88a3d9a0402f5a321da96e5d61883a7c22992a3bbba56e42908362f5dbadfb4bbb550e17e5ab84644facd0