Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 23:50
Static task: static1
Behavioral task: behavioral1
Sample: 5e61144e2b1aacff3883d750559a1c0a74c4c638a5a88505ac9a1f786ffd417a.dll
Resource: win7-20240903-en
General
Target: 5e61144e2b1aacff3883d750559a1c0a74c4c638a5a88505ac9a1f786ffd417a.dll
Size: 120KB
MD5: df75314c9a29d3853fb0eb4bb75b20c3
SHA1: 113f5938e74244d82b523b50a8341cc868a76a1c
SHA256: 5e61144e2b1aacff3883d750559a1c0a74c4c638a5a88505ac9a1f786ffd417a
SHA512: c94a83179be2314d291ae9ef0f2c62596340bc988b73609432cd6904643c63114409873cdecd7b0cd7101fb89e8ff210fc45c88c62a38037331f2696ef8d22c4
SSDEEP: 1536:4cnYeEBkSV0HPMpGaoVXqK+gOdSIwoiGbpQAPsa7Slkb8izjTP8Eqa6aNYlqc5eo:gNBoSGZpgghGbpQIsaelGJTP+IWJ5eo
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" [e5e274c.exe]
Sality family

UAC bypass (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [e5e2a3a.exe]

Windows security bypass (12 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [e5e2a3a.exe]
Executes dropped EXE (3 IoCs)
- PID 1884 e5e274c.exe
- PID 4564 e5e2a3a.exe
- PID 2808 e5e42e3.exe
Windows security modification (14 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [e5e2a3a.exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [e5e274c.exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [e5e2a3a.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [e5e2a3a.exe]

Checks whether UAC is enabled (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [e5e2a3a.exe]
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E: [e5e274c.exe]
- File opened (read-only) \??\L: [e5e274c.exe]
- File opened (read-only) \??\N: [e5e274c.exe]
- File opened (read-only) \??\O: [e5e274c.exe]
- File opened (read-only) \??\P: [e5e274c.exe]
- File opened (read-only) \??\S: [e5e274c.exe]
- File opened (read-only) \??\I: [e5e274c.exe]
- File opened (read-only) \??\K: [e5e274c.exe]
- File opened (read-only) \??\R: [e5e274c.exe]
- File opened (read-only) \??\G: [e5e274c.exe]
- File opened (read-only) \??\H: [e5e274c.exe]
- File opened (read-only) \??\J: [e5e274c.exe]
- File opened (read-only) \??\M: [e5e274c.exe]
- File opened (read-only) \??\Q: [e5e274c.exe]
Drops file in Program Files directory (4 IoCs)
- File opened for modification C:\Program Files\7-Zip\7z.exe [e5e274c.exe]
- File opened for modification C:\Program Files\7-Zip\7zFM.exe [e5e274c.exe]
- File opened for modification C:\Program Files\7-Zip\7zG.exe [e5e274c.exe]
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe [e5e274c.exe]
Drops file in Windows directory (3 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI [e5e274c.exe]
- File created C:\Windows\e5e78b8 [e5e2a3a.exe]
- File created C:\Windows\e5e27aa [e5e274c.exe]
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [e5e2a3a.exe]
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [e5e42e3.exe]
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [rundll32.exe]
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [e5e274c.exe]
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 1884 e5e274c.exe
- PID 1884 e5e274c.exe
- PID 1884 e5e274c.exe
- PID 1884 e5e274c.exe
- PID 4564 e5e2a3a.exe
- PID 4564 e5e2a3a.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [e5e274c.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [e5e2a3a.exe]
Processes
Each entry gives the image path, the command line in parentheses, and the PID; indented entries are child processes, and the signatures triggered by a process are listed beneath it.
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID: 780
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID: 788
- C:\Windows\system32\dwm.exe ("dwm.exe") PID: 384
- C:\Windows\system32\sihost.exe (sihost.exe) PID: 2724
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID: 3088
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID: 3168
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID: 3452
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e61144e2b1aacff3883d750559a1c0a74c4c638a5a88505ac9a1f786ffd417a.dll,#1) PID: 2440
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e61144e2b1aacff3883d750559a1c0a74c4c638a5a88505ac9a1f786ffd417a.dll,#1) PID: 2664
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5e274c.exe (C:\Users\Admin\AppData\Local\Temp\e5e274c.exe) PID: 1884
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5e2a3a.exe (C:\Users\Admin\AppData\Local\Temp\e5e2a3a.exe) PID: 4564
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5e42e3.exe (C:\Users\Admin\AppData\Local\Temp\e5e42e3.exe) PID: 2808
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID: 3568
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID: 3744
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID: 3860
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID: 3956
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID: 4056
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID: 3476
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID: 3976
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID: 4520
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: b8f861329c7bae579739782149c5ee25
  SHA1: 2edf200b897299c7f34c7be4be8a11e981a44aed
  SHA256: ad4d7b78f55a89634f8cdea0521aece9bfd21f2a57e8875c79086e97db33818e
  SHA512: 21fa1f9ed1fe4aebb6cef137ee1146816aacd298ec2ac977117775609863360cc0140fcb8287848e66c50984acaa2e74b14a3410dc8315685e8051d46cbccb6b
- Filesize: 257B
  MD5: 974ebaf90391fad557b8c23a80f4c8cf
  SHA1: a026e910bb56575dbe2854dbc9eb46dd1fcc6cda
  SHA256: daded2b9934c0e05cd785bdf496ab1cad72b8ab2bad0772506c4d3b28dcfad45
  SHA512: a5ef4b379d81908915e864c59a042d82219ffbd5fb6d8323ccc267a726493f277aef00c75557cfe5c223f39413efedf849ce4ab4aa882a95a3bf40ce16ca8baa