Analysis

max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 06:00

Static task: static1
Behavioral task: behavioral1
Sample: e30df87007d64287ca3a275f2688568987aef6300dc551d9646c7a541278880a.dll
Resource: win7-20240903-en

General

Target: e30df87007d64287ca3a275f2688568987aef6300dc551d9646c7a541278880a.dll
Size: 120KB
MD5: 6de4485845279aa88623b2b2482fad22
SHA1: a44fbe0ba7b927d543baf61e2a255b97d386ae21
SHA256: e30df87007d64287ca3a275f2688568987aef6300dc551d9646c7a541278880a
SHA512: 18a96784404d15a820d2ad5e5676738e336c75c01dc7c069a95e86ac42bac202dad7d61556bb93665df3256dc9ec9110bf2ca0284485aa2d961a95e767092b44
SSDEEP: 1536:P3f4P02zTr3jzDN3+nStgwRJirjF8JgUCckjEQRqxlsuXUPfxE43rKmYva:Pv4cc/rN3+nStRJiveBCtEG6UhEYJYC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5791b1.exe
Sality family

UAC bypass (signature name inferred from the process tree, where it follows "Modifies firewall policy service")
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5791b1.exe

Windows security bypass (signature name inferred from the process tree ordering)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575dcf.exe
Executes dropped EXE (4 IoCs)
pid | Process
1808 | e575dcf.exe
3468 | e57611b.exe
2524 | e5791b1.exe
3756 | e5791d0.exe

Windows security modification (signature name inferred from the process tree ordering)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5791b1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5791b1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5791b1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5791b1.exe

Checks whether UAC is enabled (signature name inferred from the process tree ordering)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5791b1.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e575dcf.exe
File opened (read-only) | \??\G: | e575dcf.exe
File opened (read-only) | \??\H: | e575dcf.exe
File opened (read-only) | \??\J: | e575dcf.exe
File opened (read-only) | \??\K: | e575dcf.exe
File opened (read-only) | \??\E: | e5791b1.exe
File opened (read-only) | \??\G: | e5791b1.exe
File opened (read-only) | \??\J: | e5791b1.exe
File opened (read-only) | \??\I: | e575dcf.exe
File opened (read-only) | \??\L: | e575dcf.exe
File opened (read-only) | \??\M: | e575dcf.exe
File opened (read-only) | \??\H: | e5791b1.exe
File opened (read-only) | \??\I: | e5791b1.exe
YARA rule match: upx (header absent from the extracted page; the rule name comes from the yara_rule column)
resource | yara_rule
behavioral2/memory/1808-6-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-10-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-17-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-18-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-26-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-32-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-11-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-9-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-8-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-33-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-36-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-35-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-37-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-39-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-38-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-46-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-60-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-62-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-63-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-64-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-71-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-72-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-75-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1808-79-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2524-101-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/2524-117-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/2524-161-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e575fd3 | e575dcf.exe
File opened for modification | C:\Windows\SYSTEM.INI | e575dcf.exe
File created | C:\Windows\e57b91e | e5791b1.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e575dcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57611b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5791b1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5791d0.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1808 | e575dcf.exe
1808 | e575dcf.exe
1808 | e575dcf.exe
1808 | e575dcf.exe
2524 | e5791b1.exe
2524 | e5791b1.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1808 | e575dcf.exe
(64 entries, all identical to the row above)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2372 wrote to memory of 4992 | 2372 | rundll32.exe | 85
PID 2372 wrote to memory of 4992 | 2372 | rundll32.exe | 85
PID 2372 wrote to memory of 4992 | 2372 | rundll32.exe | 85
PID 4992 wrote to memory of 1808 | 4992 | rundll32.exe | 86
PID 4992 wrote to memory of 1808 | 4992 | rundll32.exe | 86
PID 4992 wrote to memory of 1808 | 4992 | rundll32.exe | 86
PID 1808 wrote to memory of 796 | 1808 | e575dcf.exe | 8
PID 1808 wrote to memory of 804 | 1808 | e575dcf.exe | 9
PID 1808 wrote to memory of 380 | 1808 | e575dcf.exe | 13
PID 1808 wrote to memory of 2396 | 1808 | e575dcf.exe | 42
PID 1808 wrote to memory of 2424 | 1808 | e575dcf.exe | 43
PID 1808 wrote to memory of 2516 | 1808 | e575dcf.exe | 44
PID 1808 wrote to memory of 3516 | 1808 | e575dcf.exe | 56
PID 1808 wrote to memory of 3624 | 1808 | e575dcf.exe | 57
PID 1808 wrote to memory of 3820 | 1808 | e575dcf.exe | 58
PID 1808 wrote to memory of 3908 | 1808 | e575dcf.exe | 59
PID 1808 wrote to memory of 3972 | 1808 | e575dcf.exe | 60
PID 1808 wrote to memory of 4052 | 1808 | e575dcf.exe | 61
PID 1808 wrote to memory of 2588 | 1808 | e575dcf.exe | 62
PID 1808 wrote to memory of 4924 | 1808 | e575dcf.exe | 75
PID 1808 wrote to memory of 2332 | 1808 | e575dcf.exe | 76
PID 1808 wrote to memory of 2060 | 1808 | e575dcf.exe | 77
PID 1808 wrote to memory of 2412 | 1808 | e575dcf.exe | 78
PID 1808 wrote to memory of 2508 | 1808 | e575dcf.exe | 83
PID 1808 wrote to memory of 2372 | 1808 | e575dcf.exe | 84
PID 1808 wrote to memory of 4992 | 1808 | e575dcf.exe | 85
PID 1808 wrote to memory of 4992 | 1808 | e575dcf.exe | 85
PID 4992 wrote to memory of 3468 | 4992 | rundll32.exe | 87
PID 4992 wrote to memory of 3468 | 4992 | rundll32.exe | 87
PID 4992 wrote to memory of 3468 | 4992 | rundll32.exe | 87
PID 1808 wrote to memory of 796 | 1808 | e575dcf.exe | 8
PID 1808 wrote to memory of 804 | 1808 | e575dcf.exe | 9
PID 1808 wrote to memory of 380 | 1808 | e575dcf.exe | 13
PID 1808 wrote to memory of 2396 | 1808 | e575dcf.exe | 42
PID 1808 wrote to memory of 2424 | 1808 | e575dcf.exe | 43
PID 1808 wrote to memory of 2516 | 1808 | e575dcf.exe | 44
PID 1808 wrote to memory of 3516 | 1808 | e575dcf.exe | 56
PID 1808 wrote to memory of 3624 | 1808 | e575dcf.exe | 57
PID 1808 wrote to memory of 3820 | 1808 | e575dcf.exe | 58
PID 1808 wrote to memory of 3908 | 1808 | e575dcf.exe | 59
PID 1808 wrote to memory of 3972 | 1808 | e575dcf.exe | 60
PID 1808 wrote to memory of 4052 | 1808 | e575dcf.exe | 61
PID 1808 wrote to memory of 2588 | 1808 | e575dcf.exe | 62
PID 1808 wrote to memory of 4924 | 1808 | e575dcf.exe | 75
PID 1808 wrote to memory of 2332 | 1808 | e575dcf.exe | 76
PID 1808 wrote to memory of 2060 | 1808 | e575dcf.exe | 77
PID 1808 wrote to memory of 2412 | 1808 | e575dcf.exe | 78
PID 1808 wrote to memory of 2508 | 1808 | e575dcf.exe | 83
PID 1808 wrote to memory of 2372 | 1808 | e575dcf.exe | 84
PID 1808 wrote to memory of 3468 | 1808 | e575dcf.exe | 87
PID 1808 wrote to memory of 3468 | 1808 | e575dcf.exe | 87
PID 4992 wrote to memory of 2524 | 4992 | rundll32.exe | 88
PID 4992 wrote to memory of 2524 | 4992 | rundll32.exe | 88
PID 4992 wrote to memory of 2524 | 4992 | rundll32.exe | 88
PID 4992 wrote to memory of 3756 | 4992 | rundll32.exe | 89
PID 4992 wrote to memory of 3756 | 4992 | rundll32.exe | 89
PID 4992 wrote to memory of 3756 | 4992 | rundll32.exe | 89
PID 2524 wrote to memory of 796 | 2524 | e5791b1.exe | 8
PID 2524 wrote to memory of 804 | 2524 | e5791b1.exe | 9
PID 2524 wrote to memory of 380 | 2524 | e5791b1.exe | 13
PID 2524 wrote to memory of 2396 | 2524 | e5791b1.exe | 42
PID 2524 wrote to memory of 2424 | 2524 | e5791b1.exe | 43
PID 2524 wrote to memory of 2516 | 2524 | e5791b1.exe | 44
PID 2524 wrote to memory of 3516 | 2524 | e5791b1.exe | 56
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575dcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5791b1.exe
Processes
(each entry: image path | command line | tree depth | PID, with triggered signatures listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:796

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:804

C:\Windows\system32\dwm.exe | "dwm.exe" | depth 1 | PID:380

C:\Windows\system32\sihost.exe | sihost.exe | depth 1 | PID:2396

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | depth 1 | PID:2424

C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | depth 1 | PID:2516

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | depth 1 | PID:3516

  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e30df87007d64287ca3a275f2688568987aef6300dc551d9646c7a541278880a.dll,#1 | depth 2 | PID:2372
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e30df87007d64287ca3a275f2688568987aef6300dc551d9646c7a541278880a.dll,#1 | depth 3 | PID:4992
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\e575dcf.exe | C:\Users\Admin\AppData\Local\Temp\e575dcf.exe | depth 4 | PID:1808
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Users\Admin\AppData\Local\Temp\e57611b.exe | C:\Users\Admin\AppData\Local\Temp\e57611b.exe | depth 4 | PID:3468
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Local\Temp\e5791b1.exe | C:\Users\Admin\AppData\Local\Temp\e5791b1.exe | depth 4 | PID:2524
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Users\Admin\AppData\Local\Temp\e5791d0.exe | C:\Users\Admin\AppData\Local\Temp\e5791d0.exe | depth 4 | PID:3756
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | depth 1 | PID:3624

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID:3820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | depth 1 | PID:3908

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | depth 1 | PID:4052

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:2588

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | depth 1 | PID:4924

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:2332

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:2060

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:2412

C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID:2508
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: c2f4e66e6d5e831cacdde844a565e88a
SHA1: c6fe5ff52c2ff7a68f4c756a39ab8ee23d541ef4
SHA256: 73c45ddb71d88a96b1b921169184b4e6d135ebf5bf5bac4c0f27e90212650d82
SHA512: 2870ab7a02757bf10743c29bb89652aab925509bc11e4b82e349ecbdc33c1a4eabcc96d89e695837889bf2f8aa706c2e2733f565a2005b4ba3cf6f51e6a4e4a2

Filesize: 257B
MD5: 9ce61ed88100dd73aed8edfbf3fafc53
SHA1: b1cfa039ab160644e8dba369012825d997692ed8
SHA256: b7601ca5c2f92099bac562c7a5a4427519ae9b787a9287ccd21537ca7d74e445
SHA512: 068f1c1cae90365a6007e09a7016016992fac8d778b7f9e34272cd8aa99fa9eb10949338f69671f2c6479edb34e4844357f3bb461c3cd03928fa500f8fd32993