Analysis

max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 05:00

Static task: static1
Behavioral task: behavioral1
Sample: cb370f9859087a218ad0325120e8a7bf4fbc178041a0b84f2ea34ea92ef7fda0.dll
Resource: win7-20240903-en
General

Target: cb370f9859087a218ad0325120e8a7bf4fbc178041a0b84f2ea34ea92ef7fda0.dll
Size: 120KB
MD5: 035358a6066e22b842f07e71f9f78467
SHA1: a0b764758534a4040de67a990603c55f1c13fc44
SHA256: cb370f9859087a218ad0325120e8a7bf4fbc178041a0b84f2ea34ea92ef7fda0
SHA512: 5eab041dca35ba014b003c113495ad7c0bd971f48535e4d44bcfd11ddc791131027b7ca0930f2240484696ec49ebaa4cec89374263ad8130175cc1f7241fec1c
SSDEEP: 1536:oumhzdYs6OaIdVToI5l4OfA5ErhL8r6fRPFt1UAd/HZaBPNlAzxc0oK7ZzqDJxoZ:otNaIduO45Elm6fj9ClASAFu0Z
Malware Config

Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
All six writes land under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ (the Windows Firewall standard profile), and both dropped payloads make the same three changes: turn the firewall off, allow exceptions, and silence the notification that would tell the user.

  Description      IoC (value under the key above)   Process
  Set value (int)  DisableNotifications = "1"        e5782dc.exe
  Set value (int)  EnableFirewall = "0"              e579e53.exe
  Set value (int)  DoNotAllowExceptions = "0"        e579e53.exe
  Set value (int)  DisableNotifications = "1"        e579e53.exe
  Set value (int)  EnableFirewall = "0"              e5782dc.exe
  Set value (int)  DoNotAllowExceptions = "0"        e5782dc.exe

Sality family
Sality is a long-lived file-infecting virus family; the behaviours in this run (disabling the firewall and Security Center, opening existing executables for modification, injecting into every process in the session) are typical of it.

UAC bypass (2 IoCs)
The sandbox labels the EnableLUA write a UAC bypass. In effect it switches UAC off for the whole machine, the change only takes effect after a reboot, and writing this key already requires an elevated process.

  Description      IoC                                                                                          Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5782dc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579e53.exe

Windows security bypass (12 IoCs)
All twelve writes are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\. The WOW6432Node component means they came through the 32-bit registry view, consistent with the payloads being started by the SysWOW64 rundll32.exe in the process tree. Each payload sets the same six values to "1": AntiVirusOverride, FirewallOverride, AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify, UacDisableNotify.

  Description      IoC (value under the key above)   Process
  Set value (int)  UpdatesDisableNotify = "1"        e5782dc.exe
  Set value (int)  UacDisableNotify = "1"            e5782dc.exe
  Set value (int)  AntiVirusOverride = "1"           e579e53.exe
  Set value (int)  FirewallOverride = "1"            e579e53.exe
  Set value (int)  UacDisableNotify = "1"            e579e53.exe
  Set value (int)  FirewallDisableNotify = "1"       e5782dc.exe
  Set value (int)  AntiVirusDisableNotify = "1"      e5782dc.exe
  Set value (int)  FirewallOverride = "1"            e5782dc.exe
  Set value (int)  AntiVirusDisableNotify = "1"      e579e53.exe
  Set value (int)  FirewallDisableNotify = "1"       e579e53.exe
  Set value (int)  UpdatesDisableNotify = "1"        e579e53.exe
  Set value (int)  AntiVirusOverride = "1"           e5782dc.exe
Executes dropped EXE (3 IoCs)

  PID   Process
  5084  e5782dc.exe
  2828  e5783d6.exe
  4120  e579e53.exe

Windows security modification (14 IoCs)
The same \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ values as above, plus the creation of its Svc subkey by each payload:

  Description      IoC (under the Security Center key)   Process
  Set value (int)  AntiVirusOverride = "1"               e5782dc.exe
  Set value (int)  UpdatesDisableNotify = "1"            e5782dc.exe
  Set value (int)  AntiVirusOverride = "1"               e579e53.exe
  Set value (int)  FirewallDisableNotify = "1"           e579e53.exe
  Key created      Svc                                   e579e53.exe
  Set value (int)  FirewallDisableNotify = "1"           e5782dc.exe
  Key created      Svc                                   e5782dc.exe
  Set value (int)  FirewallOverride = "1"                e579e53.exe
  Set value (int)  AntiVirusDisableNotify = "1"          e5782dc.exe
  Set value (int)  FirewallOverride = "1"                e5782dc.exe
  Set value (int)  UacDisableNotify = "1"                e5782dc.exe
  Set value (int)  AntiVirusDisableNotify = "1"          e579e53.exe
  Set value (int)  UpdatesDisableNotify = "1"            e579e53.exe
  Set value (int)  UacDisableNotify = "1"                e579e53.exe

Checks whether UAC is enabled (2 IoCs)
This signature fires on the same two EnableLUA writes that appear twice more in this section; it is one registry action counted under three signature names, not three separate behaviours.

  Description      IoC                                                                                          Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5782dc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579e53.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. e5782dc.exe opens every drive letter from E: to S: except F:, and e579e53.exe opens E:; for a file infector this is the sweep for further volumes (including removable ones) to spread to.

  Description              IoC     Process
  File opened (read-only)  \??\N:  e5782dc.exe
  File opened (read-only)  \??\O:  e5782dc.exe
  File opened (read-only)  \??\E:  e579e53.exe
  File opened (read-only)  \??\P:  e5782dc.exe
  File opened (read-only)  \??\I:  e5782dc.exe
  File opened (read-only)  \??\K:  e5782dc.exe
  File opened (read-only)  \??\L:  e5782dc.exe
  File opened (read-only)  \??\Q:  e5782dc.exe
  File opened (read-only)  \??\S:  e5782dc.exe
  File opened (read-only)  \??\E:  e5782dc.exe
  File opened (read-only)  \??\H:  e5782dc.exe
  File opened (read-only)  \??\M:  e5782dc.exe
  File opened (read-only)  \??\G:  e5782dc.exe
  File opened (read-only)  \??\J:  e5782dc.exe
  File opened (read-only)  \??\R:  e5782dc.exe
Yara rule match: upx (34 IoCs)
Every hit is the same rule, upx, against in-memory dumps of the two payloads. The region dumped from e5782dc.exe (PID 5084) and the region dumped from e579e53.exe (PID 4120) are both 0x10BA000 bytes long, consistent with the same image being unpacked in both processes. A UPX marker in memory is a weak signal on its own (plenty of legitimate software is UPX-packed); it carries weight here only together with the behaviour above and below.

  Resource                                                                       Yara rule
  behavioral2/memory/5084-N-0x00000000007A0000-0x000000000185A000-memory.dmp     upx
    for N in 6, 8, 9, 10, 11, 12, 13, 21, 22, 23, 24, 36, 37, 38, 39, 40, 42, 43, 52, 53, 55, 65, 66, 69, 71, 74, 75, 78, 79, 86, 87, 93 (32 dumps of e5782dc.exe)
  behavioral2/memory/4120-N-0x0000000000B30000-0x0000000001BEA000-memory.dmp     upx
    for N in 132, 157 (2 dumps of e579e53.exe)
Drops file in Program Files directory (4 IoCs)
The four 7-Zip executables are opened for modification, not created. For a file infector this is consistent with existing executables being infected in place, so these binaries should be treated as tampered until their hashes are checked against a clean install.

  Description                   IoC                                   Process
  File opened for modification  C:\Program Files\7-Zip\7z.exe         e5782dc.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe       e5782dc.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe        e5782dc.exe
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  e5782dc.exe

Drops file in Windows directory (3 IoCs)

  Description                   IoC                    Process
  File created                  C:\Windows\e57833a     e5782dc.exe
  File opened for modification  C:\Windows\SYSTEM.INI  e5782dc.exe
  File created                  C:\Windows\e57d34e     e579e53.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. This key is also read during ordinary locale initialisation (the benign rundll32.exe stage reads it too), so on its own it is a low-confidence indicator.

  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e579e53.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5782dc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5783d6.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

  PID   Process      Occurrences
  5084  e5782dc.exe  4
  4120  e579e53.exe  2

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Every entry is e5782dc.exe enabling SeDebugPrivilege, which is the privilege it needs to open the other session processes that it then writes into (see WriteProcessMemory below).

  Description              PID   Process      Occurrences
  Token: SeDebugPrivilege  5084  e5782dc.exe  64
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 rows collapse to the edges below (target image names taken from the Processes section). Writes from a rundll32.exe into a process it is itself starting are what CreateProcess does and are expected. The writes from e5782dc.exe and e579e53.exe into fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE and the other session processes, none of which they spawned, are cross-process injection; both payloads also write back into the rundll32.exe processes that launched them and into each other.

  Writer PID  Writer process  Target PID  Target process               procid_target  Rows
  4736        rundll32.exe    4860        rundll32.exe (SysWOW64)      83             3
  4860        rundll32.exe    5084        e5782dc.exe                  84             3
  4860        rundll32.exe    2828        e5783d6.exe                  85             3
  4860        rundll32.exe    4120        e579e53.exe                  87             3
  5084        e5782dc.exe     768         fontdrvhost.exe              8              2
  5084        e5782dc.exe     776         fontdrvhost.exe              9              2
  5084        e5782dc.exe     380         dwm.exe                      13             2
  5084        e5782dc.exe     2968        sihost.exe                   50             2
  5084        e5782dc.exe     3012        svchost.exe (CDPUserSvc)     51             2
  5084        e5782dc.exe     2156        taskhostw.exe                52             2
  5084        e5782dc.exe     3436        Explorer.EXE                 56             2
  5084        e5782dc.exe     3568        svchost.exe (cbdhsvc)        57             2
  5084        e5782dc.exe     3732        DllHost.exe                  58             2
  5084        e5782dc.exe     3880        StartMenuExperienceHost.exe  59             2
  5084        e5782dc.exe     3956        RuntimeBroker.exe            60             2
  5084        e5782dc.exe     4044        SearchApp.exe                61             2
  5084        e5782dc.exe     3840        RuntimeBroker.exe            62             2
  5084        e5782dc.exe     1656        TextInputHost.exe            74             2
  5084        e5782dc.exe     2780        RuntimeBroker.exe            76             2
  5084        e5782dc.exe     5004        backgroundTaskHost.exe       81             1
  5084        e5782dc.exe     4736        rundll32.exe (system32)      82             1
  5084        e5782dc.exe     4860        rundll32.exe (SysWOW64)      83             2
  5084        e5782dc.exe     2828        e5783d6.exe                  85             2
  5084        e5782dc.exe     4120        e579e53.exe                  87             2
  4120        e579e53.exe     768         fontdrvhost.exe              8              1
  4120        e579e53.exe     776         fontdrvhost.exe              9              1
  4120        e579e53.exe     380         dwm.exe                      13             1
  4120        e579e53.exe     2968        sihost.exe                   50             1
  4120        e579e53.exe     3012        svchost.exe (CDPUserSvc)     51             1
  4120        e579e53.exe     2156        taskhostw.exe                52             1
  4120        e579e53.exe     3436        Explorer.EXE                 56             1
  4120        e579e53.exe     3568        svchost.exe (cbdhsvc)        57             1
  4120        e579e53.exe     3732        DllHost.exe                  58             1
  4120        e579e53.exe     3880        StartMenuExperienceHost.exe  59             1
  4120        e579e53.exe     3956        RuntimeBroker.exe            60             1
  4120        e579e53.exe     4044        SearchApp.exe                61             1
  4120        e579e53.exe     3840        RuntimeBroker.exe            62             1
  4120        e579e53.exe     1656        TextInputHost.exe            74             1
System policy modification (1 TTP, 2 IoCs)

  Description      IoC                                                                                          Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5782dc.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579e53.exe
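The registry writes listed in this section are the whole basis for the firewall, UAC and Security Center signatures, and the same handful of keys is what a host-side detection would watch. The Python below is an added example, not part of this report or of the sandbox's own signature set: it turns rows of the report's shape into a detection by normalising the several spellings of an HKLM key (\REGISTRY\MACHINE versus HKLM, ControlSet001 versus CurrentControlSet, with or without WOW6432Node, so that writes from the 32-bit payloads match the same rule as native ones) and matching value writes against the tampering values seen here. The sample rows are constructed from this report plus one benign control row; the indicator labels and the svchost.exe attribution of the control row are the example's own.

```python
"""Match registry-write rows against the defence-tampering values seen in this report.

Added example; not from the sandbox report or its signature set. Input rows are
constructed in the shape of the report's Set value rows. Feeding Sysmon Event ID 13
(RegistryEvent: SetValue) would need a small adapter for its TargetObject/Details
fields; that adapter is not shown here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryWrite:
    key: str      # normalised key path, e.g. HKLM\SOFTWARE\Microsoft\Security Center
    name: str     # value name
    data: str     # value data as written in the row
    process: str  # image name of the writing process


_FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_POLICIES = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
_SECCENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"

# (key, value name, data) -> label. The labels are this example's own wording.
TAMPER_INDICATORS = {
    (_FIREWALL, "EnableFirewall", "0"): "Windows Firewall disabled (standard profile)",
    (_FIREWALL, "DoNotAllowExceptions", "0"): "firewall exceptions allowed",
    (_FIREWALL, "DisableNotifications", "1"): "firewall notifications suppressed",
    (_POLICIES, "EnableLUA", "0"): "UAC disabled (effective after reboot)",
    (_SECCENTER, "AntiVirusOverride", "1"): "Security Center AV status overridden",
    (_SECCENTER, "FirewallOverride", "1"): "Security Center firewall status overridden",
    (_SECCENTER, "AntiVirusDisableNotify", "1"): "Security Center AV alerts suppressed",
    (_SECCENTER, "FirewallDisableNotify", "1"): "Security Center firewall alerts suppressed",
    (_SECCENTER, "UpdatesDisableNotify", "1"): "Security Center update alerts suppressed",
    (_SECCENTER, "UacDisableNotify", "1"): "Security Center UAC alerts suppressed",
}
# Registry paths and value names are case-insensitive; index on lower-cased forms.
_INDEX = {(k.lower(), n.lower(), d): label for (k, n, d), label in TAMPER_INDICATORS.items()}


def normalize_key(key: str) -> str:
    """Fold the spellings of one HKLM key onto a single form.

    \\REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE become HKLM; ControlSet00N becomes
    CurrentControlSet (assumption: the numbered set in the event is the active one, as in
    this sandbox run); a WOW6432Node component is dropped so writes from 32-bit processes
    (the payloads here ran under SysWOW64\\rundll32.exe) hit the same rule as native ones.
    """
    k = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    k = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", k, flags=re.I)
    k = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", k, flags=re.I)
    k = re.sub(r"\\WOW6432Node(?=\\)", "", k, flags=re.I)
    return k.rstrip("\\")


_ROW = re.compile(r'^Set value \(\w+\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<process>\S+)$')


def parse_report_row(row: str) -> RegistryWrite:
    """Parse one 'Set value (int) <key>\\<name> = "<data>" <process>' row."""
    m = _ROW.match(row.strip())
    if not m:
        raise ValueError(f"not a Set value row: {row!r}")
    key, _, name = m["path"].rpartition("\\")
    return RegistryWrite(normalize_key(key), name, m["data"], m["process"])


def match_indicators(writes) -> dict:
    """Return {process: sorted indicator labels} for writes that hit an indicator."""
    hits: dict = {}
    for w in writes:
        label = _INDEX.get((w.key.lower(), w.name.lower(), w.data))
        if label:
            hits.setdefault(w.process, set()).add(label)
    return {p: sorted(labels) for p, labels in hits.items()}


# Constructed sample: five rows copied from this report plus one benign control row
# (a write that turns the firewall on, attributed to a made-up svchost.exe).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e579e53.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e5782dc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5782dc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579e53.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5782dc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe',
]


def scan_rows(rows=SAMPLE_ROWS) -> dict:
    """Parse and match a list of rows; returns {process: [labels]}."""
    return match_indicators(parse_report_row(r) for r in rows)


if __name__ == "__main__":
    for process, labels in scan_rows().items():
        print(process)
        for label in labels:
            print("  -", label)
```

The control row shows why the match is on (key, name, data) and not on the key alone: EnableFirewall = "1" under the same key is a legitimate write and produces no finding. The ControlSet folding is the one assumption a deployment should revisit, since a write to a non-active control set is a different (and rarer) event.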
Processes

Indentation shows parent and child. The unindented entries are pre-existing processes of the user session that the two payloads wrote into (see WriteProcessMemory above); the sample's own chain starts at the rundll32.exe launched from Explorer.EXE. Because the DLL is 32-bit (tag arch:x86), the 64-bit C:\Windows\system32\rundll32.exe re-launches the same command line under C:\Windows\SysWOW64\rundll32.exe, and it is that second rundll32.exe that starts the three dropped executables.

C:\Windows\system32\fontdrvhost.exe  [PID 768]  cmdline: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe  [PID 776]  cmdline: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe  [PID 380]  cmdline: "dwm.exe"
C:\Windows\system32\sihost.exe  [PID 2968]  cmdline: sihost.exe
C:\Windows\system32\svchost.exe  [PID 3012]  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe  [PID 2156]  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE  [PID 3436]  cmdline: C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe  [PID 4736]  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb370f9859087a218ad0325120e8a7bf4fbc178041a0b84f2ea34ea92ef7fda0.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  [PID 4860]  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb370f9859087a218ad0325120e8a7bf4fbc178041a0b84f2ea34ea92ef7fda0.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e5782dc.exe  [PID 5084]  cmdline: C:\Users\Admin\AppData\Local\Temp\e5782dc.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5783d6.exe  [PID 2828]  cmdline: C:\Users\Admin\AppData\Local\Temp\e5783d6.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e579e53.exe  [PID 4120]  cmdline: C:\Users\Admin\AppData\Local\Temp\e579e53.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe  [PID 3568]  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe  [PID 3732]  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  [PID 3880]  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe  [PID 3956]  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  [PID 4044]  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe  [PID 3840]  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  [PID 1656]  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe  [PID 2780]  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe  [PID 5004]  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
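The WriteProcessMemory rows and the process tree are only meaningful together: a write into a process the writer is starting is routine, a write into a process the writer did not start is injection. The Python below is an added example, not part of this report: it reads rows of the report's "PID X wrote to memory of Y" shape, looks each target's parent up in a table built from the tree above (Explorer.EXE as parent of the first rundll32.exe, the SysWOW64 rundll32.exe as parent of the three dropped executables, the rest with no recorded parent), and keeps only the writes whose target is not a direct child of the writer. The process table and the row subset are constructed from this report; the deduplication of repeated rows and the two-bucket classification are the example's own.

```python
"""Separate parent-to-child memory writes from cross-process injection.

Added example; not from the sandbox report. It pairs the report's
"PID X wrote to memory of Y ..." rows with the parent/child relations read off the
Processes tree and keeps the writes whose target the writer did not spawn.
"""
import re
from collections import defaultdict

# pid -> (image name, parent pid). Constructed from the Processes section; parents come
# from the tree indentation, and top-level session processes have no recorded parent.
PROCESSES = {
    768: ("fontdrvhost.exe", None), 776: ("fontdrvhost.exe", None), 380: ("dwm.exe", None),
    2968: ("sihost.exe", None), 3012: ("svchost.exe", None), 2156: ("taskhostw.exe", None),
    3436: ("Explorer.EXE", None), 4736: ("rundll32.exe", 3436), 4860: ("rundll32.exe", 4736),
    5084: ("e5782dc.exe", 4860), 2828: ("e5783d6.exe", 4860), 4120: ("e579e53.exe", 4860),
    3568: ("svchost.exe", None), 3732: ("DllHost.exe", None),
    3880: ("StartMenuExperienceHost.exe", None), 3956: ("RuntimeBroker.exe", None),
    4044: ("SearchApp.exe", None), 3840: ("RuntimeBroker.exe", None),
    1656: ("TextInputHost.exe", None), 2780: ("RuntimeBroker.exe", None),
    5004: ("backgroundTaskHost.exe", None),
}

# Row shape: "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
WRITE_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)$"
)

# Constructed subset of the report's 64 rows, including one of its repeated rows.
SAMPLE_WRITES = [
    "PID 4736 wrote to memory of 4860 4736 rundll32.exe 83",
    "PID 4860 wrote to memory of 5084 4860 rundll32.exe 84",
    "PID 4860 wrote to memory of 2828 4860 rundll32.exe 85",
    "PID 4860 wrote to memory of 4120 4860 rundll32.exe 87",
    "PID 5084 wrote to memory of 768 5084 e5782dc.exe 8",
    "PID 5084 wrote to memory of 768 5084 e5782dc.exe 8",
    "PID 5084 wrote to memory of 3436 5084 e5782dc.exe 56",
    "PID 5084 wrote to memory of 4736 5084 e5782dc.exe 82",
    "PID 5084 wrote to memory of 4860 5084 e5782dc.exe 83",
    "PID 5084 wrote to memory of 2828 5084 e5782dc.exe 85",
    "PID 4120 wrote to memory of 380 4120 e579e53.exe 13",
    "PID 4120 wrote to memory of 3436 4120 e579e53.exe 56",
]


def parse_writes(rows):
    """Yield unique (writer_pid, target_pid) pairs; the report lists one row per write call."""
    seen = set()
    for row in rows:
        m = WRITE_ROW.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        pair = (int(m["src"]), int(m["dst"]))
        if pair not in seen:
            seen.add(pair)
            yield pair


def classify_writes(rows, processes=PROCESSES):
    """Return {writer_pid: {"children": [pids], "injected": [pids]}}, lists sorted.

    Writing into a process the writer itself is starting is what CreateProcess does, so
    those targets go to "children". Any other target (an unrelated session process, a
    sibling, or the writer's own launcher) goes to "injected".
    """
    out = defaultdict(lambda: {"children": [], "injected": []})
    for src, dst in parse_writes(rows):
        parent = processes.get(dst, (None, None))[1]
        out[src]["children" if parent == src else "injected"].append(dst)
    return {pid: {k: sorted(v) for k, v in buckets.items()} for pid, buckets in out.items()}


def injection_edges(rows, processes=PROCESSES):
    """Sorted (writer image, target image, target pid) for every injection write."""
    edges = []
    for src, buckets in classify_writes(rows, processes).items():
        for dst in buckets["injected"]:
            edges.append((processes[src][0], processes.get(dst, ("<unknown>", None))[0], dst))
    return sorted(edges)


if __name__ == "__main__":
    for writer, target, pid in injection_edges(SAMPLE_WRITES):
        print(f"{writer} -> {target} (PID {pid})")
```

On the subset, the two rundll32.exe stages end up with only children and no injections, while e5782dc.exe and e579e53.exe end up with only injections, including the writes back into their own launcher and into their sibling. Run over all 64 rows of the report the same split holds, with e5782dc.exe injecting into 20 distinct processes and e579e53.exe into 14.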
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

File 1
  Filesize: 97KB
  MD5: fb59f77b551665ba08d7daa1e7977acd
  SHA1: 2dc7df1b6815ae64b4593dff25e7310519b3c908
  SHA256: e015e28f4ba52bc9e146806476573cb3334cab1b9614146c274cb1ab0b557432
  SHA512: 198e3d25363a786fc17aae6292ac4ef79085eff7416ced7622a2e9c1bdf9a203802a6b4a5afe6f595590103637fe70f12688322346993a1fcfec32163c1fb7ce

File 2
  Filesize: 257B
  MD5: 11973da5bcfd1b1b144d38a489cfe01a
  SHA1: b4e6d49749dec00f618c7b52723f67de085245dc
  SHA256: 97391d2baaff771f02a54555cc9f0337083e15340384110500a3cb77a58cf753
  SHA512: bd63e4863accc3c877af6af935b6ca681c8d407afc290384c39d1d6d3418467e3aa263e983857f905824da674b6d2448298eb4adf0d3fdfcdfa6135e401fbd5c