Analysis

max time kernel: 91s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 11:54

Static task: static1
Behavioral task: behavioral1
Sample: 4f4d4ca3c033589b86b27c8d02586000886e3ce487d1ef454d01220635fb13a9N.dll
Resource: win7-20240729-en
General

Target: 4f4d4ca3c033589b86b27c8d02586000886e3ce487d1ef454d01220635fb13a9N.dll
Size: 120KB
MD5: b09ca1c724e23ea11c1e6bec53031fc0
SHA1: 6a99bc479dc3447c295db0637608e508806d73b1
SHA256: 4f4d4ca3c033589b86b27c8d02586000886e3ce487d1ef454d01220635fb13a9
SHA512: fb285f062ec926d377c952c0e060fe5d48ea59eb987a483486d835f82df6cfba4a6c63c00e3213c89f95d11df6b715c8922cd220653eabaf1d1b82ad88d58aae
SSDEEP: 1536:zW33nb2aQNX9T0QQwVz1AxNaRAW13spw8wCcDhr67MXmB8T2:zWnnblEtptVKRW1spw8x6h2T82
Malware Config

Extracted family: sality
Extracted URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Each of e578656.exe, e578944.exe and e57bb61.exe sets (int) the following values under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
  EnableFirewall = "0"
  DisableNotifications = "1"
  DoNotAllowExceptions = "0"
Sality family

UAC bypass (3 IoCs)
Each of e578656.exe, e578944.exe and e57bb61.exe sets (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass (18 IoCs)
Each of e578656.exe, e578944.exe and e57bb61.exe sets (int) the following values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
  AntiVirusOverride = "1"
  AntiVirusDisableNotify = "1"
  FirewallOverride = "1"
  FirewallDisableNotify = "1"
  UpdatesDisableNotify = "1"
  UacDisableNotify = "1"
Executes dropped EXE (4 IoCs)
  PID 4368  e578656.exe
  PID 960   e578944.exe
  PID 3600  e57bb12.exe
  PID 4556  e57bb61.exe
Windows security modification (21 IoCs)
Each of e578656.exe, e578944.exe and e57bb61.exe creates the key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc and sets (int) the following values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
  AntiVirusOverride = "1"
  AntiVirusDisableNotify = "1"
  FirewallOverride = "1"
  FirewallDisableNotify = "1"
  UpdatesDisableNotify = "1"
  UacDisableNotify = "1"
Checks whether UAC is enabled (3 IoCs)
Each of e578656.exe, e578944.exe and e57bb61.exe sets (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
e578656.exe opens (read-only): \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:
UPX-packed code in memory (yara rule: upx, 32 matches)
  PID 4368 (e578656.exe), region 0x0000000000770000-0x000000000182A000: behavioral2/memory/4368-N-0x0000000000770000-0x000000000182A000-memory.dmp for N in 6, 8, 9, 10, 11, 17, 18, 19, 20, 21, 22, 37, 38, 39, 40, 41, 47, 49, 65, 66, 68, 69, 70, 76, 77, 84
  PID 960 (e578944.exe), region 0x0000000000B50000-0x0000000001C0A000: behavioral2/memory/960-N-0x0000000000B50000-0x0000000001C0A000-memory.dmp for N in 103, 106, 107, 108, 111, 136
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\e5786a5  e578656.exe
  File opened for modification: C:\Windows\SYSTEM.INI  e578656.exe
  File created: C:\Windows\e57d87e  e578944.exe
  File created: C:\Windows\e5800c6  e57bb61.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe, e578656.exe, e578944.exe, e57bb12.exe and e57bb61.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 4368  e578656.exe  (4 occurrences)
  PID 960   e578944.exe  (2 occurrences)
  PID 4556  e57bb61.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  PID 4368  e578656.exe  (64 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Source PID (image) -> target PID (procid_target), in report order:
  1712 (rundll32.exe) -> 2700 (83) x3
  2700 (rundll32.exe) -> 4368 (84) x3
  4368 (e578656.exe)  -> 784 (8), 792 (9), 60 (13), 2896 (49), 2928 (50), 1088 (52), 3476 (56), 3652 (57), 3840 (58), 3932 (59), 4004 (60), 2684 (61), 4204 (62), 2340 (75), 3872 (76), 3584 (81), 1712 (82), 2700 (83) x2
  2700 (rundll32.exe) -> 960 (85) x3
  4368 (e578656.exe)  -> the same 17 targets 784 (8) through 1712 (82) again, then 960 (85) x2
  2700 (rundll32.exe) -> 3600 (87) x3, 4556 (88) x3
  960 (e578944.exe)   -> 784 (8), 792 (9), 60 (13), 2896 (49), 2928 (50), 1088 (52), 3476 (56), 3652 (57), 3840 (58), 3932 (59), 4004 (60)  (list cut off at the 64-IoC cap)
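The two signature entries above for e578656.exe (PID 4368) and e578944.exe (PID 960) show them writing into nearly every process in the session, including fontdrvhost.exe, dwm.exe and Explorer.EXE, whereas both rundll32.exe instances only ever write into the processes they themselves spawn. The Python script below is an added example, not part of the sandbox report or of the sample; it parses rows in this signature's own layout, separates writes into a process's own children (normal during process creation) from writes into unrelated processes, and ranks sources by distinct foreign targets. The parent-child map and the PID-to-image map are copied from the process tree further down, the sample rows are a constructed subset of the rows above, and the threshold of three distinct foreign targets is an assumption chosen for illustration rather than a value from the report.

```python
"""Rank processes by cross-process memory-write fan-out.

Added example (not part of the sandbox report). Parses rows in the report's
'PID <src> wrote to memory of <dst> <src> <image> <procid_target>' layout and
separates writes into a process's own children (expected when a parent sets up
a child it just created) from writes into unrelated processes (injection
candidates).
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$"
)

# Parent -> children, taken from the report's process tree.
CHILDREN = {1712: {2700}, 2700: {4368, 960, 3600, 4556}}

# PID -> image name, taken from the report's process tree.
IMAGE = {784: "fontdrvhost.exe", 792: "fontdrvhost.exe", 60: "dwm.exe",
         3476: "Explorer.EXE", 1712: "rundll32.exe", 2700: "rundll32.exe",
         4368: "e578656.exe", 960: "e578944.exe"}

# Threshold is an assumption for illustration, not a value from the report.
DEFAULT_THRESHOLD = 3


def parse_rows(lines):
    """Yield (src_pid, dst_pid, src_image) for each well-formed row; the
    trailing procid_target column is parsed but not needed here."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["image"]


def fan_out(lines, children=CHILDREN):
    """src_pid -> {'image', 'own': child targets, 'foreign': other targets}.
    Duplicate rows (the sandbox logs several writes per target) collapse to one."""
    targets = defaultdict(set)
    image = {}
    for src, dst, img in parse_rows(lines):
        targets[src].add(dst)
        image[src] = img
    report = {}
    for src, dsts in targets.items():
        kids = children.get(src, set())
        report[src] = {
            "image": image[src],
            "own": sorted(d for d in dsts if d in kids),
            "foreign": sorted(d for d in dsts if d not in kids),
        }
    return report


def injectors(report, threshold=DEFAULT_THRESHOLD):
    """PIDs that wrote into at least `threshold` distinct non-child processes."""
    return sorted(p for p, r in report.items() if len(r["foreign"]) >= threshold)


def describe(report, pid, image=IMAGE):
    """Human-readable list of a source's foreign targets with image names."""
    return [f"{d} ({image.get(d, '?')})" for d in report[pid]["foreign"]]


# Constructed subset of the report's rows, plus one malformed line.
SAMPLE_ROWS = [
    "PID 1712 wrote to memory of 2700 1712 rundll32.exe 83",
    "PID 1712 wrote to memory of 2700 1712 rundll32.exe 83",
    "PID 2700 wrote to memory of 4368 2700 rundll32.exe 84",
    "PID 2700 wrote to memory of 960 2700 rundll32.exe 85",
    "PID 4368 wrote to memory of 784 4368 e578656.exe 8",
    "PID 4368 wrote to memory of 792 4368 e578656.exe 9",
    "PID 4368 wrote to memory of 60 4368 e578656.exe 13",
    "PID 4368 wrote to memory of 3476 4368 e578656.exe 56",
    "PID 4368 wrote to memory of 1712 4368 e578656.exe 82",
    "PID 4368 wrote to memory of 2700 4368 e578656.exe 83",
    "PID 4368 wrote to memory of 960 4368 e578656.exe 85",
    "PID 960 wrote to memory of 784 960 e578944.exe 8",
    "PID 960 wrote to memory of 792 960 e578944.exe 9",
    "PID 960 wrote to memory of 3476 960 e578944.exe 56",
    "description pid Process procid_target",  # header residue, ignored
]

if __name__ == "__main__":
    rep = fan_out(SAMPLE_ROWS)
    for pid in injectors(rep):
        print(pid, rep[pid]["image"], "->", ", ".join(describe(rep, pid)))
```

The own/foreign split is what keeps rundll32.exe out of the result: PID 2700 writes into four processes, but all four are children it just launched, while PID 4368 writes into its own ancestors (1712, 2700) and sibling (960) as well as unrelated system processes.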
System policy modification (1 TTP, 3 IoCs)
Each of e578656.exe, e578944.exe and e57bb61.exe sets (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
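The three droppers flip the same set of registry values in lockstep: the StandardProfile firewall settings, EnableLUA, and the Security Center override and notification flags. The Python script below is an added example, not part of the sandbox report or of the sample; it parses Set value rows in the report's own layout, folds the WOW6432Node view into the native path so the 32-bit writes match the same rule as 64-bit ones, and flags only writes whose value actually weakens a control. The sample rows are constructed from the IoCs above plus one hypothetical benign write, and the ATT&CK sub-technique names are the ones the report's ATT&CK matrix uses. DoNotAllowExceptions = "0" is deliberately not flagged even though the droppers write it, because "0" (exceptions allowed) is the Windows default for that value; a rule that keyed on the value name alone would over-report.

```python
"""Flag defence-weakening registry writes in sandbox 'Set value' rows.

Added example (not part of the sandbox report). The sample rows below are
constructed from the IoCs in the report; ATT&CK labels follow its matrix.
"""
import re
from collections import defaultdict

# (parent-key suffix, value name, written value) -> ATT&CK sub-technique.
# Only writes that weaken a control are listed. DoNotAllowExceptions = "0" is
# the Windows default (exceptions allowed), so it is intentionally absent.
TAMPER_RULES = {
    ("firewallpolicy\\standardprofile", "enablefirewall", "0"):
        "T1562.004 Disable or Modify System Firewall",
    ("firewallpolicy\\standardprofile", "disablenotifications", "1"):
        "T1562.004 Disable or Modify System Firewall",
    ("policies\\system", "enablelua", "0"):
        "T1548.002 Bypass User Account Control",
}
for _name in ("antivirusoverride", "firewalloverride", "antivirusdisablenotify",
              "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify"):
    TAMPER_RULES[("security center", _name, "1")] = "T1562.001 Disable or Modify Tools"

# Report row layout: Set value (<type>) <path> = "<value>" <process>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)


def normalise_path(path):
    """Lower-case and drop the WOW6432Node redirection so the 32-bit view of
    HKLM\\SOFTWARE (which these 32-bit droppers write) matches the same rule
    as the native view."""
    return path.lower().replace("\\wow6432node", "")


def classify(line):
    """Return a finding dict for a defence-weakening write, else None."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None  # 'Key created' rows and unrelated text are ignored
    parent, _, name = normalise_path(m["path"]).rpartition("\\")
    for (key_suffix, value_name, bad_value), technique in TAMPER_RULES.items():
        if name == value_name and parent.endswith(key_suffix) and m["value"] == bad_value:
            return {"process": m["proc"], "path": m["path"],
                    "value": m["value"], "technique": technique}
    return None


def scan(lines):
    """All findings, in input order."""
    return [f for f in map(classify, lines) if f]


def techniques_by_process(findings):
    """process -> sorted list of distinct ATT&CK techniques it triggered."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["process"]].add(f["technique"])
    return {proc: sorted(t) for proc, t in seen.items()}


# Constructed sample: rows copied from the report's IoCs, one 'Key created'
# row, and one hypothetical benign write (not from the report).
SAMPLE_LINES = [
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall = "0" e578656.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications = "1" e578944.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions = "0" e57bb61.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA = "0" e578656.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\AntiVirusOverride = "1" e578656.exe',
    'Key created \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\Svc e57bb61.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusOverride = "0" wscsvc.exe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['process']:<12} {f['technique']:<45} {f['path']} = {f['value']}")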
Processes

Image  (command line)  PID; nested entries are children of the entry above them.

C:\Windows\system32\fontdrvhost.exe  ("fontdrvhost.exe")  PID 784
C:\Windows\system32\fontdrvhost.exe  ("fontdrvhost.exe")  PID 792
C:\Windows\system32\dwm.exe  ("dwm.exe")  PID 60
C:\Windows\system32\sihost.exe  (sihost.exe)  PID 2896
C:\Windows\system32\svchost.exe  (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)  PID 2928
C:\Windows\system32\taskhostw.exe  (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})  PID 1088
C:\Windows\Explorer.EXE  (C:\Windows\Explorer.EXE)  PID 3476
C:\Windows\system32\rundll32.exe  (rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f4d4ca3c033589b86b27c8d02586000886e3ce487d1ef454d01220635fb13a9N.dll,#1)  PID 1712
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f4d4ca3c033589b86b27c8d02586000886e3ce487d1ef454d01220635fb13a9N.dll,#1)  PID 2700
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e578656.exe  (C:\Users\Admin\AppData\Local\Temp\e578656.exe)  PID 4368
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\e578944.exe  (C:\Users\Admin\AppData\Local\Temp\e578944.exe)  PID 960
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\e57bb12.exe  (C:\Users\Admin\AppData\Local\Temp\e57bb12.exe)  PID 3600
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\e57bb61.exe  (C:\Users\Admin\AppData\Local\Temp\e57bb61.exe)  PID 4556
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
C:\Windows\system32\svchost.exe  (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)  PID 3652
C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID 3840
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)  PID 3932
C:\Windows\System32\RuntimeBroker.exe  (C:\Windows\System32\RuntimeBroker.exe -Embedding)  PID 4004
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)  PID 2684
C:\Windows\System32\RuntimeBroker.exe  (C:\Windows\System32\RuntimeBroker.exe -Embedding)  PID 4204
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)  PID 2340
C:\Windows\System32\RuntimeBroker.exe  (C:\Windows\System32\RuntimeBroker.exe -Embedding)  PID 3872
C:\Windows\system32\backgroundTaskHost.exe  ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)  PID 3584
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: 531cca9074840665ff2b3c3839f15d21
  SHA1: d8eeb5209051e2c69eeb884b6ac28e102c095916
  SHA256: 0f1a5c6aec8b98fcd5b5f582c90e42c86dfa1f747c8b7b0ee2da988115fd9ce1
  SHA512: 7c7136a58afedbcdc4d3ffd715c6ef6ea89443dd454ef3c27861146b9b7a2a705612db1870a2e53ee0573aa6e2d7e4d3ddd2959a1dec93f59cb9f682b373e2ca
- Filesize: 256B
  MD5: a12acad0aaa358692b4d319e210479af
  SHA1: ffabd9d91a9566bc16bf374a9443caef56278ea1
  SHA256: 96de1f4939582d6d9bd95736eeb25a1a2e82fa7c57792ea00ef8f3d1e44df4d5
  SHA512: 148bdb75776ec1bd9e7e368ae56b4978454c38a393af0d1f12e5af8c955fbc212266bbdfea3e81c8889f78392e4c5a11af11046c8ceb9dd913d3ca87acf2586d