Analysis
max time kernel: 31s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 11:36
Static task: static1
Behavioral task: behavioral1
Sample: be478076b42c08c352e2b141bb33df6ddcd56fa1d4fa137b0eec45543561569d.dll
Resource: win7-20240903-en
General
Target: be478076b42c08c352e2b141bb33df6ddcd56fa1d4fa137b0eec45543561569d.dll
Size: 120KB
MD5: 92d07287990f1e05899a4d6ae1be6b7e
SHA1: a95a1004f6af310a393a4f8782ac1c1b54b2fe60
SHA256: be478076b42c08c352e2b141bb33df6ddcd56fa1d4fa137b0eec45543561569d
SHA512: 4c9132650734bac604c7511520cfae4c156d2f2c953165fd460fc41ee4ffc6fc73d5dcefed07d9b02561e353f1afa6287435e0c020f8e31f17a363142f20d596
SSDEEP: 3072:QN+fXR9V4SMp/jI0a44Upw0K1yifBi8qfJW:Qwh9g7akA1ZJpqE
Malware Config
Extracted config (sality), callback URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e7a1.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e7a1.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e7a1.exe
Executes dropped EXE (4 IoCs)
pid | Process
5064 | e57bb41.exe
1828 | e57bd35.exe
3664 | e57e7a1.exe
3920 | e57e7ef.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e7a1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e7a1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e7a1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bb41.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e7a1.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e57bb41.exe
File opened (read-only) | \??\N: | e57bb41.exe
File opened (read-only) | \??\G: | e57e7a1.exe
File opened (read-only) | \??\M: | e57bb41.exe
File opened (read-only) | \??\E: | e57e7a1.exe
File opened (read-only) | \??\J: | e57e7a1.exe
File opened (read-only) | \??\E: | e57bb41.exe
File opened (read-only) | \??\L: | e57bb41.exe
File opened (read-only) | \??\J: | e57bb41.exe
File opened (read-only) | \??\K: | e57bb41.exe
File opened (read-only) | \??\H: | e57e7a1.exe
File opened (read-only) | \??\I: | e57e7a1.exe
File opened (read-only) | \??\G: | e57bb41.exe
File opened (read-only) | \??\H: | e57bb41.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57bb8f | e57bb41.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57bb41.exe
File created | C:\Windows\e580f2e | e57e7a1.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bb41.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bd35.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e7a1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e7ef.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
5064 | e57bb41.exe (4 identical entries)
3664 | e57e7a1.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5064 | e57bb41.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, count in parentheses)
description | pid | Process | procid_target
PID 3368 wrote to memory of 3636 | 3368 | rundll32.exe | 84 (3)
PID 3636 wrote to memory of 5064 | 3636 | rundll32.exe | 85 (3)
PID 5064 wrote to memory of 764 | 5064 | e57bb41.exe | 8 (2)
PID 5064 wrote to memory of 772 | 5064 | e57bb41.exe | 9 (2)
PID 5064 wrote to memory of 1012 | 5064 | e57bb41.exe | 13 (2)
PID 5064 wrote to memory of 2784 | 5064 | e57bb41.exe | 50 (2)
PID 5064 wrote to memory of 760 | 5064 | e57bb41.exe | 51 (2)
PID 5064 wrote to memory of 3100 | 5064 | e57bb41.exe | 52 (2)
PID 5064 wrote to memory of 3440 | 5064 | e57bb41.exe | 56 (2)
PID 5064 wrote to memory of 3552 | 5064 | e57bb41.exe | 57 (2)
PID 5064 wrote to memory of 3760 | 5064 | e57bb41.exe | 58 (2)
PID 5064 wrote to memory of 3872 | 5064 | e57bb41.exe | 59 (2)
PID 5064 wrote to memory of 3936 | 5064 | e57bb41.exe | 60 (2)
PID 5064 wrote to memory of 4032 | 5064 | e57bb41.exe | 61 (2)
PID 5064 wrote to memory of 2236 | 5064 | e57bb41.exe | 62 (2)
PID 5064 wrote to memory of 4188 | 5064 | e57bb41.exe | 64 (2)
PID 5064 wrote to memory of 4628 | 5064 | e57bb41.exe | 74 (2)
PID 5064 wrote to memory of 2716 | 5064 | e57bb41.exe | 77 (2)
PID 5064 wrote to memory of 848 | 5064 | e57bb41.exe | 82 (2)
PID 5064 wrote to memory of 3368 | 5064 | e57bb41.exe | 83 (2)
PID 5064 wrote to memory of 3636 | 5064 | e57bb41.exe | 84 (2)
PID 3636 wrote to memory of 1828 | 3636 | rundll32.exe | 86 (3)
PID 5064 wrote to memory of 1828 | 5064 | e57bb41.exe | 86 (2)
PID 3636 wrote to memory of 3664 | 3636 | rundll32.exe | 87 (3)
PID 3636 wrote to memory of 3920 | 3636 | rundll32.exe | 88 (3)
PID 3664 wrote to memory of 764 | 3664 | e57e7a1.exe | 8
PID 3664 wrote to memory of 772 | 3664 | e57e7a1.exe | 9
PID 3664 wrote to memory of 1012 | 3664 | e57e7a1.exe | 13
PID 3664 wrote to memory of 2784 | 3664 | e57e7a1.exe | 50
PID 3664 wrote to memory of 760 | 3664 | e57e7a1.exe | 51
PID 3664 wrote to memory of 3100 | 3664 | e57e7a1.exe | 52
PID 3664 wrote to memory of 3440 | 3664 | e57e7a1.exe | 56
PID 3664 wrote to memory of 3552 | 3664 | e57e7a1.exe | 57
PID 3664 wrote to memory of 3760 | 3664 | e57e7a1.exe | 58
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bb41.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e7a1.exe
Processes (path | command line | PID; indentation shows parent/child depth)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:764
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1012
C:\Windows\system32\sihost.exe | sihost.exe | PID:2784
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:760
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3100
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3440
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\be478076b42c08c352e2b141bb33df6ddcd56fa1d4fa137b0eec45543561569d.dll,#1 | PID:3368
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\be478076b42c08c352e2b141bb33df6ddcd56fa1d4fa137b0eec45543561569d.dll,#1 | PID:3636
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57bb41.exe | C:\Users\Admin\AppData\Local\Temp\e57bb41.exe | PID:5064
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57bd35.exe | C:\Users\Admin\AppData\Local\Temp\e57bd35.exe | PID:1828
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57e7a1.exe | C:\Users\Admin\AppData\Local\Temp\e57e7a1.exe | PID:3664
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57e7ef.exe | C:\Users\Admin\AppData\Local\Temp\e57e7ef.exe | PID:3920
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3552
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3760
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3872
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3936
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4032
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2236
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4188
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4628
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2716
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:848
Network
MITRE ATT&CK Enterprise v15 (signature count in parentheses)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 6c8efdfb4d5997bd52c2f5d9b94c1dea
SHA1: ba1b67a59794a817fb653e179be136ebcca39384
SHA256: 72c78a76bc4c1eb391f864443f37bf40ff8c2024152d2ccfa8f6d5c638ec76fa
SHA512: 20e6527e4e2a7d5310f290a92d9f9b7a36a8d120866e7716a4b94ad66de7b1df64030e1ca39ae91c363777d282225ab924dade2e5b127f74de6419d5d4e5ea2c

Filesize: 257B
MD5: 58f6bb2737d21906b228792d01384335
SHA1: 94869e8d91b1c0b452e5ac6d57a5d012773c1e1d
SHA256: 05ec8dd1e64559dff56cb38df5ed44468d496d43f19708988afa70079288d67c
SHA512: 878707544c3c1364d4b0c94e477d9eb77ad7b3694dc9eec9492fc6812b92037db638b198bf107c763ff871757c4e83113842f25e03aa2343688b5bd5658b273f