Analysis
- max time kernel: 95s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2024 15:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3023c6c4730f42f68856fc8558af778d078cf163935209f96de798ca72a1bb70.dll
- Resource: win7-20240903-en
General
- Target: 3023c6c4730f42f68856fc8558af778d078cf163935209f96de798ca72a1bb70.dll
- Size: 120KB
- MD5: b058c37d8c1cf21985e70ac22116f4ca
- SHA1: c3ab7dc79c52e2a425981981f60f20d14f90480b
- SHA256: 3023c6c4730f42f68856fc8558af778d078cf163935209f96de798ca72a1bb70
- SHA512: 6147d0f797b380bb1fbd94311fd155276db728a0e7dc4164c0ccb8259a0d5697b1d70b6821ab6bdeaabdcd6e7bc6aa84e78327b925fc06ede1d21f99b36edcc1
- SSDEEP: 1536:zW33nb2aQNX9T0QQwVz1AxNaRAW13spw8wCcDhr67MXmB8T2p:zWnnblEtptVKRW1spw8x6h2T82p
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b611.exe
Sality family

UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dcd3.exe
Windows security bypass 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dcd3.exe
Executes dropped EXE 4 IoCs
pid | Process
2704 | e57b611.exe
3312 | e57b779.exe
4808 | e57dcd3.exe
2752 | e57dcf2.exe
Windows security modification 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b779.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b611.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dcd3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dcd3.exe
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dcd3.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57b611.exe
File opened (read-only) | \??\I: | e57b611.exe
File opened (read-only) | \??\M: | e57b611.exe
File opened (read-only) | \??\K: | e57b611.exe
File opened (read-only) | \??\L: | e57b611.exe
File opened (read-only) | \??\N: | e57b611.exe
File opened (read-only) | \??\E: | e57b611.exe
File opened (read-only) | \??\G: | e57b611.exe
File opened (read-only) | \??\J: | e57b611.exe
Yara rule matches in memory (upx) 28 IoCs
resource | yara_rule
behavioral2/memory/2704-6-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-10-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-8-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-9-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-13-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-23-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-31-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-27-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-12-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-11-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-33-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-35-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-37-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-36-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-38-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-39-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-62-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-67-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-68-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-69-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-72-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-73-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-76-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-77-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-79-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2704-81-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3312-112-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/3312-126-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\e57b65f | e57b611.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b611.exe
File created | C:\Windows\e580635 | e57b779.exe
File created | C:\Windows\e582b41 | e57dcd3.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b611.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b779.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dcd3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dcf2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2704 | e57b611.exe
2704 | e57b611.exe
2704 | e57b611.exe
2704 | e57b611.exe
3312 | e57b779.exe
3312 | e57b779.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2704 | e57b611.exe
(all 64 entries in the report are identical to the row above)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4544 wrote to memory of 1552 | 4544 | rundll32.exe | 82
PID 4544 wrote to memory of 1552 | 4544 | rundll32.exe | 82
PID 4544 wrote to memory of 1552 | 4544 | rundll32.exe | 82
PID 1552 wrote to memory of 2704 | 1552 | rundll32.exe | 83
PID 1552 wrote to memory of 2704 | 1552 | rundll32.exe | 83
PID 1552 wrote to memory of 2704 | 1552 | rundll32.exe | 83
PID 2704 wrote to memory of 784 | 2704 | e57b611.exe | 9
PID 2704 wrote to memory of 792 | 2704 | e57b611.exe | 10
PID 2704 wrote to memory of 316 | 2704 | e57b611.exe | 13
PID 2704 wrote to memory of 2672 | 2704 | e57b611.exe | 44
PID 2704 wrote to memory of 2680 | 2704 | e57b611.exe | 45
PID 2704 wrote to memory of 3020 | 2704 | e57b611.exe | 51
PID 2704 wrote to memory of 3456 | 2704 | e57b611.exe | 56
PID 2704 wrote to memory of 3596 | 2704 | e57b611.exe | 57
PID 2704 wrote to memory of 3776 | 2704 | e57b611.exe | 58
PID 2704 wrote to memory of 3864 | 2704 | e57b611.exe | 59
PID 2704 wrote to memory of 3924 | 2704 | e57b611.exe | 60
PID 2704 wrote to memory of 4008 | 2704 | e57b611.exe | 61
PID 2704 wrote to memory of 4148 | 2704 | e57b611.exe | 62
PID 2704 wrote to memory of 3748 | 2704 | e57b611.exe | 74
PID 2704 wrote to memory of 3324 | 2704 | e57b611.exe | 76
PID 2704 wrote to memory of 4544 | 2704 | e57b611.exe | 81
PID 2704 wrote to memory of 1552 | 2704 | e57b611.exe | 82
PID 2704 wrote to memory of 1552 | 2704 | e57b611.exe | 82
PID 1552 wrote to memory of 3312 | 1552 | rundll32.exe | 84
PID 1552 wrote to memory of 3312 | 1552 | rundll32.exe | 84
PID 1552 wrote to memory of 3312 | 1552 | rundll32.exe | 84
PID 1552 wrote to memory of 4808 | 1552 | rundll32.exe | 85
PID 1552 wrote to memory of 4808 | 1552 | rundll32.exe | 85
PID 1552 wrote to memory of 4808 | 1552 | rundll32.exe | 85
PID 1552 wrote to memory of 2752 | 1552 | rundll32.exe | 86
PID 1552 wrote to memory of 2752 | 1552 | rundll32.exe | 86
PID 1552 wrote to memory of 2752 | 1552 | rundll32.exe | 86
PID 2704 wrote to memory of 784 | 2704 | e57b611.exe | 9
PID 2704 wrote to memory of 792 | 2704 | e57b611.exe | 10
PID 2704 wrote to memory of 316 | 2704 | e57b611.exe | 13
PID 2704 wrote to memory of 2672 | 2704 | e57b611.exe | 44
PID 2704 wrote to memory of 2680 | 2704 | e57b611.exe | 45
PID 2704 wrote to memory of 3020 | 2704 | e57b611.exe | 51
PID 2704 wrote to memory of 3456 | 2704 | e57b611.exe | 56
PID 2704 wrote to memory of 3596 | 2704 | e57b611.exe | 57
PID 2704 wrote to memory of 3776 | 2704 | e57b611.exe | 58
PID 2704 wrote to memory of 3864 | 2704 | e57b611.exe | 59
PID 2704 wrote to memory of 3924 | 2704 | e57b611.exe | 60
PID 2704 wrote to memory of 4008 | 2704 | e57b611.exe | 61
PID 2704 wrote to memory of 4148 | 2704 | e57b611.exe | 62
PID 2704 wrote to memory of 3748 | 2704 | e57b611.exe | 74
PID 2704 wrote to memory of 3324 | 2704 | e57b611.exe | 76
PID 2704 wrote to memory of 3312 | 2704 | e57b611.exe | 84
PID 2704 wrote to memory of 3312 | 2704 | e57b611.exe | 84
PID 2704 wrote to memory of 4808 | 2704 | e57b611.exe | 85
PID 2704 wrote to memory of 4808 | 2704 | e57b611.exe | 85
PID 2704 wrote to memory of 2752 | 2704 | e57b611.exe | 86
PID 2704 wrote to memory of 2752 | 2704 | e57b611.exe | 86
PID 3312 wrote to memory of 784 | 3312 | e57b779.exe | 9
PID 3312 wrote to memory of 792 | 3312 | e57b779.exe | 10
PID 3312 wrote to memory of 316 | 3312 | e57b779.exe | 13
PID 3312 wrote to memory of 2672 | 3312 | e57b779.exe | 44
PID 3312 wrote to memory of 2680 | 3312 | e57b779.exe | 45
PID 3312 wrote to memory of 3020 | 3312 | e57b779.exe | 51
PID 3312 wrote to memory of 3456 | 3312 | e57b779.exe | 56
PID 3312 wrote to memory of 3596 | 3312 | e57b779.exe | 57
PID 3312 wrote to memory of 3776 | 3312 | e57b779.exe | 58
PID 3312 wrote to memory of 3864 | 3312 | e57b779.exe | 59
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b611.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b779.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dcd3.exe
Processes (indentation shows the parent/child relationship; each entry is image path | command line | PID)

- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 792
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2672
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2680
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3020
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3456
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\3023c6c4730f42f68856fc8558af778d078cf163935209f96de798ca72a1bb70.dll,#1 | PID 4544
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\3023c6c4730f42f68856fc8558af778d078cf163935209f96de798ca72a1bb70.dll,#1 | PID 1552
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e57b611.exe | C:\Users\Admin\AppData\Local\Temp\e57b611.exe | PID 2704
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\e57b779.exe | C:\Users\Admin\AppData\Local\Temp\e57b779.exe | PID 3312
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\e57dcd3.exe | C:\Users\Admin\AppData\Local\Temp\e57dcd3.exe | PID 4808
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\e57dcf2.exe | C:\Users\Admin\AppData\Local\Temp\e57dcf2.exe | PID 2752
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3596
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3776
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3864
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3924
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4008
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4148
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 3748
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3324
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 531cca9074840665ff2b3c3839f15d21
  SHA1: d8eeb5209051e2c69eeb884b6ac28e102c095916
  SHA256: 0f1a5c6aec8b98fcd5b5f582c90e42c86dfa1f747c8b7b0ee2da988115fd9ce1
  SHA512: 7c7136a58afedbcdc4d3ffd715c6ef6ea89443dd454ef3c27861146b9b7a2a705612db1870a2e53ee0573aa6e2d7e4d3ddd2959a1dec93f59cb9f682b373e2ca
- Filesize: 257B
  MD5: f6d1e9ed5cb88881e65705c0a6d7c234
  SHA1: 2a0ffe33fa6723b05dc9445c312646abac17eb59
  SHA256: dadeba640c2a2d8a3bd9eb1a9d9a4e03911e15129bc5208c1a36448df481df4f
  SHA512: e513a5d60a58d34b4d265968d1ca5e42240abdc2b1fb03f1305387c3ca7d166160098d08e7b292ac9857a49c87f929e8d7afdacce5387095aec4c29eba2c7cbc