Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 22-12-2024 16:02
Static task: static1
Behavioral task: behavioral1
Sample: f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll
Resource: win7-20240903-en
General
Target: f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll
Size: 120KB
MD5: f6cea54b75384f0168d211e027268f07
SHA1: 2796a3934e2d01dc3a6b41bb1dba9dbddbdb923e
SHA256: f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621
SHA512: 15218b346f0a9c3e94a2e982e0d0ef1cbb20655ab61403b6fe1b4d89f2b98b2551f7df4af811302477f5ffc7918a17b9ae7c4859448cb1334d62103a04392e3f
SSDEEP: 1536:LwtOSfz3LXx23MUUXVXgSm7ATzanT1oK6dD2VNLHeo7MqXCajYZILjedgfbUPl1N:W3AM9LmE+v6dDYNLHPMIj8dgfWK5Y
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e579dd6.exe
Sality family

UAC bypass
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579dd6.exe

Windows security bypass
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e579dd6.exe
Executes dropped EXE (3 IoCs)
pid  Process
880  e57709c.exe
3944  e5771e4.exe
2620  e579dd6.exe

Windows security modification
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e579dd6.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e579dd6.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e579dd6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e579dd6.exe

Checks whether UAC is enabled
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579dd6.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\E:  e57709c.exe
File opened (read-only)  \??\J:  e57709c.exe
File opened (read-only)  \??\I:  e579dd6.exe
File opened (read-only)  \??\J:  e579dd6.exe
File opened (read-only)  \??\E:  e579dd6.exe
File opened (read-only)  \??\G:  e579dd6.exe
File opened (read-only)  \??\G:  e57709c.exe
File opened (read-only)  \??\H:  e57709c.exe
File opened (read-only)  \??\I:  e57709c.exe
File opened (read-only)  \??\K:  e57709c.exe
File opened (read-only)  \??\L:  e57709c.exe
File opened (read-only)  \??\M:  e57709c.exe
File opened (read-only)  \??\H:  e579dd6.exe
Yara rule: upx (29 memory dumps)
resource  yara_rule
behavioral2/memory/880-N-0x00000000007F0000-0x00000000018AA000-memory.dmp  upx, for N in 6, 10, 27, 11, 25, 32, 34, 21, 9, 8, 35, 37, 36, 38, 40, 39, 53, 57, 58, 60, 62, 63, 64, 67, 74
behavioral2/memory/2620-N-0x00000000007B0000-0x000000000186A000-memory.dmp  upx, for N in 99, 105, 126, 151
Drops file in Windows directory (3 IoCs)
description  ioc  Process
File created  C:\Windows\e5770ea  e57709c.exe
File opened for modification  C:\Windows\SYSTEM.INI  e57709c.exe
File created  C:\Windows\e57c544  e579dd6.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e5771e4.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e579dd6.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57709c.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid  Process
880  e57709c.exe (x4)
2620  e579dd6.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  Process
Token: SeDebugPrivilege  880  e57709c.exe (64 occurrences)
Suspicious use of WriteProcessMemory (63 IoCs)
description  pid  Process  procid_target (target shown as "target PID [procid_target]"; repeats noted as xN)
PID 1980 (rundll32.exe) wrote to memory of 4504 [82] (x3)
PID 4504 (rundll32.exe) wrote to memory of 880 [83] (x3)
PID 880 (e57709c.exe) wrote to memory of 788 [8], 792 [9], 376 [13], 2652 [44], 2664 [45], 2852 [51], 3392 [56], 3604 [57], 3788 [58], 3884 [59], 3952 [60], 4028 [61], 4132 [62], 1584 [75], 1088 [76], 1980 [81], 4504 [82] (x2)
PID 4504 (rundll32.exe) wrote to memory of 3944 [84] (x3)
PID 880 (e57709c.exe) wrote to memory of 788 [8], 792 [9], 376 [13], 2652 [44], 2664 [45], 2852 [51], 3392 [56], 3604 [57], 3788 [58], 3884 [59], 3952 [60], 4028 [61], 4132 [62], 1584 [75], 1088 [76], 1980 [81], 3944 [84] (x2)
PID 4504 (rundll32.exe) wrote to memory of 2620 [85] (x3)
PID 2620 (e579dd6.exe) wrote to memory of 788 [8], 792 [9], 376 [13], 2652 [44], 2664 [45], 2852 [51], 3392 [56], 3604 [57], 3788 [58], 3884 [59], 3952 [60], 4028 [61], 4132 [62], 1584 [75], 1088 [76]
System policy modification (1 TTPs, 2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57709c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e579dd6.exe
Processes
(path  command line  PID; indentation shows the parent/child tree)

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:788
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:376
C:\Windows\system32\sihost.exe  sihost.exe  PID:2652
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2664
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2852
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3392
    C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll,#1  PID:1980
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll,#1  PID:4504
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57709c.exe  C:\Users\Admin\AppData\Local\Temp\e57709c.exe  PID:880
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5771e4.exe  C:\Users\Admin\AppData\Local\Temp\e5771e4.exe  PID:3944
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e579dd6.exe  C:\Users\Admin\AppData\Local\Temp\e579dd6.exe  PID:2620
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3604
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3788
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3884
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3952
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:4028
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4132
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:1584
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:1088
Network
All entries are DNS PTR lookups to remote address 8.8.8.8:53. Columns: request (IN PTR), response, then the reported sizes and counts (shown as on the page: two byte values, two counts).

85.49.80.91.in-addr.arpa  (no response)  70 B  145 B  1  1
217.106.137.52.in-addr.arpa  (no response)  73 B  147 B  1  1
17.160.190.20.in-addr.arpa  (no response)  72 B  158 B  1  1
95.221.229.192.in-addr.arpa  (no response)  73 B  144 B  1  1
133.211.185.52.in-addr.arpa  (no response)  73 B  147 B  1  1
149.220.183.52.in-addr.arpa  (no response)  73 B  147 B  1  1
50.23.12.20.in-addr.arpa  (no response)  70 B  156 B  1  1
206.23.85.13.in-addr.arpa  (no response)  71 B  145 B  1  1
107.12.20.2.in-addr.arpa  107.12.20.2.in-addr.arpa IN PTR a2-20-12-107.deploy.static.akamaitechnologies.com  70 B  133 B  1  1
20.49.80.91.in-addr.arpa  (no response)  70 B  145 B  1  1
13.227.111.52.in-addr.arpa  (no response)  72 B  158 B  1  1
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: fb4e48b9d496385bbd771d6f1904dc18
  SHA1: 99eee6583e1c8ce473e6661fe8e13cfaf710fbf4
  SHA256: 7cdd27c69b5b168ea5532de6a6c5534f256792002c4752f583f6504f5f0bbce4
  SHA512: b1796ecde3c28b31093ecfa2d18361918a636f60dc1afb38d88fea7d019c9d5cee2b72fbb678751d02ea3225f8ea5137c8979fed4264033340f003a5f51b5669
- Filesize: 257B
  MD5: aa71af6e4a3a11ba41b05d8308867e3b
  SHA1: 1574460c2d1b0fc724105cc4596a9cf4f3728ff4
  SHA256: 26600c9c47b3f79015a40b277f9e9b949f57b8fdb8ec8fb1df9471e663672114
  SHA512: cffbdbdeab9a6763c802c44d63b95fefb4a0d09fc986d477fc59c29c1a7601e907924b2bb47a54971368a9f94c345fe1a560a0e0b9d791b21a0d7c6d238d70d6