Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2024 23:29
Static task: static1
Behavioral task: behavioral1
Sample: 1846b9dbbf940d21f082548e08f885ea3f8a9dff51a6bd70b7059d2c026d7788.dll
Resource: win7-20240903-en
General
Target: 1846b9dbbf940d21f082548e08f885ea3f8a9dff51a6bd70b7059d2c026d7788.dll
Size: 120KB
MD5: 3b75efc01263a7261178365ce8443fad
SHA1: 5f27347a519056415edaac7e1447472f6d2baf50
SHA256: 1846b9dbbf940d21f082548e08f885ea3f8a9dff51a6bd70b7059d2c026d7788
SHA512: 3ec22c12b96c203cce6a89b09159b23d3a3fa2dc4cacfb7852573f2e930d6a68f1e2c1515682efa68081bc6e4e6bcf2f1edfcb7c35cb61c572a971d8428861b3
SSDEEP: 3072:R1knIc3dOlrowGtnjWVGmLW8vT6vyn/nyBTG:RGnZOlROjDz8rpnA6
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bd26.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8cc.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d8cc.exe
Executes dropped EXE (4 IoCs)
pid | Process
540 | e57bd26.exe
1124 | e57be2f.exe
2000 | e57d8ad.exe
4352 | e57d8cc.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bd26.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d8cc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bd26.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bd26.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e57bd26.exe
File opened (read-only) | \??\M: | e57bd26.exe
File opened (read-only) | \??\S: | e57bd26.exe
File opened (read-only) | \??\G: | e57bd26.exe
File opened (read-only) | \??\H: | e57bd26.exe
File opened (read-only) | \??\K: | e57bd26.exe
File opened (read-only) | \??\R: | e57bd26.exe
File opened (read-only) | \??\E: | e57d8cc.exe
File opened (read-only) | \??\G: | e57d8cc.exe
File opened (read-only) | \??\E: | e57bd26.exe
File opened (read-only) | \??\N: | e57bd26.exe
File opened (read-only) | \??\P: | e57bd26.exe
File opened (read-only) | \??\Q: | e57bd26.exe
File opened (read-only) | \??\T: | e57bd26.exe
File opened (read-only) | \??\I: | e57bd26.exe
File opened (read-only) | \??\J: | e57bd26.exe
File opened (read-only) | \??\O: | e57bd26.exe
Yara rule matches
resource | yara_rule
behavioral2/memory/540-12-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-9-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-13-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-18-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-29-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-34-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-28-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-11-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-8-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-10-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-36-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-37-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-38-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-39-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-40-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-42-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-43-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-58-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-60-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-61-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-75-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-76-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-79-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-81-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-84-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-85-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-89-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-97-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-99-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-100-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/540-103-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4352-143-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/4352-174-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57bd26.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57bd26.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57bd26.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57bd26.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57bd74 | e57bd26.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57bd26.exe
File created | C:\Windows\e580d88 | e57d8cc.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bd26.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57be2f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d8ad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d8cc.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
540 | e57bd26.exe
540 | e57bd26.exe
540 | e57bd26.exe
540 | e57bd26.exe
4352 | e57d8cc.exe
4352 | e57d8cc.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are identical:
description | pid | Process
Token: SeDebugPrivilege | 540 | e57bd26.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Entries are listed in the order reported; consecutive identical entries are collapsed into one row with their count.
pid | Process | wrote to memory of (PID) | procid_target | consecutive entries
848 | rundll32.exe | 2100 | 82 | 3
2100 | rundll32.exe | 540 | 83 | 3
540 | e57bd26.exe | 760 | 8 | 1
540 | e57bd26.exe | 764 | 9 | 1
540 | e57bd26.exe | 60 | 13 | 1
540 | e57bd26.exe | 2552 | 44 | 1
540 | e57bd26.exe | 2632 | 45 | 1
540 | e57bd26.exe | 2844 | 49 | 1
540 | e57bd26.exe | 3488 | 56 | 1
540 | e57bd26.exe | 3676 | 57 | 1
540 | e57bd26.exe | 3876 | 58 | 1
540 | e57bd26.exe | 3972 | 59 | 1
540 | e57bd26.exe | 4040 | 60 | 1
540 | e57bd26.exe | 2832 | 61 | 1
540 | e57bd26.exe | 4112 | 62 | 1
540 | e57bd26.exe | 456 | 74 | 1
540 | e57bd26.exe | 3344 | 76 | 1
540 | e57bd26.exe | 848 | 81 | 1
540 | e57bd26.exe | 2100 | 82 | 2
2100 | rundll32.exe | 1124 | 84 | 3
2100 | rundll32.exe | 2000 | 85 | 3
2100 | rundll32.exe | 4352 | 86 | 3
540 | e57bd26.exe | 760 | 8 | 1
540 | e57bd26.exe | 764 | 9 | 1
540 | e57bd26.exe | 60 | 13 | 1
540 | e57bd26.exe | 2552 | 44 | 1
540 | e57bd26.exe | 2632 | 45 | 1
540 | e57bd26.exe | 2844 | 49 | 1
540 | e57bd26.exe | 3488 | 56 | 1
540 | e57bd26.exe | 3676 | 57 | 1
540 | e57bd26.exe | 3876 | 58 | 1
540 | e57bd26.exe | 3972 | 59 | 1
540 | e57bd26.exe | 4040 | 60 | 1
540 | e57bd26.exe | 2832 | 61 | 1
540 | e57bd26.exe | 4112 | 62 | 1
540 | e57bd26.exe | 456 | 74 | 1
540 | e57bd26.exe | 3344 | 76 | 1
540 | e57bd26.exe | 1124 | 84 | 2
540 | e57bd26.exe | 2000 | 85 | 2
540 | e57bd26.exe | 4352 | 86 | 2
4352 | e57d8cc.exe | 760 | 8 | 1
4352 | e57d8cc.exe | 764 | 9 | 1
4352 | e57d8cc.exe | 60 | 13 | 1
4352 | e57d8cc.exe | 2552 | 44 | 1
4352 | e57d8cc.exe | 2632 | 45 | 1
4352 | e57d8cc.exe | 2844 | 49 | 1
4352 | e57d8cc.exe | 3488 | 56 | 1
4352 | e57d8cc.exe | 3676 | 57 | 1
4352 | e57d8cc.exe | 3876 | 58 | 1
4352 | e57d8cc.exe | 3972 | 59 | 1
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bd26.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8cc.exe
Processes
Process tree (indentation shows parent/child relationship as reported by the sandbox):

- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID:760
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID:764
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID:60
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID:2552
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID:2632
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID:2844
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:3488
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1846b9dbbf940d21f082548e08f885ea3f8a9dff51a6bd70b7059d2c026d7788.dll,#1
    PID:848
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1846b9dbbf940d21f082548e08f885ea3f8a9dff51a6bd70b7059d2c026d7788.dll,#1
      PID:2100
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57bd26.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57bd26.exe
        PID:540
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57be2f.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57be2f.exe
        PID:1124
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57d8ad.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57d8ad.exe
        PID:2000
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57d8cc.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57d8cc.exe
        PID:4352
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3676
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3876
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID:3972
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4040
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:2832
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4112
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID:456
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3344
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 76ac762d075165cf232ed31c1dc83fc7
  SHA1: 31432bb5af1d95cb834cf2bd20dc7bf7ca4b86b7
  SHA256: 87f4bbf3debd47212f492a59b242b47a63a513f0eab07605ea1c7e8c0d534147
  SHA512: 0bb53447b83b33e10b8fafe03b347573390185b700ec233dd97cf7c2474fd7b5ddcf14df3fb594ee767069bc20496f51ca47e43981071c992dfcef0b9311fd24
- Filesize: 257B
  MD5: 87132d331080b4c67b3371c6d4a5c9dc
  SHA1: 75dde1d89b431c978cd9e518596c22912c93fc00
  SHA256: 8f972d6fd5a371d3ec569576dbd2e8975bea6ed3fd02220b8630b82ffd623562
  SHA512: 16c376d2e7e215a076dcef498086879bdcb671c48184cee618891315996c2892b1bbe4217c29d04cab2b3eaa85fce608f89d8fef5e654e03f975f8f6aa15e81b