Analysis

max time kernel:   97s
max time network:  102s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         25-12-2024 17:47

Static task:       static1
Behavioral task:   behavioral1
  Sample:          36cd061070451befa70c113c53e025b57baccb5fccf37c13e636778e503252bf.dll
  Resource:        win7-20241010-en

The results below are from the Windows 10 run (the memory-dump paths under the yara matches are prefixed behavioral2), not from the win7 behavioral1 task listed here.
General

Target:  36cd061070451befa70c113c53e025b57baccb5fccf37c13e636778e503252bf.dll
Size:    120KB
MD5:     afcc637b8deea850f9dff9af3b792b0d
SHA1:    9a95e9a7eeec1bd7b54b978525ee855d29197e8f
SHA256:  36cd061070451befa70c113c53e025b57baccb5fccf37c13e636778e503252bf
SHA512:  ece2edf926430f4504519957490830702f40abcfc06523d204a0a136ab37a9171c1ff1ec3d39f3a708f14cb1170bab7e21f3dc132017f96528f4d4f90dfb59f0
SSDEEP:  3072:TDGP7+7YeTWfnLG+rEuwKAmudVwDDegbmD1w8V:TDGHeTwLncNdVdDO8V
Malware Config

Extracted family: sality
URLs recovered from the sample's embedded configuration:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 9 IoCs)
  Each of e575e2d.exe, e576031.exe and e578117.exe sets these values (int) under
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
    EnableFirewall        = "0"
    DoNotAllowExceptions  = "0"
    DisableNotifications  = "1"
  Net effect: the standard-profile firewall is switched off, exceptions are allowed again and the user is not notified.

Sality family

UAC bypass  (3 IoCs)
  Each of e575e2d.exe, e576031.exe and e578117.exe sets value (int)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  (UAC is disabled entirely once the machine reboots).

Windows security bypass  (18 IoCs)
  Each of e575e2d.exe, e576031.exe and e578117.exe sets these values (int) to "1" under
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
    AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, FirewallDisableNotify,
    UpdatesDisableNotify, UacDisableNotify
  (the WOW6432Node path is the 32-bit registry view: the writers are 32-bit processes launched from SysWOW64\rundll32.exe)

Executes dropped EXE  (4 IoCs)
  pid   Process
  4352  e575e2d.exe
  4448  e576031.exe
  1436  e578117.exe
  4956  e578155.exe

Windows security modification  (21 IoCs)
  Each of e575e2d.exe, e576031.exe and e578117.exe creates the key
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  and sets the same six Security Center values (AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride,
  FirewallDisableNotify, UpdatesDisableNotify, UacDisableNotify) to "1".

Checks whether UAC is enabled  (3 IoCs)
  Each of e575e2d.exe, e576031.exe and e578117.exe sets value (int)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
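The registry rows in the signature tables above are the report's raw IoC entries. As an added example (not part of the report or of the sandbox's own code), the script below parses rows in that exact `Set value (int) <path> = "<value>" <process>` / `Key created <path> <process>` shape and flags the ones that impair defenses. TAMPER_POLICY is an assumed alert list keyed on the value names the three dropped executables wrote; SAMPLE_EVENTS is constructed from this page plus one unrelated control row so the filter is seen to reject something.

```python
"""Flag defense-impairment registry writes in sandbox IoC rows.

Added example, not code from this report or its sandbox. SAMPLE_EVENTS is
constructed from the signature tables on this page plus one unrelated
control row; TAMPER_POLICY is an assumed alert list, not a vendor's.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows in the report's own shape:
#   Set value (<type>) <path> = "<value>" <process>
#   Key created <path> <process>
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e575e2d.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e575e2d.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e575e2d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576031.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e578117.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e578117.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e576031.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\ExampleVendor\Harmless\Setting = "1" setup.exe
"""

# Assumed alert policy: path suffix (matched case-insensitively, so the
# WOW6432Node 32-bit view and the native view both hit) -> (value that
# means tampering, what that value does on the host).
TAMPER_POLICY = {
    r"FirewallPolicy\StandardProfile\EnableFirewall": ("0", "Windows Firewall standard profile turned off"),
    r"FirewallPolicy\StandardProfile\DoNotAllowExceptions": ("0", "firewall exceptions allowed again"),
    r"FirewallPolicy\StandardProfile\DisableNotifications": ("1", "firewall notifications suppressed"),
    r"Policies\System\EnableLUA": ("0", "UAC disabled (effective after reboot)"),
    r"Security Center\AntiVirusOverride": ("1", "Security Center ignores antivirus state"),
    r"Security Center\FirewallOverride": ("1", "Security Center ignores firewall state"),
    r"Security Center\AntiVirusDisableNotify": ("1", "antivirus warnings suppressed"),
    r"Security Center\FirewallDisableNotify": ("1", "firewall warnings suppressed"),
    r"Security Center\UpdatesDisableNotify": ("1", "Windows Update warnings suppressed"),
    r"Security Center\UacDisableNotify": ("1", "UAC warnings suppressed"),
}

EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'        # lazy: key paths may contain spaces ("Security Center")
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<process>\S+)$'
)


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    value: Optional[str]   # None for "Key created"
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    value_name: str
    meaning: str


def parse_events(text: str) -> list[RegEvent]:
    """Parse one IoC row per line; rows that do not fit the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(RegEvent(m["op"], m["path"], m["value"], m["process"]))
    return events


def classify_events(events: list[RegEvent]) -> list[Finding]:
    """Return a Finding for every write whose (path suffix, value) is in the policy."""
    findings = []
    for ev in events:
        if ev.value is None:
            continue                      # key creation alone carries no value to judge
        for suffix, (bad_value, meaning) in TAMPER_POLICY.items():
            if ev.path.lower().endswith(suffix.lower()) and ev.value == bad_value:
                findings.append(Finding(ev.process, ev.path.rsplit("\\", 1)[-1], meaning))
    return findings


def impairments_by_process(findings: list[Finding]) -> dict[str, list[str]]:
    """Sorted list of what each process disabled; processes with no hits are absent."""
    by_proc = defaultdict(set)
    for f in findings:
        by_proc[f.process].add(f.meaning)
    return {p: sorted(ms) for p, ms in by_proc.items()}


if __name__ == "__main__":
    for proc, meanings in impairments_by_process(classify_events(parse_events(SAMPLE_EVENTS))).items():
        print(proc)
        for meaning in meanings:
            print("   ", meaning)
```

Matching on a path suffix rather than the full path is deliberate: the same value lands under `SOFTWARE\WOW6432Node\...` when a 32-bit process writes it and under `SOFTWARE\...` when a 64-bit one does, and a policy keyed on the full path would miss one of the two.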
Enumerates connected drives  (3 TTPs, 10 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  e575e2d.exe opened (read-only): \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:

upx yara rule match on memory dumps  (28 dumps)
  behavioral2/memory/4352-N-0x00000000007A0000-0x000000000185A000-memory.dmp   yara_rule: upx
    for N in 8, 9, 10, 11, 12, 20, 21, 22, 24, 31, 35, 36, 37, 38, 39, 53, 66, 67, 70, 71, 73, 74, 77, 79, 82, 83  (26 dumps, pid 4352 e575e2d.exe)
  behavioral2/memory/4448-N-0x0000000000B40000-0x0000000001BFA000-memory.dmp   yara_rule: upx
    for N in 112, 127  (2 dumps, pid 4448 e576031.exe)

Drops file in Program Files directory  (3 IoCs)
  e575e2d.exe opened for modification:
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\7-Zip\7zFM.exe
    C:\Program Files\7-Zip\7zG.exe
  These are existing third-party executables opened for write, consistent with the file-infector behaviour Sality is known for.

Drops file in Windows directory  (4 IoCs)
  e575e2d.exe  created C:\Windows\e575f85; opened C:\Windows\SYSTEM.INI for modification
  e576031.exe  created C:\Windows\e57af6a
  e578117.exe  created C:\Windows\e57cfb4

System Location Discovery: System Language Discovery  (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  rundll32.exe, e575e2d.exe, e576031.exe, e578117.exe and e578155.exe each opened key
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: EnumeratesProcesses  (8 IoCs)
  pid 4352 e575e2d.exe (x4), pid 4448 e576031.exe (x2), pid 1436 e578117.exe (x2)

Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  Token: SeDebugPrivilege   pid 4352 e575e2d.exe   (64 identical entries)

Suspicious use of WriteProcessMemory  (64 IoCs)
  Writer (pid, Process) -> target pids; the report's procid_target column (the sandbox's own index for the target) is omitted here.
  pid 2576 rundll32.exe  -> 3580 rundll32.exe (x3)
  pid 3580 rundll32.exe  -> 4352 e575e2d.exe (x3), 4448 e576031.exe (x3), 1436 e578117.exe (x3), 4956 e578155.exe (x3)
  pid 4352 e575e2d.exe   -> 796 fontdrvhost.exe, 804 fontdrvhost.exe, 380 dwm.exe, 2396 sihost.exe, 2424 svchost.exe, 2516 taskhostw.exe,
                            3516 Explorer.EXE, 3624 svchost.exe, 3820 DllHost.exe, 3908 StartMenuExperienceHost.exe, 3972 RuntimeBroker.exe,
                            4052 SearchApp.exe, 2588 RuntimeBroker.exe, 4924 TextInputHost.exe, 2332 RuntimeBroker.exe, 2060 RuntimeBroker.exe,
                            2412 RuntimeBroker.exe (x2 each); 1556 backgroundTaskHost.exe, 2576 rundll32.exe (x1 each);
                            3580 rundll32.exe, 4448 e576031.exe, 1436 e578117.exe, 4956 e578155.exe (x2 each)
  pid 4448 e576031.exe   -> 796 fontdrvhost.exe, 804 fontdrvhost.exe, 380 dwm.exe, 2396 sihost.exe, 2424 svchost.exe (x1 each)
  The two rundll32.exe writers only touch children they spawned. e575e2d.exe and e576031.exe write into system processes that
  already existed before the sample ran (fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE, the RuntimeBroker.exe instances and
  others), which is the cross-process injection this signature exists to surface.
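The WriteProcessMemory table above records, per row, the writer's PID, the target PID and the sandbox's own target index. As an added example, not code from the report or the sandbox, the script below parses rows of that shape, drops duplicates, and separates a parent's writes into a child it just spawned (treated, as an assumed heuristic, as the ordinary process-creation pattern) from writes into processes the writer did not create. SAMPLE_ROWS is a constructed subset of the table; IMAGES and PARENTS are taken from the Processes section of this page.

```python
"""Build an injection map from a sandbox WriteProcessMemory table.

Added example, not code from this report or its sandbox. SAMPLE_ROWS is a
constructed subset of the table on this page; IMAGES and PARENTS are taken
from the Processes section; the "spawned-child" heuristic is an assumption.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Row shape, as flattened on the page:
#   "PID <writer> wrote to memory of <target>" <writer pid> <writer image> <procid_target>
# procid_target is the sandbox's own index for the target process, not a Windows PID.
SAMPLE_ROWS = """\
PID 2576 wrote to memory of 3580 2576 rundll32.exe 85
PID 2576 wrote to memory of 3580 2576 rundll32.exe 85
PID 2576 wrote to memory of 3580 2576 rundll32.exe 85
PID 3580 wrote to memory of 4352 3580 rundll32.exe 86
PID 4352 wrote to memory of 796 4352 e575e2d.exe 8
PID 4352 wrote to memory of 380 4352 e575e2d.exe 13
PID 4352 wrote to memory of 3516 4352 e575e2d.exe 56
PID 4352 wrote to memory of 2576 4352 e575e2d.exe 84
PID 4352 wrote to memory of 4448 4352 e575e2d.exe 87
PID 3580 wrote to memory of 4448 3580 rundll32.exe 87
PID 4448 wrote to memory of 796 4448 e576031.exe 8
"""

# PID -> image, from the Processes section of this page.
IMAGES = {
    796: "fontdrvhost.exe", 380: "dwm.exe", 3516: "Explorer.EXE",
    2576: "rundll32.exe", 3580: "rundll32.exe",
    4352: "e575e2d.exe", 4448: "e576031.exe", 1436: "e578117.exe", 4956: "e578155.exe",
}

# child PID -> parent PID, from the nesting of the rundll32 chain in the process tree.
PARENTS = {3580: 2576, 4352: 3580, 4448: 3580, 1436: 3580, 4956: 3580}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text: str) -> list[tuple[int, str, int]]:
    """De-duplicated (writer_pid, writer_image, target_pid) triples, in first-seen order."""
    seen = set()
    triples = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid, image, _target_index = m.groups()
        if writer != pid:            # description and pid column disagree: malformed row
            continue
        key = (int(writer), image, int(target))
        if key not in seen:
            seen.add(key)
            triples.append(key)
    return triples


def classify_writes(triples, parents=PARENTS, images=IMAGES):
    """Label each write 'spawned-child' when the writer is the target's parent
    (assumed to be the ordinary process-creation write), else 'injection'."""
    labelled = []
    for writer, image, target in triples:
        kind = "spawned-child" if parents.get(target) == writer else "injection"
        labelled.append((writer, image, target, images.get(target, "?"), kind))
    return labelled


def injection_map(labelled) -> dict[str, list[str]]:
    """Writer image -> sorted images it wrote into without having spawned them."""
    targets = defaultdict(set)
    for _writer, image, _target, target_image, kind in labelled:
        if kind == "injection":
            targets[image].add(target_image)
    return {image: sorted(t) for image, t in targets.items()}


if __name__ == "__main__":
    for image, victims in injection_map(classify_writes(parse_rows(SAMPLE_ROWS))).items():
        print(f"{image} wrote into: {', '.join(victims)}")
```

The parent map is what makes the output readable: without it every rundll32.exe write to its own child counts as a hit, and the real signal (a dropped executable writing into fontdrvhost.exe, dwm.exe and Explorer.EXE) is buried among loader noise.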
System policy modification  (1 TTPs, 3 IoCs)
  Each of e575e2d.exe, e576031.exe and e578117.exe sets value (int)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes  (indentation follows the parent/child nesting the report displays)

PID 796    C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 804    C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 380    C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"
PID 2396   C:\Windows\system32\sihost.exe   cmdline: sihost.exe
PID 2424   C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2516   C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3516   C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
  PID 2576   C:\Windows\system32\rundll32.exe
             cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36cd061070451befa70c113c53e025b57baccb5fccf37c13e636778e503252bf.dll,#1
             signatures: Suspicious use of WriteProcessMemory
    PID 3580   C:\Windows\SysWOW64\rundll32.exe
               cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36cd061070451befa70c113c53e025b57baccb5fccf37c13e636778e503252bf.dll,#1
               signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID 4352   C:\Users\Admin\AppData\Local\Temp\e575e2d.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e575e2d.exe
                 signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE;
                 Windows security modification; Checks whether UAC is enabled; Enumerates connected drives;
                 Drops file in Program Files directory; Drops file in Windows directory;
                 System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses;
                 Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      PID 4448   C:\Users\Admin\AppData\Local\Temp\e576031.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e576031.exe
                 signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE;
                 Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory;
                 System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses;
                 Suspicious use of WriteProcessMemory; System policy modification
      PID 1436   C:\Users\Admin\AppData\Local\Temp\e578117.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e578117.exe
                 signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE;
                 Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory;
                 System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses;
                 System policy modification
      PID 4956   C:\Users\Admin\AppData\Local\Temp\e578155.exe   cmdline: C:\Users\Admin\AppData\Local\Temp\e578155.exe
                 signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
PID 3624   C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3820   C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3908   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
           cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3972   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4052   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
           cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 2588   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4924   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
           cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 2332   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2060   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2412   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1556   C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

The 64-bit system32\rundll32.exe (PID 2576) hands the 32-bit DLL to its SysWOW64 counterpart (PID 3580), which is why the four dropped executables hang off PID 3580 and why their Security Center writes land under the WOW6432Node registry view. The remaining top-level processes are pre-existing session processes that appear in the tree because the dropped executables wrote into their memory.
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Download 1  (Filesize 97KB)
  MD5:     f0f464ff41b8a407163ff4abff2074b4
  SHA1:    4464331f744c837654feabda8fdc8efd095c38d5
  SHA256:  38aab24416f12360022175eeaca2d4bb5e9f97fdd70126f97cd3c1a20fb655c7
  SHA512:  8bef55808611938de869aa7ba8cc69426780b3a8a57688454756c742b1aa714082f3c4c0821f2a9ded25bbecf995d84efa4fd2b48d68f4e935336eabe00927a4

Download 2  (Filesize 256B)
  MD5:     e4d109abd67e3edb10675f7c3a498519
  SHA1:    624b3e106af51bc3a02e8bb27036015f872ded65
  SHA256:  ba655322e9b9ef1478acfed3e635926a0aade2035847322e742e06975e77b515
  SHA512:  8201acf9605db6e47dc1366649cba4c622710fd6c9d82a611b34366d4cfa73aa8c3c7df20555c3a32546320c11c7f9beecc1f4f45e86dad531c1bcedd02c746d