Analysis
  max time kernel: 91s
  max time network: 92s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26-12-2024 04:12

  Static task: static1
  Behavioral task: behavioral1
    Sample: 6460a933a130436cafc6ddd84e45bb7adf74a6bbe71badc08375549c9e01b9ecN.dll
    Resource: win7-20240903-en
General
  Target: 6460a933a130436cafc6ddd84e45bb7adf74a6bbe71badc08375549c9e01b9ecN.dll
  Size: 120KB
  MD5: dd3fd8786ef2467698507ac6c14311b0
  SHA1: 33180e9e372d8bbdbb6f82bbcf9a6358a1361496
  SHA256: 6460a933a130436cafc6ddd84e45bb7adf74a6bbe71badc08375549c9e01b9ec
  SHA512: dd5dbfe35743d85f955619b4c631fd9fe941b8b703b4083d04f6c549d0017676771e4a723dd4d8494a8b08562d0b3a8c4aa02d5fa21ea376a262b2e8e0650ddd
  SSDEEP: 3072:DurJV73HZfBR7qQEgUCiJTmv7jUcVzh7:UL5f7jETCiYnj3
Malware Config
  Extracted
    Family: sality
    URLs:
      http://89.119.67.154/testo5/
      http://kukutrustnet777.info/home.gif
      http://kukutrustnet888.info/home.gif
      http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e58020e.exe

Sality family

UAC bypass (3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58020e.exe

Windows security bypass (18 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d7a3.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  3604 | e57d63c.exe
  1164 | e57d7a3.exe
  2752 | e5801b1.exe
  3916 | e58020e.exe

Windows security modification (21 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e58020e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e58020e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e58020e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d7a3.exe

Checks whether UAC is enabled (3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58020e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d7a3.exe

Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\J: | e57d63c.exe
  File opened (read-only) | \??\N: | e57d63c.exe
  File opened (read-only) | \??\E: | e57d7a3.exe
  File opened (read-only) | \??\E: | e57d63c.exe
  File opened (read-only) | \??\H: | e57d63c.exe
  File opened (read-only) | \??\I: | e57d63c.exe
  File opened (read-only) | \??\K: | e57d63c.exe
  File opened (read-only) | \??\L: | e57d63c.exe
  File opened (read-only) | \??\M: | e57d63c.exe
  File opened (read-only) | \??\G: | e57d63c.exe

Memory dumps matching yara rule upx (30 IoCs)
  resource | yara_rule
  behavioral2/memory/3604-6-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-8-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-11-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-17-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-30-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-21-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-12-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-10-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-9-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-31-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-32-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-37-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-36-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-38-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-39-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-40-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-46-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-61-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-62-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-64-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-65-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-67-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-68-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-71-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-73-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3604-77-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/1164-103-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
  behavioral2/memory/1164-101-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
  behavioral2/memory/1164-106-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx
  behavioral2/memory/1164-141-0x0000000000B60000-0x0000000001C1A000-memory.dmp | upx

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | e57d63c.exe
  File created | C:\Windows\e58265f | e57d7a3.exe
  File created | C:\Windows\e584f15 | e58020e.exe
  File created | C:\Windows\e57d68a | e57d63c.exe

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d63c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d7a3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5801b1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e58020e.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  3604 | e57d63c.exe
  3604 | e57d63c.exe
  3604 | e57d63c.exe
  3604 | e57d63c.exe
  1164 | e57d7a3.exe
  1164 | e57d7a3.exe
  3916 | e58020e.exe
  3916 | e58020e.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3604 | e57d63c.exe   (this identical row is reported 64 times)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3172 wrote to memory of 3820 | 3172 | rundll32.exe | 85   (x3)
  PID 3820 wrote to memory of 3604 | 3820 | rundll32.exe | 86   (x3)
  PID 3604 wrote to memory of 772 | 3604 | e57d63c.exe | 8
  PID 3604 wrote to memory of 780 | 3604 | e57d63c.exe | 9
  PID 3604 wrote to memory of 316 | 3604 | e57d63c.exe | 13
  PID 3604 wrote to memory of 2516 | 3604 | e57d63c.exe | 44
  PID 3604 wrote to memory of 2632 | 3604 | e57d63c.exe | 45
  PID 3604 wrote to memory of 2768 | 3604 | e57d63c.exe | 47
  PID 3604 wrote to memory of 3452 | 3604 | e57d63c.exe | 56
  PID 3604 wrote to memory of 3656 | 3604 | e57d63c.exe | 57
  PID 3604 wrote to memory of 3860 | 3604 | e57d63c.exe | 58
  PID 3604 wrote to memory of 3956 | 3604 | e57d63c.exe | 59
  PID 3604 wrote to memory of 4020 | 3604 | e57d63c.exe | 60
  PID 3604 wrote to memory of 1000 | 3604 | e57d63c.exe | 61
  PID 3604 wrote to memory of 4116 | 3604 | e57d63c.exe | 62
  PID 3604 wrote to memory of 1208 | 3604 | e57d63c.exe | 74
  PID 3604 wrote to memory of 3696 | 3604 | e57d63c.exe | 76
  PID 3604 wrote to memory of 3388 | 3604 | e57d63c.exe | 83
  PID 3604 wrote to memory of 3172 | 3604 | e57d63c.exe | 84
  PID 3604 wrote to memory of 3820 | 3604 | e57d63c.exe | 85   (x2)
  PID 3820 wrote to memory of 1164 | 3820 | rundll32.exe | 87   (x3)
  PID 3604 wrote to memory of 772 | 3604 | e57d63c.exe | 8
  PID 3604 wrote to memory of 780 | 3604 | e57d63c.exe | 9
  PID 3604 wrote to memory of 316 | 3604 | e57d63c.exe | 13
  PID 3604 wrote to memory of 2516 | 3604 | e57d63c.exe | 44
  PID 3604 wrote to memory of 2632 | 3604 | e57d63c.exe | 45
  PID 3604 wrote to memory of 2768 | 3604 | e57d63c.exe | 47
  PID 3604 wrote to memory of 3452 | 3604 | e57d63c.exe | 56
  PID 3604 wrote to memory of 3656 | 3604 | e57d63c.exe | 57
  PID 3604 wrote to memory of 3860 | 3604 | e57d63c.exe | 58
  PID 3604 wrote to memory of 3956 | 3604 | e57d63c.exe | 59
  PID 3604 wrote to memory of 4020 | 3604 | e57d63c.exe | 60
  PID 3604 wrote to memory of 1000 | 3604 | e57d63c.exe | 61
  PID 3604 wrote to memory of 4116 | 3604 | e57d63c.exe | 62
  PID 3604 wrote to memory of 1208 | 3604 | e57d63c.exe | 74
  PID 3604 wrote to memory of 3696 | 3604 | e57d63c.exe | 76
  PID 3604 wrote to memory of 3388 | 3604 | e57d63c.exe | 83
  PID 3604 wrote to memory of 3172 | 3604 | e57d63c.exe | 84
  PID 3604 wrote to memory of 1164 | 3604 | e57d63c.exe | 87   (x2)
  PID 3820 wrote to memory of 2752 | 3820 | rundll32.exe | 89   (x3)
  PID 3820 wrote to memory of 3916 | 3820 | rundll32.exe | 90   (x3)
  PID 1164 wrote to memory of 772 | 1164 | e57d7a3.exe | 8
  PID 1164 wrote to memory of 780 | 1164 | e57d7a3.exe | 9
  PID 1164 wrote to memory of 316 | 1164 | e57d7a3.exe | 13
  PID 1164 wrote to memory of 2516 | 1164 | e57d7a3.exe | 44
  PID 1164 wrote to memory of 2632 | 1164 | e57d7a3.exe | 45
  PID 1164 wrote to memory of 2768 | 1164 | e57d7a3.exe | 47
  PID 1164 wrote to memory of 3452 | 1164 | e57d7a3.exe | 56
  PID 1164 wrote to memory of 3656 | 1164 | e57d7a3.exe | 57
  PID 1164 wrote to memory of 3860 | 1164 | e57d7a3.exe | 58
  PID 1164 wrote to memory of 3956 | 1164 | e57d7a3.exe | 59
  PID 1164 wrote to memory of 4020 | 1164 | e57d7a3.exe | 60

System policy modification (1 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d63c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d7a3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58020e.exe
Processes
(tree depth is given as "level N"; children are indented under their parent)

- PID 772 (level 1)
  image: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"

- PID 780 (level 1)
  image: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"

- PID 316 (level 1)
  image: C:\Windows\system32\dwm.exe
  command line: "dwm.exe"

- PID 2516 (level 1)
  image: C:\Windows\system32\sihost.exe
  command line: sihost.exe

- PID 2632 (level 1)
  image: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

- PID 2768 (level 1)
  image: C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

- PID 3452 (level 1)
  image: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

- PID 3172 (level 2)
  image: C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6460a933a130436cafc6ddd84e45bb7adf74a6bbe71badc08375549c9e01b9ecN.dll,#1
  signatures:
  - Suspicious use of WriteProcessMemory

  - PID 3820 (level 3)
    image: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6460a933a130436cafc6ddd84e45bb7adf74a6bbe71badc08375549c9e01b9ecN.dll,#1
    signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - PID 3604 (level 4)
      image: C:\Users\Admin\AppData\Local\Temp\e57d63c.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e57d63c.exe
      signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    - PID 1164 (level 4)
      image: C:\Users\Admin\AppData\Local\Temp\e57d7a3.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e57d7a3.exe
      signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

    - PID 2752 (level 4)
      image: C:\Users\Admin\AppData\Local\Temp\e5801b1.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e5801b1.exe
      signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    - PID 3916 (level 4)
      image: C:\Users\Admin\AppData\Local\Temp\e58020e.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e58020e.exe
      signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification

- PID 3656 (level 1)
  image: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

- PID 3860 (level 1)
  image: C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

- PID 3956 (level 1)
  image: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

- PID 4020 (level 1)
  image: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

- PID 1000 (level 1)
  image: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

- PID 4116 (level 1)
  image: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

- PID 1208 (level 1)
  image: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

- PID 3696 (level 1)
  image: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

- PID 3388 (level 1)
  image: C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (4)
      Disable or Modify System Firewall (1)
      Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 3e855b9f3d04aea3734834662a3f978d
  SHA1: ed0e9cc66ac0bf1837277fa1d9fbf1705534639e
  SHA256: 5b22abf153c0189b046a41ac73e0181fa32558c12da0b61fcad6c623165ea500
  SHA512: 4ee4a17f50e929d1c73c9133cce1a081ab750837cad3035b2815b49f086812de5eb69a633c3770e153e3873df016f28cc5a83f60a1c07c7f866f487d847613a1
- Filesize: 257B
  MD5: e2ff0329522a6e73f9f25211ee99ed55
  SHA1: cc312deb9a51ee9d3c4ae0f8d55d1fd662b816a7
  SHA256: 280367a09549208c33884d463475fa3c657650700aa3be5a035a9a93a70b5425
  SHA512: d137d7b432d0625d001fd2497aeb36df7cd545f56f6a5577636c80d8a0bfffd1bd2c0bc7a9de9af24a97bbba4afba3aaa9f263714a87e2231011f9605b823f0b