Analysis
max time kernel: 96s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2024 01:33
Static task: static1
Behavioral task: behavioral1
Sample: ab52f4804fefb4da6358e702db19d96b1cff9aa7a3a0420ddb670b403125bd0a.dll
Resource: win7-20240903-en
General
Target: ab52f4804fefb4da6358e702db19d96b1cff9aa7a3a0420ddb670b403125bd0a.dll
Size: 120KB
MD5: 9d46ce1a9b473724c45c5ad4dba426aa
SHA1: b98e24f522fb0353846dbe7363213bc78f73a4ed
SHA256: ab52f4804fefb4da6358e702db19d96b1cff9aa7a3a0420ddb670b403125bd0a
SHA512: afd3618b7266289e4f363907ef624f4a97c82206b2b5b4dbc1d381da00eea55fc805228a9b5b5262bf62f36fb843d4836c34ca48d35649b90f1f583633019731
SSDEEP: 3072:5g5aDTt75iAkJSFzVUH/XuXx5u8JYE19P:5g58TZ51F2fsx5bF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d8fb.exe
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8fb.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b258.exe
Executes dropped EXE 3 IoCs
pid | Process
3240 | e57b258.exe
2616 | e57b3cf.exe
388 | e57d8fb.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d8fb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d8fb.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b258.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8fb.exe
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57b258.exe
File opened (read-only) | \??\N: | e57b258.exe
File opened (read-only) | \??\P: | e57b258.exe
File opened (read-only) | \??\Q: | e57b258.exe
File opened (read-only) | \??\E: | e57b258.exe
File opened (read-only) | \??\I: | e57b258.exe
File opened (read-only) | \??\J: | e57b258.exe
File opened (read-only) | \??\K: | e57b258.exe
File opened (read-only) | \??\L: | e57b258.exe
File opened (read-only) | \??\M: | e57b258.exe
File opened (read-only) | \??\O: | e57b258.exe
File opened (read-only) | \??\G: | e57b258.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57b258.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57b258.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57b258.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57b2c5 | e57b258.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b258.exe
File created | C:\Windows\e582759 | e57d8fb.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b258.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b3cf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d8fb.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3240 | e57b258.exe
3240 | e57b258.exe
3240 | e57b258.exe
3240 | e57b258.exe
388 | e57d8fb.exe
388 | e57d8fb.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3372 wrote to memory of 4024 | 3372 | rundll32.exe | 83
PID 3372 wrote to memory of 4024 | 3372 | rundll32.exe | 83
PID 3372 wrote to memory of 4024 | 3372 | rundll32.exe | 83
PID 4024 wrote to memory of 3240 | 4024 | rundll32.exe | 84
PID 4024 wrote to memory of 3240 | 4024 | rundll32.exe | 84
PID 4024 wrote to memory of 3240 | 4024 | rundll32.exe | 84
PID 3240 wrote to memory of 788 | 3240 | e57b258.exe | 8
PID 3240 wrote to memory of 796 | 3240 | e57b258.exe | 9
PID 3240 wrote to memory of 380 | 3240 | e57b258.exe | 13
PID 3240 wrote to memory of 2468 | 3240 | e57b258.exe | 42
PID 3240 wrote to memory of 2480 | 3240 | e57b258.exe | 43
PID 3240 wrote to memory of 2656 | 3240 | e57b258.exe | 46
PID 3240 wrote to memory of 3568 | 3240 | e57b258.exe | 56
PID 3240 wrote to memory of 3696 | 3240 | e57b258.exe | 57
PID 3240 wrote to memory of 3868 | 3240 | e57b258.exe | 58
PID 3240 wrote to memory of 3980 | 3240 | e57b258.exe | 59
PID 3240 wrote to memory of 384 | 3240 | e57b258.exe | 60
PID 3240 wrote to memory of 2848 | 3240 | e57b258.exe | 61
PID 3240 wrote to memory of 4004 | 3240 | e57b258.exe | 62
PID 3240 wrote to memory of 2176 | 3240 | e57b258.exe | 64
PID 3240 wrote to memory of 2664 | 3240 | e57b258.exe | 75
PID 3240 wrote to memory of 1584 | 3240 | e57b258.exe | 81
PID 3240 wrote to memory of 3372 | 3240 | e57b258.exe | 82
PID 3240 wrote to memory of 4024 | 3240 | e57b258.exe | 83
PID 3240 wrote to memory of 4024 | 3240 | e57b258.exe | 83
PID 4024 wrote to memory of 2616 | 4024 | rundll32.exe | 85
PID 4024 wrote to memory of 2616 | 4024 | rundll32.exe | 85
PID 4024 wrote to memory of 2616 | 4024 | rundll32.exe | 85
PID 4024 wrote to memory of 388 | 4024 | rundll32.exe | 86
PID 4024 wrote to memory of 388 | 4024 | rundll32.exe | 86
PID 4024 wrote to memory of 388 | 4024 | rundll32.exe | 86
PID 3240 wrote to memory of 788 | 3240 | e57b258.exe | 8
PID 3240 wrote to memory of 796 | 3240 | e57b258.exe | 9
PID 3240 wrote to memory of 380 | 3240 | e57b258.exe | 13
PID 3240 wrote to memory of 2468 | 3240 | e57b258.exe | 42
PID 3240 wrote to memory of 2480 | 3240 | e57b258.exe | 43
PID 3240 wrote to memory of 2656 | 3240 | e57b258.exe | 46
PID 3240 wrote to memory of 3568 | 3240 | e57b258.exe | 56
PID 3240 wrote to memory of 3696 | 3240 | e57b258.exe | 57
PID 3240 wrote to memory of 3868 | 3240 | e57b258.exe | 58
PID 3240 wrote to memory of 3980 | 3240 | e57b258.exe | 59
PID 3240 wrote to memory of 384 | 3240 | e57b258.exe | 60
PID 3240 wrote to memory of 2848 | 3240 | e57b258.exe | 61
PID 3240 wrote to memory of 4004 | 3240 | e57b258.exe | 62
PID 3240 wrote to memory of 2176 | 3240 | e57b258.exe | 64
PID 3240 wrote to memory of 2664 | 3240 | e57b258.exe | 75
PID 3240 wrote to memory of 2616 | 3240 | e57b258.exe | 85
PID 3240 wrote to memory of 2616 | 3240 | e57b258.exe | 85
PID 3240 wrote to memory of 388 | 3240 | e57b258.exe | 86
PID 3240 wrote to memory of 388 | 3240 | e57b258.exe | 86
PID 388 wrote to memory of 788 | 388 | e57d8fb.exe | 8
PID 388 wrote to memory of 796 | 388 | e57d8fb.exe | 9
PID 388 wrote to memory of 380 | 388 | e57d8fb.exe | 13
PID 388 wrote to memory of 2468 | 388 | e57d8fb.exe | 42
PID 388 wrote to memory of 2480 | 388 | e57d8fb.exe | 43
PID 388 wrote to memory of 2656 | 388 | e57d8fb.exe | 46
PID 388 wrote to memory of 3568 | 388 | e57d8fb.exe | 56
PID 388 wrote to memory of 3696 | 388 | e57d8fb.exe | 57
PID 388 wrote to memory of 3868 | 388 | e57d8fb.exe | 58
PID 388 wrote to memory of 3980 | 388 | e57d8fb.exe | 59
PID 388 wrote to memory of 384 | 388 | e57d8fb.exe | 60
PID 388 wrote to memory of 2848 | 388 | e57d8fb.exe | 61
PID 388 wrote to memory of 4004 | 388 | e57d8fb.exe | 62
PID 388 wrote to memory of 2176 | 388 | e57d8fb.exe | 64
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d8fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b258.exe
Processes
Image path | Command line | PID (child processes are indented under their parent; signatures triggered by a process are listed beneath it)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:380
C:\Windows\system32\sihost.exe | sihost.exe | PID:2468
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2480
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2656
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3568
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab52f4804fefb4da6358e702db19d96b1cff9aa7a3a0420ddb670b403125bd0a.dll,#1 | PID:3372
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab52f4804fefb4da6358e702db19d96b1cff9aa7a3a0420ddb670b403125bd0a.dll,#1 | PID:4024
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57b258.exe | C:\Users\Admin\AppData\Local\Temp\e57b258.exe | PID:3240
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57b3cf.exe | C:\Users\Admin\AppData\Local\Temp\e57b3cf.exe | PID:2616
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57d8fb.exe | C:\Users\Admin\AppData\Local\Temp\e57d8fb.exe | PID:388
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3696
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3868
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3980
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:384
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:2848
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4004
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2176
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2664
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1584
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 1469b1dc1b521f71c86643fe247918c9
SHA1: 792ce5e47a327d32e90da3582ec9c08923c8eaef
SHA256: f2b4692914b0f3d7c852d67828c730267965dc5ce30968307c6edf9a355ae02d
SHA512: 0f629f0a8eb67f60519cd147e6e67aae108e0263b6b4d7cd6444613d57c103399fd13f03476822c5c268396f465a411465b1b195c843fff10ddabc03185d883a
-
Filesize: 256B
MD5: 70d273ee7754de8d8a468191cbcf400f
SHA1: 99b212275d3b0d92d4a2425eefcfeaecdde545fd
SHA256: 26aecb245e9cdd888fae0fdaddd8045d09d8c907c01714062ed355c862cd4fad
SHA512: f84e41619247e938a9250b1ed2c48ffc5815d3aa99f1676e979e5f51a81af06f085a6d2855fb64fcc04c0cb083a6b9bb55824d97bab8ca3315ac664ca68a504f