Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2024 03:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: e10eb5e3b9b57dbfe2de08417797f5244015476fe6051bd1a337972f1fb1279a.dll
- Resource: win7-20240903-en
General
- Target: e10eb5e3b9b57dbfe2de08417797f5244015476fe6051bd1a337972f1fb1279a.dll
- Size: 120KB
- MD5: 59de271ac98c02584c098508a72581ff
- SHA1: 34082a61f82daf66f6404f9ec58871730c001dca
- SHA256: e10eb5e3b9b57dbfe2de08417797f5244015476fe6051bd1a337972f1fb1279a
- SHA512: 78697ebe879a29f2ac922bd1f9a9bfccf343937e4ea61dcc4bda8630d883e2e8dfce5e4a2bd5a03ddbaa1f5f2da59f62460e4ac1a5b7ac26c5ada72ab8b41de0
- SSDEEP: 1536:FDJLeDCOMhWY7essl3CNi+pwGk8FAS0pGzQoTXACzp6WTQhAGA9z6xFt5lvC:N1UYdisslyc+pG8FSX8SW8U9z6Dvl
Malware Config
- Extracted family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a75c.exe

Sality family

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a75c.exe

Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a75c.exe

Executes dropped EXE (3 IoCs)
- PID 1724 | e57a568.exe
- PID 1088 | e57a75c.exe
- PID 2568 | e57c0df.exe

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a75c.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a75c.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a75c.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a568.exe

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a75c.exe

Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by e57a568.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:

yara_rule upx matched in memory dumps
- behavioral2/memory/1724-{8,9,10,11,12,18,19,20,21,22,36,37,38,39,40,42,43,51,56,57,59,69,72,73,76,77,80,81,83,85,88,90}-0x00000000007D0000-0x000000000188A000-memory.dmp
- behavioral2/memory/1088-{120,133}-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Drops file in Program Files directory (4 IoCs)
- File opened for modification C:\Program Files\7-Zip\7zG.exe | e57a568.exe
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe | e57a568.exe
- File opened for modification C:\Program Files\7-Zip\7z.exe | e57a568.exe
- File opened for modification C:\Program Files\7-Zip\7zFM.exe | e57a568.exe

Drops file in Windows directory (3 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI | e57a568.exe
- File created C:\Windows\e57f5e9 | e57a75c.exe
- File created C:\Windows\e57a5b6 | e57a568.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a568.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a75c.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c0df.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 1724 | e57a568.exe (4 entries)
- PID 1088 | e57a75c.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege | PID 1724 | e57a568.exe (the same entry is recorded 64 times)

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 5108 wrote to memory of 2096 | rundll32.exe | procid_target 84 (3 entries)
- PID 2096 wrote to memory of 1724 | rundll32.exe | procid_target 85 (3 entries)
- PID 1724 wrote to memory of 788 | e57a568.exe | procid_target 8
- PID 1724 wrote to memory of 796 | e57a568.exe | procid_target 9
- PID 1724 wrote to memory of 380 | e57a568.exe | procid_target 13
- PID 1724 wrote to memory of 3016 | e57a568.exe | procid_target 50
- PID 1724 wrote to memory of 3064 | e57a568.exe | procid_target 51
- PID 1724 wrote to memory of 1408 | e57a568.exe | procid_target 52
- PID 1724 wrote to memory of 3448 | e57a568.exe | procid_target 56
- PID 1724 wrote to memory of 3572 | e57a568.exe | procid_target 57
- PID 1724 wrote to memory of 3764 | e57a568.exe | procid_target 58
- PID 1724 wrote to memory of 3852 | e57a568.exe | procid_target 59
- PID 1724 wrote to memory of 3916 | e57a568.exe | procid_target 60
- PID 1724 wrote to memory of 4000 | e57a568.exe | procid_target 61
- PID 1724 wrote to memory of 4148 | e57a568.exe | procid_target 62
- PID 1724 wrote to memory of 1828 | e57a568.exe | procid_target 74
- PID 1724 wrote to memory of 2032 | e57a568.exe | procid_target 76
- PID 1724 wrote to memory of 2896 | e57a568.exe | procid_target 77
- PID 1724 wrote to memory of 4100 | e57a568.exe | procid_target 82
- PID 1724 wrote to memory of 5108 | e57a568.exe | procid_target 83
- PID 1724 wrote to memory of 2096 | e57a568.exe | procid_target 84 (2 entries)
- PID 2096 wrote to memory of 1088 | rundll32.exe | procid_target 86 (3 entries)
- PID 2096 wrote to memory of 2568 | rundll32.exe | procid_target 90 (3 entries)
- PID 1724 wrote to memory of 788 | e57a568.exe | procid_target 8
- PID 1724 wrote to memory of 796 | e57a568.exe | procid_target 9
- PID 1724 wrote to memory of 380 | e57a568.exe | procid_target 13
- PID 1724 wrote to memory of 3016 | e57a568.exe | procid_target 50
- PID 1724 wrote to memory of 3064 | e57a568.exe | procid_target 51
- PID 1724 wrote to memory of 1408 | e57a568.exe | procid_target 52
- PID 1724 wrote to memory of 3448 | e57a568.exe | procid_target 56
- PID 1724 wrote to memory of 3572 | e57a568.exe | procid_target 57
- PID 1724 wrote to memory of 3764 | e57a568.exe | procid_target 58
- PID 1724 wrote to memory of 3852 | e57a568.exe | procid_target 59
- PID 1724 wrote to memory of 3916 | e57a568.exe | procid_target 60
- PID 1724 wrote to memory of 4000 | e57a568.exe | procid_target 61
- PID 1724 wrote to memory of 4148 | e57a568.exe | procid_target 62
- PID 1724 wrote to memory of 1828 | e57a568.exe | procid_target 74
- PID 1724 wrote to memory of 2032 | e57a568.exe | procid_target 76
- PID 1724 wrote to memory of 2896 | e57a568.exe | procid_target 77
- PID 1724 wrote to memory of 1088 | e57a568.exe | procid_target 86 (2 entries)
- PID 1724 wrote to memory of 2568 | e57a568.exe | procid_target 90 (2 entries)
- PID 1088 wrote to memory of 788 | e57a75c.exe | procid_target 8
- PID 1088 wrote to memory of 796 | e57a75c.exe | procid_target 9
- PID 1088 wrote to memory of 380 | e57a75c.exe | procid_target 13
- PID 1088 wrote to memory of 3016 | e57a75c.exe | procid_target 50
- PID 1088 wrote to memory of 3064 | e57a75c.exe | procid_target 51
- PID 1088 wrote to memory of 1408 | e57a75c.exe | procid_target 52
- PID 1088 wrote to memory of 3448 | e57a75c.exe | procid_target 56
- PID 1088 wrote to memory of 3572 | e57a75c.exe | procid_target 57
- PID 1088 wrote to memory of 3764 | e57a75c.exe | procid_target 58
- PID 1088 wrote to memory of 3852 | e57a75c.exe | procid_target 59
- PID 1088 wrote to memory of 3916 | e57a75c.exe | procid_target 60
- PID 1088 wrote to memory of 4000 | e57a75c.exe | procid_target 61

System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a568.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a75c.exe
Processes
- PID 788 | C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe"
- PID 796 | C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe"
- PID 380 | C:\Windows\system32\dwm.exe | cmdline: "dwm.exe"
- PID 3016 | C:\Windows\system32\sihost.exe | cmdline: sihost.exe
- PID 3064 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 1408 | C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3448 | C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE
  - PID 5108 | C:\Windows\system32\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e10eb5e3b9b57dbfe2de08417797f5244015476fe6051bd1a337972f1fb1279a.dll,#1
    - Suspicious use of WriteProcessMemory
    - PID 2096 | C:\Windows\SysWOW64\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e10eb5e3b9b57dbfe2de08417797f5244015476fe6051bd1a337972f1fb1279a.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - PID 1724 | C:\Users\Admin\AppData\Local\Temp\e57a568.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57a568.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - PID 1088 | C:\Users\Admin\AppData\Local\Temp\e57a75c.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57a75c.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - PID 2568 | C:\Users\Admin\AppData\Local\Temp\e57c0df.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57c0df.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- PID 3572 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3764 | C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3852 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3916 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4000 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 4148 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1828 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 2032 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 2896 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4100 | C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Create or Modify System Process (1): Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 97KB
  - MD5: 55951778b9f3b375cb35c914095ddb6b
  - SHA1: 4bf6939e3ed0ab4c551f38e40cc931990238b130
  - SHA256: f0583c01ebb95f4377276b4cfa54c25ec4993dac20ef5dfb1c95fbe6d524f425
  - SHA512: af223711ba74034f2048ae4e96c85a4a9f997768444f8642f448bbe05ef731f1c1c87c8a68df587a3e1393ed52ac5af7c1b6f30ca0a7d071d44ac4d6cb06b159
- Filesize: 257B
  - MD5: 8e8868ded29fb0a2b33631e3689ec64c
  - SHA1: b5f0c24063c6334c44acb23e03c47fe292d68997
  - SHA256: e570e27f43c9542cc09aa1318224f2bcfd3fb9d586b2f34d9b4a9d57d9798cf5
  - SHA512: 25e22926af555c790a513d3d9433ed7533abc599a29173f042f337d6e953e0dbbdc723526c8bf36d84aa17f76d543c35e4ce2f43b65aeafba782bf37dba61ae1