Analysis
max time kernel: 95s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-12-2024 04:35
Static task: static1
Behavioral task: behavioral1
Sample: fb6e0d5db2624fa6b29ac2dfe00bb3b2f381c93bda734a7e38dda444ae2f3d30.dll
Resource: win7-20240903-en
General
Target: fb6e0d5db2624fa6b29ac2dfe00bb3b2f381c93bda734a7e38dda444ae2f3d30.dll
Size: 120KB
MD5: a8577dc41daa73c88527ebb1a096542b
SHA1: bd6bf58afb2ce7ac8ede4d0ff7538df5c3fe2513
SHA256: fb6e0d5db2624fa6b29ac2dfe00bb3b2f381c93bda734a7e38dda444ae2f3d30
SHA512: 6562701682789a7310310acecf30f37a5b9061aad04d0adb2b8bd7ab394ecee53855509e8e0cd7778ba89bb871e5b3edca5bf7ec068d8e98d1ede6e467664a73
SSDEEP: 3072:lSB500WXOG2FGhasWjP0s53/y0J6qcCszey5WFma:c40WXKgasWjPR5y04qcC9ycv
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a028.exe
Sality family

UAC bypass (signature name not preserved in this table; recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cd52.exe
Windows security bypass (signature name not preserved in this table; recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cd52.exe
Executes dropped EXE (4 IoCs)
pid | Process
3824 | e579e92.exe
3600 | e57a028.exe
3132 | e57cd52.exe
4708 | e57cd72.exe
Windows security modification (signature name not preserved in this table; recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a028.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579e92.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a028.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57cd52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579e92.exe
Checks whether UAC is enabled (signature name not preserved in this table; recovered from the process tree below)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cd52.exe
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e579e92.exe
File opened (read-only) | \??\I: | e579e92.exe
File opened (read-only) | \??\K: | e579e92.exe
File opened (read-only) | \??\M: | e579e92.exe
File opened (read-only) | \??\N: | e579e92.exe
File opened (read-only) | \??\E: | e579e92.exe
File opened (read-only) | \??\H: | e579e92.exe
File opened (read-only) | \??\J: | e579e92.exe
File opened (read-only) | \??\L: | e579e92.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\e58178a | e57cd52.exe
File created | C:\Windows\e579ee0 | e579e92.exe
File opened for modification | C:\Windows\SYSTEM.INI | e579e92.exe
File created | C:\Windows\e57ef32 | e57a028.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cd72.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579e92.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a028.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cd52.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3824 | e579e92.exe
3824 | e579e92.exe
3824 | e579e92.exe
3824 | e579e92.exe
3600 | e57a028.exe
3600 | e57a028.exe
3132 | e57cd52.exe
3132 | e57cd52.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3824 | e579e92.exe (this same entry is repeated 64 times in the report)
Suspicious use of WriteProcessMemory (64 IoCs; repeated rows are collapsed with their count)
description | pid | Process | procid_target
PID 2180 wrote to memory of 1180 | 2180 | rundll32.exe | 82 (x3)
PID 1180 wrote to memory of 3824 | 1180 | rundll32.exe | 83 (x3)
PID 3824 wrote to memory of 772 | 3824 | e579e92.exe | 8 (x2)
PID 3824 wrote to memory of 776 | 3824 | e579e92.exe | 9 (x2)
PID 3824 wrote to memory of 316 | 3824 | e579e92.exe | 13 (x2)
PID 3824 wrote to memory of 2848 | 3824 | e579e92.exe | 49 (x2)
PID 3824 wrote to memory of 2892 | 3824 | e579e92.exe | 50 (x2)
PID 3824 wrote to memory of 3028 | 3824 | e579e92.exe | 52 (x2)
PID 3824 wrote to memory of 3420 | 3824 | e579e92.exe | 56 (x2)
PID 3824 wrote to memory of 3564 | 3824 | e579e92.exe | 57 (x2)
PID 3824 wrote to memory of 3744 | 3824 | e579e92.exe | 58 (x2)
PID 3824 wrote to memory of 3836 | 3824 | e579e92.exe | 59 (x2)
PID 3824 wrote to memory of 3900 | 3824 | e579e92.exe | 60 (x2)
PID 3824 wrote to memory of 3992 | 3824 | e579e92.exe | 61 (x2)
PID 3824 wrote to memory of 3868 | 3824 | e579e92.exe | 62 (x2)
PID 3824 wrote to memory of 4420 | 3824 | e579e92.exe | 64 (x2)
PID 3824 wrote to memory of 2692 | 3824 | e579e92.exe | 76 (x2)
PID 3824 wrote to memory of 2180 | 3824 | e579e92.exe | 81 (x2)
PID 3824 wrote to memory of 1180 | 3824 | e579e92.exe | 82 (x2)
PID 1180 wrote to memory of 3600 | 1180 | rundll32.exe | 84 (x3)
PID 3824 wrote to memory of 3600 | 3824 | e579e92.exe | 84 (x2)
PID 1180 wrote to memory of 3132 | 1180 | rundll32.exe | 85 (x3)
PID 1180 wrote to memory of 4708 | 1180 | rundll32.exe | 86 (x3)
PID 3600 wrote to memory of 772 | 3600 | e57a028.exe | 8
PID 3600 wrote to memory of 776 | 3600 | e57a028.exe | 9
PID 3600 wrote to memory of 316 | 3600 | e57a028.exe | 13
PID 3600 wrote to memory of 2848 | 3600 | e57a028.exe | 49
PID 3600 wrote to memory of 2892 | 3600 | e57a028.exe | 50
PID 3600 wrote to memory of 3028 | 3600 | e57a028.exe | 52
PID 3600 wrote to memory of 3420 | 3600 | e57a028.exe | 56
PID 3600 wrote to memory of 3564 | 3600 | e57a028.exe | 57
PID 3600 wrote to memory of 3744 | 3600 | e57a028.exe | 58
PID 3600 wrote to memory of 3836 | 3600 | e57a028.exe | 59
PID 3600 wrote to memory of 3900 | 3600 | e57a028.exe | 60
PID 3600 wrote to memory of 3992 | 3600 | e57a028.exe | 61
PID 3600 wrote to memory of 3868 | 3600 | e57a028.exe | 62
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cd52.exe
Processes (depth | image | command line | PID; signatures triggered by a process are listed beneath it)
1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
1 | C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
1 | C:\Windows\system32\sihost.exe | sihost.exe | PID:2848
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2892
1 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3028
1 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3420
  2 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb6e0d5db2624fa6b29ac2dfe00bb3b2f381c93bda734a7e38dda444ae2f3d30.dll,#1 | PID:2180
    - Suspicious use of WriteProcessMemory
    3 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb6e0d5db2624fa6b29ac2dfe00bb3b2f381c93bda734a7e38dda444ae2f3d30.dll,#1 | PID:1180
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      4 | C:\Users\Admin\AppData\Local\Temp\e579e92.exe | C:\Users\Admin\AppData\Local\Temp\e579e92.exe | PID:3824
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      4 | C:\Users\Admin\AppData\Local\Temp\e57a028.exe | C:\Users\Admin\AppData\Local\Temp\e57a028.exe | PID:3600
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      4 | C:\Users\Admin\AppData\Local\Temp\e57cd52.exe | C:\Users\Admin\AppData\Local\Temp\e57cd52.exe | PID:3132
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
      4 | C:\Users\Admin\AppData\Local\Temp\e57cd72.exe | C:\Users\Admin\AppData\Local\Temp\e57cd72.exe | PID:4708
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3564
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3744
1 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3836
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3900
1 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3992
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3868
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4420
1 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2692
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: b2da444a7e09539250f78ba3ec70ce98
SHA1: a4a6e1ee36a146f43f146498aea30e38243c0b34
SHA256: 7184e614aefd69846048f1c6ad1e0cde8035fc93d23453a8374b271d6b571362
SHA512: 8ddeaeb599721bc5a43714418b9d2fbf6842e814de1c6991f73cd6bf2b9d2efc4e7a7710223d312be15508f5bc1928598418e0dc7b8d29a4f42c3abe45ed6864

Filesize: 257B
MD5: 84e62f4f98e7789896fd2fb498673ee6
SHA1: 67e11dd9d4265128c1762a5775ecaf379eeedc10
SHA256: 9f9d16a22c10ae6fe0d449b34cb2550e0b1b4c883bfb11f097a2a5f255f1d9a1
SHA512: 04cd936c137eab1ad7bf9ef5ca7d657f38e6a074383056aaf58d2f21e0097ce202b332fc84a8a9e1bfa062019a171f1ded23e2c0e2c65f7be39bd3a025e5a673