Analysis

max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2024 13:19

Static task: static1
Behavioral task: behavioral1
Sample: a663268f3921c50f9219543ef361ca0845f36397f12bf0b5e6b5e65ecd8977b4.dll
Resource: win7-20241010-en
General

Target: a663268f3921c50f9219543ef361ca0845f36397f12bf0b5e6b5e65ecd8977b4.dll
Size: 120KB
MD5: e2ae7a3c25c63697183a2333f96ad23c
SHA1: befdaae7e28ca63a907fdc7eb1cf0abaf52cd1cb
SHA256: a663268f3921c50f9219543ef361ca0845f36397f12bf0b5e6b5e65ecd8977b4
SHA512: fab25328a7ed18bf39422c004ae4714f1f5d127b74a71f22bccdc20f82ee29cddac767542f356a9a05f322997710312dbaa83ca329acf9b304e7c762fbdc6964
SSDEEP: 3072:spQG4mKVGceRPNoc3Omks+1c0yM6KKsC4aMayz+LRpG:eV4zBe8c3ysOyM6sC4aMayaLjG
Malware Config

Extracted
Family: sality
C2 URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5f9e9a.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f9e9a.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f76fe.exe
Executes dropped EXE (4 IoCs)
pid | Process
3272 | e5f76fe.exe
3628 | e5f7856.exe
732 | e5f9e9a.exe
3756 | e5f9ed9.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5f9e9a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5f9e9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5f76fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5f76fe.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f9e9a.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e5f9e9a.exe
File opened (read-only) | \??\I: | e5f9e9a.exe
File opened (read-only) | \??\G: | e5f76fe.exe
File opened (read-only) | \??\J: | e5f76fe.exe
File opened (read-only) | \??\L: | e5f76fe.exe
File opened (read-only) | \??\N: | e5f76fe.exe
File opened (read-only) | \??\I: | e5f76fe.exe
File opened (read-only) | \??\O: | e5f76fe.exe
File opened (read-only) | \??\P: | e5f76fe.exe
File opened (read-only) | \??\E: | e5f9e9a.exe
File opened (read-only) | \??\G: | e5f9e9a.exe
File opened (read-only) | \??\E: | e5f76fe.exe
File opened (read-only) | \??\K: | e5f76fe.exe
File opened (read-only) | \??\M: | e5f76fe.exe
File opened (read-only) | \??\H: | e5f76fe.exe
resource | yara_rule
behavioral2/memory/3272-6-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-10-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-9-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-26-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-27-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-17-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-35-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-33-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-11-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-18-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-8-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-37-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-36-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-38-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-39-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-40-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-42-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-55-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-72-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-73-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-74-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-77-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-78-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-80-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-82-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-86-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-87-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-88-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/3272-93-0x0000000000790000-0x000000000184A000-memory.dmp | upx
behavioral2/memory/732-125-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/732-166-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5f76fe.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5f76fe.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5f76fe.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5fc7dd | e5f9e9a.exe
File created | C:\Windows\e5f776b | e5f76fe.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5f76fe.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f76fe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f7856.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f9e9a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5f9ed9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3272 | e5f76fe.exe
732 | e5f9e9a.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3272 | e5f76fe.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 64 wrote to memory of 4940 | 64 | rundll32.exe | 83
PID 4940 wrote to memory of 3272 | 4940 | rundll32.exe | 84
PID 3272 wrote to memory of 784 | 3272 | e5f76fe.exe | 8
PID 3272 wrote to memory of 788 | 3272 | e5f76fe.exe | 9
PID 3272 wrote to memory of 388 | 3272 | e5f76fe.exe | 13
PID 3272 wrote to memory of 2128 | 3272 | e5f76fe.exe | 49
PID 3272 wrote to memory of 692 | 3272 | e5f76fe.exe | 50
PID 3272 wrote to memory of 3148 | 3272 | e5f76fe.exe | 51
PID 3272 wrote to memory of 3480 | 3272 | e5f76fe.exe | 54
PID 3272 wrote to memory of 3640 | 3272 | e5f76fe.exe | 55
PID 3272 wrote to memory of 3844 | 3272 | e5f76fe.exe | 56
PID 3272 wrote to memory of 3936 | 3272 | e5f76fe.exe | 57
PID 3272 wrote to memory of 4008 | 3272 | e5f76fe.exe | 58
PID 3272 wrote to memory of 4084 | 3272 | e5f76fe.exe | 59
PID 3272 wrote to memory of 4204 | 3272 | e5f76fe.exe | 60
PID 3272 wrote to memory of 4116 | 3272 | e5f76fe.exe | 75
PID 3272 wrote to memory of 1728 | 3272 | e5f76fe.exe | 76
PID 3272 wrote to memory of 2832 | 3272 | e5f76fe.exe | 81
PID 3272 wrote to memory of 64 | 3272 | e5f76fe.exe | 82
PID 3272 wrote to memory of 4940 | 3272 | e5f76fe.exe | 83
PID 4940 wrote to memory of 3628 | 4940 | rundll32.exe | 85
PID 4940 wrote to memory of 732 | 4940 | rundll32.exe | 86
PID 4940 wrote to memory of 3756 | 4940 | rundll32.exe | 87
PID 3272 wrote to memory of 3628 | 3272 | e5f76fe.exe | 85
PID 3272 wrote to memory of 732 | 3272 | e5f76fe.exe | 86
PID 3272 wrote to memory of 3756 | 3272 | e5f76fe.exe | 87
PID 3272 wrote to memory of 4320 | 3272 | e5f76fe.exe | 88
PID 732 wrote to memory of 784 | 732 | e5f9e9a.exe | 8
PID 732 wrote to memory of 788 | 732 | e5f9e9a.exe | 9
PID 732 wrote to memory of 388 | 732 | e5f9e9a.exe | 13
PID 732 wrote to memory of 2128 | 732 | e5f9e9a.exe | 49
PID 732 wrote to memory of 692 | 732 | e5f9e9a.exe | 50
PID 732 wrote to memory of 3148 | 732 | e5f9e9a.exe | 51
PID 732 wrote to memory of 3480 | 732 | e5f9e9a.exe | 54
PID 732 wrote to memory of 3640 | 732 | e5f9e9a.exe | 55
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f76fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5f9e9a.exe
Processes (image path | command line | PID; indentation shows parent/child depth, signatures listed beneath each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 388
C:\Windows\system32\sihost.exe | sihost.exe | PID 2128
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 692
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3148
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3480
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a663268f3921c50f9219543ef361ca0845f36397f12bf0b5e6b5e65ecd8977b4.dll,#1 | PID 64
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a663268f3921c50f9219543ef361ca0845f36397f12bf0b5e6b5e65ecd8977b4.dll,#1 | PID 4940
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e5f76fe.exe | C:\Users\Admin\AppData\Local\Temp\e5f76fe.exe | PID 3272
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5f7856.exe | C:\Users\Admin\AppData\Local\Temp\e5f7856.exe | PID 3628
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e5f9e9a.exe | C:\Users\Admin\AppData\Local\Temp\e5f9e9a.exe | PID 732
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5f9ed9.exe | C:\Users\Admin\AppData\Local\Temp\e5f9ed9.exe | PID 3756
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3640
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3844
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3936
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4008
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4084
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4204
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4116
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1728
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2832
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 4320
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: a7a26bad5c2e0c83a6d37c322b126fab
SHA1: 293c826c00bdb7b6c97591eeeda91a51f1b5476a
SHA256: 6f4c7c57d57054abd053f6d51fa5301241b5ffa3ec2095722af160713618bdd4
SHA512: ed276ee549a6683f92b64c2dc235079fdb293f4f21ed64dd9a11afb5377f7995a5505fdbc979871ddacd2fe7c485ca57f3251574f9af41c6077a59f3928bb1b1

Filesize: 257B
MD5: ea12ee45f11dffc485733cc785adef25
SHA1: 421d903ebc3b16159a7967cbba7d6dc94a93d77f
SHA256: dde331c2a4a82f5cb58902e138c3dbbd04a50a398d96149b6bed7fb9a822075d
SHA512: e2092a335826900097a4abdd5d76bd93fd6d2b3446b67a71877fa3fcb3f2e49c579b43255fe80fa0372215efbaf0fc12c041240a192fb19d379d8f5aa0e0410d