Analysis
max time kernel: 32s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 15:07
Static task: static1
Behavioral task: behavioral1
Sample: 1701aceee01a907ba0d53490dc4ce503544f29055281b03df336ab55802d4d36.dll
Resource: win7-20241010-en
General
Target: 1701aceee01a907ba0d53490dc4ce503544f29055281b03df336ab55802d4d36.dll
Size: 120KB
MD5: 68423a63a66b84389eeff0fe0a13a6b3
SHA1: 831223b0d0547e6f184ba9234d5e6a9b8ceb6d9b
SHA256: 1701aceee01a907ba0d53490dc4ce503544f29055281b03df336ab55802d4d36
SHA512: d3a9bfb74f6e111b3ee9219d1784241bdafc217bbf873a0b7e3a8a4686df2108ffeb4378a00f6c4da2ded6afa5d7caa902dc4342ef7ed90ee38bdeebe774f879
SSDEEP: 1536:IEil8QW5MBa3RsXA2bcidvaS/bkRDbsg3/8OWK+2h/zzyvfaPGhukDhRMNKCRq:IEe8EB4wpdikkRDI+/uKh/BGMoMKCRq
Malware Config
Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ac4d.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dcd3.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dcd3.exe
Executes dropped EXE (4 IoCs)
pid | Process
4008 | e57ac4d.exe
208 | e57ae51.exe
3564 | e57dcd3.exe
1524 | e57dd12.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dcd3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dcd3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57dcd3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dcd3.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dcd3.exe
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e57ac4d.exe
File opened (read-only) | \??\E: | e57dcd3.exe
File opened (read-only) | \??\G: | e57dcd3.exe
File opened (read-only) | \??\E: | e57ac4d.exe
File opened (read-only) | \??\G: | e57ac4d.exe
File opened (read-only) | \??\H: | e57ac4d.exe
File opened (read-only) | \??\J: | e57ac4d.exe
File opened (read-only) | \??\K: | e57ac4d.exe
File opened (read-only) | \??\L: | e57ac4d.exe
File opened (read-only) | \??\M: | e57ac4d.exe
File opened (read-only) | \??\H: | e57dcd3.exe
File opened (read-only) | \??\I: | e57dcd3.exe
resource | yara_rule
behavioral2/memory/4008-6-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-9-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-8-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-11-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-17-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-28-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-20-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-19-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-18-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-10-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-35-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-37-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-36-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-38-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-39-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-40-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-46-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-61-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-63-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-64-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-66-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-68-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-69-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-71-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/4008-74-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/3564-102-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/3564-118-0x0000000000860000-0x000000000191A000-memory.dmp | upx
behavioral2/memory/3564-158-0x0000000000860000-0x000000000191A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57acab | e57ac4d.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ac4d.exe
File created | C:\Windows\e580450 | e57dcd3.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ae51.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dcd3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dd12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ac4d.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4008 | e57ac4d.exe
4008 | e57ac4d.exe
4008 | e57ac4d.exe
4008 | e57ac4d.exe
3564 | e57dcd3.exe
3564 | e57dcd3.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4008 | e57ac4d.exe (this identical entry is recorded 64 times in the original table)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1476 wrote to memory of 1940 | 1476 | rundll32.exe | 82
PID 1476 wrote to memory of 1940 | 1476 | rundll32.exe | 82
PID 1476 wrote to memory of 1940 | 1476 | rundll32.exe | 82
PID 1940 wrote to memory of 4008 | 1940 | rundll32.exe | 83
PID 1940 wrote to memory of 4008 | 1940 | rundll32.exe | 83
PID 1940 wrote to memory of 4008 | 1940 | rundll32.exe | 83
PID 4008 wrote to memory of 780 | 4008 | e57ac4d.exe | 8
PID 4008 wrote to memory of 788 | 4008 | e57ac4d.exe | 9
PID 4008 wrote to memory of 384 | 4008 | e57ac4d.exe | 13
PID 4008 wrote to memory of 2768 | 4008 | e57ac4d.exe | 49
PID 4008 wrote to memory of 2808 | 4008 | e57ac4d.exe | 50
PID 4008 wrote to memory of 3032 | 4008 | e57ac4d.exe | 52
PID 4008 wrote to memory of 3412 | 4008 | e57ac4d.exe | 56
PID 4008 wrote to memory of 3572 | 4008 | e57ac4d.exe | 57
PID 4008 wrote to memory of 3768 | 4008 | e57ac4d.exe | 58
PID 4008 wrote to memory of 3864 | 4008 | e57ac4d.exe | 59
PID 4008 wrote to memory of 3924 | 4008 | e57ac4d.exe | 60
PID 4008 wrote to memory of 4036 | 4008 | e57ac4d.exe | 61
PID 4008 wrote to memory of 4124 | 4008 | e57ac4d.exe | 62
PID 4008 wrote to memory of 3484 | 4008 | e57ac4d.exe | 74
PID 4008 wrote to memory of 3188 | 4008 | e57ac4d.exe | 75
PID 4008 wrote to memory of 4924 | 4008 | e57ac4d.exe | 80
PID 4008 wrote to memory of 1476 | 4008 | e57ac4d.exe | 81
PID 4008 wrote to memory of 1940 | 4008 | e57ac4d.exe | 82
PID 4008 wrote to memory of 1940 | 4008 | e57ac4d.exe | 82
PID 1940 wrote to memory of 208 | 1940 | rundll32.exe | 84
PID 1940 wrote to memory of 208 | 1940 | rundll32.exe | 84
PID 1940 wrote to memory of 208 | 1940 | rundll32.exe | 84
PID 4008 wrote to memory of 780 | 4008 | e57ac4d.exe | 8
PID 4008 wrote to memory of 788 | 4008 | e57ac4d.exe | 9
PID 4008 wrote to memory of 384 | 4008 | e57ac4d.exe | 13
PID 4008 wrote to memory of 2768 | 4008 | e57ac4d.exe | 49
PID 4008 wrote to memory of 2808 | 4008 | e57ac4d.exe | 50
PID 4008 wrote to memory of 3032 | 4008 | e57ac4d.exe | 52
PID 4008 wrote to memory of 3412 | 4008 | e57ac4d.exe | 56
PID 4008 wrote to memory of 3572 | 4008 | e57ac4d.exe | 57
PID 4008 wrote to memory of 3768 | 4008 | e57ac4d.exe | 58
PID 4008 wrote to memory of 3864 | 4008 | e57ac4d.exe | 59
PID 4008 wrote to memory of 3924 | 4008 | e57ac4d.exe | 60
PID 4008 wrote to memory of 4036 | 4008 | e57ac4d.exe | 61
PID 4008 wrote to memory of 4124 | 4008 | e57ac4d.exe | 62
PID 4008 wrote to memory of 3484 | 4008 | e57ac4d.exe | 74
PID 4008 wrote to memory of 3188 | 4008 | e57ac4d.exe | 75
PID 4008 wrote to memory of 4924 | 4008 | e57ac4d.exe | 80
PID 4008 wrote to memory of 1476 | 4008 | e57ac4d.exe | 81
PID 4008 wrote to memory of 208 | 4008 | e57ac4d.exe | 84
PID 4008 wrote to memory of 208 | 4008 | e57ac4d.exe | 84
PID 1940 wrote to memory of 3564 | 1940 | rundll32.exe | 87
PID 1940 wrote to memory of 3564 | 1940 | rundll32.exe | 87
PID 1940 wrote to memory of 3564 | 1940 | rundll32.exe | 87
PID 1940 wrote to memory of 1524 | 1940 | rundll32.exe | 88
PID 1940 wrote to memory of 1524 | 1940 | rundll32.exe | 88
PID 1940 wrote to memory of 1524 | 1940 | rundll32.exe | 88
PID 3564 wrote to memory of 780 | 3564 | e57dcd3.exe | 8
PID 3564 wrote to memory of 788 | 3564 | e57dcd3.exe | 9
PID 3564 wrote to memory of 384 | 3564 | e57dcd3.exe | 13
PID 3564 wrote to memory of 2768 | 3564 | e57dcd3.exe | 49
PID 3564 wrote to memory of 2808 | 3564 | e57dcd3.exe | 50
PID 3564 wrote to memory of 3032 | 3564 | e57dcd3.exe | 52
PID 3564 wrote to memory of 3412 | 3564 | e57dcd3.exe | 56
PID 3564 wrote to memory of 3572 | 3564 | e57dcd3.exe | 57
PID 3564 wrote to memory of 3768 | 3564 | e57dcd3.exe | 58
PID 3564 wrote to memory of 3864 | 3564 | e57dcd3.exe | 59
PID 3564 wrote to memory of 3924 | 3564 | e57dcd3.exe | 60
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dcd3.exe
Processes
(Entries are indented by the depth recorded in the original process tree; signatures matched by a process are listed beneath its command line.)

C:\Windows\system32\fontdrvhost.exe  (PID 780)
  command line: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe  (PID 788)
  command line: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe  (PID 384)
  command line: "dwm.exe"
C:\Windows\system32\sihost.exe  (PID 2768)
  command line: sihost.exe
C:\Windows\system32\svchost.exe  (PID 2808)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe  (PID 3032)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE  (PID 3412)
  command line: C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe  (PID 1476)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1701aceee01a907ba0d53490dc4ce503544f29055281b03df336ab55802d4d36.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 1940)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1701aceee01a907ba0d53490dc4ce503544f29055281b03df336ab55802d4d36.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57ac4d.exe  (PID 4008)
        command line: C:\Users\Admin\AppData\Local\Temp\e57ac4d.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57ae51.exe  (PID 208)
        command line: C:\Users\Admin\AppData\Local\Temp\e57ae51.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57dcd3.exe  (PID 3564)
        command line: C:\Users\Admin\AppData\Local\Temp\e57dcd3.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57dd12.exe  (PID 1524)
        command line: C:\Users\Admin\AppData\Local\Temp\e57dd12.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  (PID 3572)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe  (PID 3768)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (PID 3864)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe  (PID 3924)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (PID 4036)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe  (PID 4124)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  (PID 3484)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe  (PID 3188)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe  (PID 4924)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: f0e0c32a358f0660226ee499af623f32
SHA1: 2eccc8d013453e73914167cb4703254669ced875
SHA256: 42aeeba547267f2db2f30e8f3797cae47c84fa6f176695fe7a8169558ab925a2
SHA512: 8686161a9a762385423fd0da2200058d860f8c70f8cb8943fb12dc43e1ed05f8cd1cb8ed096aff98a14ef94d745340b8d5bf0440b84b7dfb09a990b4c184382a

Filesize: 257B
MD5: b85758b8f0da46abd4e98f5bc3dd31a1
SHA1: b738622f690c4d236582bf401f576c9051e4913a
SHA256: 59dde7afcfaf731ff8be6e2f2eeb9e51be448dabcc0e12f4e6fcea493a4fc299
SHA512: 9f9be11bcb90526b6cd7c45e8540ed0dc5709bfe96ee86fe7cb21b2a3cfc0f32fc8d496e8c9f0d1b750b720d21e2373eccea59273da3afb2f29d4fe9a61f669f