Analysis
max time kernel: 97s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2024 16:57
Static task: static1
Behavioral task: behavioral1
Sample: 8dd7421e4132520ea7a5055e0ccfb7050e1255e2f117ac393242804eb0685d9aN.dll
Resource: win7-20240903-en
General
Target: 8dd7421e4132520ea7a5055e0ccfb7050e1255e2f117ac393242804eb0685d9aN.dll
Size: 120KB
MD5: 481003003903f4847cf68640eefb9af0
SHA1: f1fa71b857aadef84cda592d75ad719e34b355d3
SHA256: 8dd7421e4132520ea7a5055e0ccfb7050e1255e2f117ac393242804eb0685d9a
SHA512: 13066331883d1a83a14c69941c82fb8199c3774632728549f2add92bfad9d86590905f3cf4698c5a8bbfd8d9330189b026ce8aab7fa2a2033d604584029d4595
SSDEEP: 3072:IhnMttJyxvM2+7Haak5XpaTcs423ox3ppB:IWfJyxvML7HwHkcA3MB
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f05b.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f05b.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f05b.exe
Executes dropped EXE (4 IoCs)
pid | Process
1616 | e57c8be.exe
516 | e57c9c8.exe
2588 | e57f04b.exe
4484 | e57f05b.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f05b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c8be.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f05b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c8be.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f05b.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57c8be.exe
File opened (read-only) | \??\I: | e57f05b.exe
File opened (read-only) | \??\K: | e57c8be.exe
File opened (read-only) | \??\N: | e57c8be.exe
File opened (read-only) | \??\O: | e57c8be.exe
File opened (read-only) | \??\G: | e57f05b.exe
File opened (read-only) | \??\M: | e57c8be.exe
File opened (read-only) | \??\E: | e57f05b.exe
File opened (read-only) | \??\E: | e57c8be.exe
File opened (read-only) | \??\G: | e57c8be.exe
File opened (read-only) | \??\I: | e57c8be.exe
File opened (read-only) | \??\J: | e57c8be.exe
File opened (read-only) | \??\L: | e57c8be.exe
File opened (read-only) | \??\H: | e57f05b.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57c8be.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57c8be.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57c8be.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57c91c | e57c8be.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57c8be.exe
File created | C:\Windows\e58196f | e57f05b.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c8be.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c9c8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f04b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f05b.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1616 | e57c8be.exe (x4)
4484 | e57f05b.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1616 | e57c8be.exe (x64, all entries identical)
Suspicious use of WriteProcessMemory (64 IoCs; consecutive identical entries collapsed with a count)
description | pid | Process | procid_target
PID 1736 wrote to memory of 3604 | 1736 | rundll32.exe | 83 (x3)
PID 3604 wrote to memory of 1616 | 3604 | rundll32.exe | 84 (x3)
PID 1616 wrote to memory of 792 | 1616 | e57c8be.exe | 9
PID 1616 wrote to memory of 800 | 1616 | e57c8be.exe | 10
PID 1616 wrote to memory of 420 | 1616 | e57c8be.exe | 13
PID 1616 wrote to memory of 2596 | 1616 | e57c8be.exe | 44
PID 1616 wrote to memory of 2644 | 1616 | e57c8be.exe | 45
PID 1616 wrote to memory of 2808 | 1616 | e57c8be.exe | 48
PID 1616 wrote to memory of 3520 | 1616 | e57c8be.exe | 56
PID 1616 wrote to memory of 3648 | 1616 | e57c8be.exe | 57
PID 1616 wrote to memory of 3824 | 1616 | e57c8be.exe | 58
PID 1616 wrote to memory of 3916 | 1616 | e57c8be.exe | 59
PID 1616 wrote to memory of 3992 | 1616 | e57c8be.exe | 60
PID 1616 wrote to memory of 4072 | 1616 | e57c8be.exe | 61
PID 1616 wrote to memory of 3576 | 1616 | e57c8be.exe | 62
PID 1616 wrote to memory of 396 | 1616 | e57c8be.exe | 64
PID 1616 wrote to memory of 672 | 1616 | e57c8be.exe | 76
PID 1616 wrote to memory of 2776 | 1616 | e57c8be.exe | 81
PID 1616 wrote to memory of 1736 | 1616 | e57c8be.exe | 82
PID 1616 wrote to memory of 3604 | 1616 | e57c8be.exe | 83 (x2)
PID 3604 wrote to memory of 516 | 3604 | rundll32.exe | 85 (x3)
PID 3604 wrote to memory of 2588 | 3604 | rundll32.exe | 86 (x3)
PID 3604 wrote to memory of 4484 | 3604 | rundll32.exe | 87 (x3)
PID 1616 wrote to memory of 792 | 1616 | e57c8be.exe | 9
PID 1616 wrote to memory of 800 | 1616 | e57c8be.exe | 10
PID 1616 wrote to memory of 420 | 1616 | e57c8be.exe | 13
PID 1616 wrote to memory of 2596 | 1616 | e57c8be.exe | 44
PID 1616 wrote to memory of 2644 | 1616 | e57c8be.exe | 45
PID 1616 wrote to memory of 2808 | 1616 | e57c8be.exe | 48
PID 1616 wrote to memory of 3520 | 1616 | e57c8be.exe | 56
PID 1616 wrote to memory of 3648 | 1616 | e57c8be.exe | 57
PID 1616 wrote to memory of 3824 | 1616 | e57c8be.exe | 58
PID 1616 wrote to memory of 3916 | 1616 | e57c8be.exe | 59
PID 1616 wrote to memory of 3992 | 1616 | e57c8be.exe | 60
PID 1616 wrote to memory of 4072 | 1616 | e57c8be.exe | 61
PID 1616 wrote to memory of 3576 | 1616 | e57c8be.exe | 62
PID 1616 wrote to memory of 396 | 1616 | e57c8be.exe | 64
PID 1616 wrote to memory of 672 | 1616 | e57c8be.exe | 76
PID 1616 wrote to memory of 2776 | 1616 | e57c8be.exe | 81
PID 1616 wrote to memory of 516 | 1616 | e57c8be.exe | 85 (x2)
PID 1616 wrote to memory of 2588 | 1616 | e57c8be.exe | 86 (x2)
PID 1616 wrote to memory of 4484 | 1616 | e57c8be.exe | 87 (x2)
PID 4484 wrote to memory of 792 | 4484 | e57f05b.exe | 9
PID 4484 wrote to memory of 800 | 4484 | e57f05b.exe | 10
PID 4484 wrote to memory of 420 | 4484 | e57f05b.exe | 13
PID 4484 wrote to memory of 2596 | 4484 | e57f05b.exe | 44
PID 4484 wrote to memory of 2644 | 4484 | e57f05b.exe | 45
PID 4484 wrote to memory of 2808 | 4484 | e57f05b.exe | 48
PID 4484 wrote to memory of 3520 | 4484 | e57f05b.exe | 56
PID 4484 wrote to memory of 3648 | 4484 | e57f05b.exe | 57
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c8be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f05b.exe
Processes
(tree depth in brackets; each entry: PID, image path, command line, then the signatures triggered by that process)
[1] PID 792 | C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe"
[1] PID 800 | C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe"
[1] PID 420 | C:\Windows\system32\dwm.exe | cmdline: "dwm.exe"
[1] PID 2596 | C:\Windows\system32\sihost.exe | cmdline: sihost.exe
[1] PID 2644 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] PID 2808 | C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] PID 3520 | C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE
  [2] PID 1736 | C:\Windows\system32\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd7421e4132520ea7a5055e0ccfb7050e1255e2f117ac393242804eb0685d9aN.dll,#1
      - Suspicious use of WriteProcessMemory
    [3] PID 3604 | C:\Windows\SysWOW64\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd7421e4132520ea7a5055e0ccfb7050e1255e2f117ac393242804eb0685d9aN.dll,#1
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] PID 1616 | C:\Users\Admin\AppData\Local\Temp\e57c8be.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57c8be.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      [4] PID 516 | C:\Users\Admin\AppData\Local\Temp\e57c9c8.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57c9c8.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] PID 2588 | C:\Users\Admin\AppData\Local\Temp\e57f04b.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57f04b.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
      [4] PID 4484 | C:\Users\Admin\AppData\Local\Temp\e57f05b.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\e57f05b.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - System policy modification
[1] PID 3648 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] PID 3824 | C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] PID 3916 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 3992 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 4072 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] PID 3576 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 396 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 672 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] PID 2776 | C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 97KB
MD5: eb8eba38d3ce21cd0feb14afcf9bbb7e
SHA1: 30773e27df3ad3008dfcc19e57fdada0e9bf92a5
SHA256: 7fc93dfb7161fba289cd1f01c7973d364c05f4079aeb8cc6aba6a4199aa77f7d
SHA512: 6f35e07a7fba278dbbf1b64438ada4f2a6727fcb4c3835d84e5a82f962e815d6835f04076c0d02a4215c07dcc00df0ec553db89574bba98926ff6be43e74599c

Filesize: 257B
MD5: 020216bbc750828364b8f2b61dedb8da
SHA1: 375d66f69117e1b0c9e31471c96c933bdc94d5ab
SHA256: 223f1d435da4fadf4e834241514271157d5edbc196249c173188b826ad455475
SHA512: 2a121cde0e6c2c517f42f00b0541cb6019375f7bc00e5d58c50e16f12b5d867f89c3503b1e9f23724ae7cb1f3837e5a8941295562ec74c454aa3508d98b4f01e