Analysis

- max time kernel: 92s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2024 18:57

Static task: static1
Behavioral task: behavioral1

Sample: fa0a201222587ebb78cae5f84fbdceec6f5bbfebba3409245a228692653489e6N.dll
Resource: win7-20240903-en
General

- Target: fa0a201222587ebb78cae5f84fbdceec6f5bbfebba3409245a228692653489e6N.dll
- Size: 120KB
- MD5: 772c69864cdfd922de58aacd065d5390
- SHA1: 1d76e70cc63d9b082a8e1b67d409a47ea93e4c52
- SHA256: fa0a201222587ebb78cae5f84fbdceec6f5bbfebba3409245a228692653489e6
- SHA512: dc53c5cf486a931d32f18ccb5b6132dbd761beffb369cab74693885228a437d3b48b2de3dc426f0ebd94bcf64aa5bd2391af77658be43fe82219ad726717a349
- SSDEEP: 3072:5qxOMupR5NCza/6rg7imqZDg4fIOdm0zYgM8:tMuv5kVE7iPZDxfG0g8
Malware Config

Extracted
- Family: sality
- URLs from the extracted configuration:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ccb6.exe
Both droppers make the same three writes: EnableFirewall = 0 switches the standard-profile firewall off and DisableNotifications = 1 suppresses the prompt that would tell the user. DoNotAllowExceptions = 0 is the Windows default and is not a weakening on its own.

Sality family

UAC bypass (2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ccb6.exe
EnableLUA = 0 disables UAC for every account, but the change only takes effect after a reboot. The same two writes are what the "Checks whether UAC is enabled" and "System policy modification" signatures below report.

Windows security bypass (12 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ccb6.exe
The WOW6432Node prefix is the registry redirector's view of HKLM\SOFTWARE for a 32-bit process (the droppers run under the SysWOW64 rundll32.exe, see Processes). The Override and DisableNotify values are the legacy Security Center switches for suppressing missing-antivirus, firewall, update and UAC warnings; even on a build that no longer honours them, this write pattern is a reliable indicator.

Executes dropped EXE (4 IoCs)
pid | Process
- 1224 | e57cb10.exe
- 2852 | e57ccb6.exe
- 5088 | e57e678.exe
- 2688 | e57e697.exe

Windows security modification (14 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57cb10.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ccb6.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ccb6.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ccb6.exe
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S: | e57cb10.exe (one IoC per drive letter)
UPX-packed memory (YARA rule upx, 34 IoCs)
resource | yara_rule
- behavioral2/memory/1224-N-0x00000000007C0000-0x000000000187A000-memory.dmp | upx, for N in 6, 8, 9, 10, 11, 12, 22, 23, 25, 31, 32, 35, 36, 37, 38, 39, 41, 55, 57, 59, 72, 74, 75, 79, 81, 83, 84, 86, 88, 94, 99, 102 (32 dumps of PID 1224, e57cb10.exe)
- behavioral2/memory/2852-N-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx, for N in 131, 150 (2 dumps of PID 2852, e57ccb6.exe)
All 34 hits are repeated snapshots of one region per process, and the two regions span the same 0x10BA000 bytes, so this is one UPX-packed image present in each dropper rather than 34 distinct artifacts.
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
- File opened for modification | C:\Program Files\7-Zip\7z.exe | e57cb10.exe
- File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57cb10.exe
- File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57cb10.exe
- File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57cb10.exe
Sality is a file infector, so modification opens on existing executables are consistent with its infection pass rather than with dropping new files; treat the 7-Zip binaries on the analysis host as suspect after this run.

Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\e57cb6e | e57cb10.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e57cb10.exe
- File created | C:\Windows\e581c9b | e57ccb6.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cb10.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ccb6.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e678.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e697.exe
This key is also read by plenty of legitimate code, so on its own it is a weak indicator; it matters here only in combination with the other signatures.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
- 1224 | e57cb10.exe (4 IoCs)
- 2852 | e57ccb6.exe (2 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 1224 | e57cb10.exe (all 64 rows are this same entry; the listing stops at 64)
Enabling SeDebugPrivilege is what lets an administrator-level process open other users' and system processes regardless of their DACLs; it is the precondition for the cross-process writes listed under Suspicious use of WriteProcessMemory.
Suspicious use of WriteProcessMemory (64 IoCs)
writer pid (Process) -> target pid [procid_target]; xN marks identical repeated rows
- 2476 (rundll32.exe) -> 1768 [85] x3
- 1768 (rundll32.exe) -> 1224 [86] x3
- 1224 (e57cb10.exe) -> 764 [8], 772 [9], 332 [13], 2900 [49], 2992 [51], 2780 [52], 3452 [55], 3620 [57], 3824 [58], 3920 [59], 3980 [60], 4076 [61], 4216 [62], 2156 [74], 4072 [76], 636 [83], 2476 [84], 1768 [85] x2
- 1768 (rundll32.exe) -> 2852 [87] x3, 5088 [89] x3, 2688 [90] x3
- 1224 (e57cb10.exe) -> 764 [8], 772 [9], 332 [13], 2900 [49], 2992 [51], 2780 [52], 3452 [55], 3620 [57], 3824 [58], 3920 [59], 3980 [60], 4076 [61], 4216 [62], 2156 [74], 4072 [76] (second pass), then 2852 [87] x2, 5088 [89] x2, 2688 [90] x2
- 2852 (e57ccb6.exe) -> 764 [8], 772 [9], 332 [13], 2900 [49], 2992 [51], 2780 [52], 3452 [55], 3620 [57], 3824 [58] (the listing stops at its 64-row cap here)
The writes from each rundll32.exe into the process it spawned are what CreateProcess itself does. Every other target (fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE, DllHost.exe, StartMenuExperienceHost.exe, RuntimeBroker.exe, SearchApp.exe, TextInputHost.exe, backgroundTaskHost.exe; see Processes) is a pre-existing process the droppers never created, which is the injection behaviour these rows record. e57cb10.exe also writes into 2852, 5088 and 2688, which the tree records as children of rundll32.exe 1768, not of 1224.
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57cb10.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ccb6.exe
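The registry writes under Modifies firewall policy service, UAC bypass, Windows security bypass, Windows security modification and System policy modification all reduce to one pattern: a known value under a known key set away from its hardened state. The Python below is an added worked example, not part of the sandbox report: it parses rows in the report's own `Set value (int) <path> = "<value>" <process>` shape, compares each against a hardened baseline, and tags it with the ATT&CK technique ID behind the technique names in the report's ATT&CK section (T1562.004 Disable or Modify System Firewall, T1548.002 Bypass User Account Control, T1562.001 Disable or Modify Tools). The baseline table and the last two sample rows (an unrelated key, and a process restoring the hardened value) are my constructions; the other rows are copied from the signatures above.

```python
"""Evaluate sandbox 'Set value' registry rows against a hardened baseline."""
import re
from collections import defaultdict

# Constructed sample input in the shape of the report's IoC rows. Rows 1-7 are
# copied from the signatures above; the last two are made-up control rows.
SAMPLE_RECORDS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57cb10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57cb10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57cb10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57cb10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57ccb6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57ccb6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57ccb6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Example\Setting = "1" setup.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe
"""

RECORD_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)

# Hardened baseline (my construction): (key suffix, value name) ->
# (hardened value, report signature, ATT&CK technique). DoNotAllowExceptions is
# deliberately absent: 0 is the Windows default, so writing 0 is not a weakening.
BASELINE = {
    (r"FirewallPolicy\StandardProfile", "EnableFirewall"): (1, "Modifies firewall policy service", "T1562.004"),
    (r"FirewallPolicy\StandardProfile", "DisableNotifications"): (0, "Modifies firewall policy service", "T1562.004"),
    (r"Policies\System", "EnableLUA"): (1, "UAC bypass", "T1548.002"),
    (r"Microsoft\Security Center", "AntiVirusOverride"): (0, "Windows security bypass", "T1562.001"),
    (r"Microsoft\Security Center", "FirewallOverride"): (0, "Windows security bypass", "T1562.001"),
    (r"Microsoft\Security Center", "AntiVirusDisableNotify"): (0, "Windows security bypass", "T1562.001"),
    (r"Microsoft\Security Center", "FirewallDisableNotify"): (0, "Windows security bypass", "T1562.001"),
    (r"Microsoft\Security Center", "UpdatesDisableNotify"): (0, "Windows security bypass", "T1562.001"),
    (r"Microsoft\Security Center", "UacDisableNotify"): (0, "Windows security bypass", "T1562.001"),
}


def parse_records(text):
    """Parse 'Set value (type) <path> = "<value>" <process>' rows into dicts."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        key, _, name = m.group("path").rpartition("\\")
        raw = m.group("value")
        records.append({
            "key": key,
            "name": name,
            "value": int(raw) if raw.isdigit() else raw,
            "process": m.group("process"),
        })
    return records


def classify(record):
    """Return the baseline entry for a record, or None if the value is not tracked."""
    for (suffix, name), entry in BASELINE.items():
        if record["name"] == name and record["key"].endswith(suffix):
            return entry
    return None


def evaluate(text):
    """Split rows into weakening findings and writes the baseline does not cover."""
    findings, unclassified = [], []
    for rec in parse_records(text):
        entry = classify(rec)
        if entry is None:
            unclassified.append(rec)
            continue
        hardened, signature, technique = entry
        if rec["value"] != hardened:  # a write that restores the hardened value is not a finding
            findings.append({**rec, "expected": hardened, "signature": signature, "technique": technique})
    return findings, unclassified


def techniques_by_process(findings):
    """Collapse findings into {process: sorted technique IDs} for a triage summary."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["process"]].add(f["technique"])
    return {proc: sorted(t) for proc, t in summary.items()}


if __name__ == "__main__":
    found, other = evaluate(SAMPLE_RECORDS)
    for f in found:
        print(f'{f["process"]:12} {f["technique"]}  {f["name"]}={f["value"]} (hardened {f["expected"]})  [{f["signature"]}]')
    print("unclassified:", len(other), "summary:", techniques_by_process(found))
```

The suffix match on the key rather than the full path is what lets the same baseline entry cover both the native and the WOW6432Node view of Security Center, and the second control row shows that a process writing the hardened value (here EnableFirewall = 1) is not reported. On a live host the same table would be checked with Get-ItemProperty against the three keys instead of parsed from report rows.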
Processes

Each entry is PID | image path | command line, and indentation shows parent/child. The top-level system processes are pre-existing; they appear in the tree only because e57cb10.exe and e57ccb6.exe wrote into their memory (see Suspicious use of WriteProcessMemory).

- 764 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- 772 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- 332 | C:\Windows\system32\dwm.exe | "dwm.exe"
- 2900 | C:\Windows\system32\sihost.exe | sihost.exe
- 2992 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- 2780 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- 3452 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - 2476 | C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa0a201222587ebb78cae5f84fbdceec6f5bbfebba3409245a228692653489e6N.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - 1768 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa0a201222587ebb78cae5f84fbdceec6f5bbfebba3409245a228692653489e6N.dll,#1
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - 1224 | C:\Users\Admin\AppData\Local\Temp\e57cb10.exe | C:\Users\Admin\AppData\Local\Temp\e57cb10.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - 2852 | C:\Users\Admin\AppData\Local\Temp\e57ccb6.exe | C:\Users\Admin\AppData\Local\Temp\e57ccb6.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - 5088 | C:\Users\Admin\AppData\Local\Temp\e57e678.exe | C:\Users\Admin\AppData\Local\Temp\e57e678.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - 2688 | C:\Users\Admin\AppData\Local\Temp\e57e697.exe | C:\Users\Admin\AppData\Local\Temp\e57e697.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- 3620 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- 3824 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- 3920 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- 3980 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- 4076 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- 4216 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- 2156 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- 4072 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- 636 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

The ",#1" argument makes rundll32.exe call the DLL's export at ordinal 1 rather than a named function. The 64-bit C:\Windows\system32\rundll32.exe (2476) re-launches the DLL through its 32-bit C:\Windows\SysWOW64 copy (1768) because the sample is a 32-bit DLL, and the four dropped executables are children of that 32-bit instance.
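The WriteProcessMemory rows and the process tree together separate ordinary process creation (a parent writing into a child it just spawned) from cross-process writes into processes the sample never created. The Python below is an added example, not from the report: it parses rows in the report's `PID <a> wrote to memory of <b> <a> <image> <idx>` shape, resolves them against a parent table hand-built from the tree above, and sorts each writer/target pair into child, ancestor, sibling or injection. The PROCESSES table, the ROOT choice and the subset of rows are my constructions from the report; the category names are mine.

```python
"""Classify sandbox WriteProcessMemory rows against the process tree."""
import re
from collections import Counter, defaultdict

# Constructed parent table: pid -> (image, parent pid), taken from the tree
# above. Pre-existing system processes have no recorded parent (None).
PROCESSES = {
    3452: ("Explorer.EXE", None),
    2476: ("rundll32.exe", 3452),
    1768: ("rundll32.exe", 2476),
    1224: ("e57cb10.exe", 1768),
    2852: ("e57ccb6.exe", 1768),
    5088: ("e57e678.exe", 1768),
    764: ("fontdrvhost.exe", None),
    332: ("dwm.exe", None),
}
ROOT = 2476  # the rundll32.exe that loaded the sample DLL; everything below it is sample lineage

# Constructed subset of the report's rows, keeping one duplicated row so the
# de-duplication is exercised (the sandbox emits several rows per event).
SAMPLE_ROWS = """
PID 2476 wrote to memory of 1768 2476 rundll32.exe 85
PID 2476 wrote to memory of 1768 2476 rundll32.exe 85
PID 1768 wrote to memory of 1224 1768 rundll32.exe 86
PID 1224 wrote to memory of 764 1224 e57cb10.exe 8
PID 1224 wrote to memory of 332 1224 e57cb10.exe 13
PID 1224 wrote to memory of 3452 1224 e57cb10.exe 55
PID 1224 wrote to memory of 2476 1224 e57cb10.exe 84
PID 1224 wrote to memory of 1768 1224 e57cb10.exe 85
PID 1768 wrote to memory of 2852 1768 rundll32.exe 87
PID 1224 wrote to memory of 2852 1224 e57cb10.exe 87
PID 1224 wrote to memory of 5088 1224 e57cb10.exe 89
PID 2852 wrote to memory of 3452 2852 e57ccb6.exe 55
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$"
)


def parse_rows(text):
    """Count (writer, target) pairs; repeated rows for one event collapse to a count."""
    events = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events[(int(m["src"]), int(m["dst"]))] += 1
    return events


def parent(pid):
    return PROCESSES[pid][1]


def ancestors(pid):
    """Parent chain of pid, nearest first, stopping at a process with no recorded parent."""
    chain, p = [], parent(pid)
    while p is not None:
        chain.append(p)
        p = parent(p)
    return chain


def in_lineage(pid):
    """True if pid is the sample's rundll32.exe or descends from it."""
    return pid == ROOT or ROOT in ancestors(pid)


def relation(writer, target):
    """child: hand-off into a process the writer spawned (what CreateProcess does);
    injection: target is outside the sample lineage, i.e. a pre-existing process;
    ancestor / sibling: writes inside the lineage into processes the writer did not create."""
    if parent(target) == writer:
        return "child"
    if not in_lineage(target):
        return "injection"
    if target in ancestors(writer):
        return "ancestor"
    return "sibling"


def classify(text):
    """Group de-duplicated events by relation, annotated with image names and row counts."""
    report = defaultdict(list)
    for (writer, target), n in sorted(parse_rows(text).items()):
        report[relation(writer, target)].append({
            "writer": writer, "writer_image": PROCESSES[writer][0],
            "target": target, "target_image": PROCESSES[target][0],
            "rows": n,
        })
    return report


def injection_targets(text):
    """Images of pre-existing processes that the sample lineage wrote into."""
    return sorted({e["target_image"] for e in classify(text)["injection"]})


if __name__ == "__main__":
    for rel, events in classify(SAMPLE_ROWS).items():
        for e in events:
            print(f'{rel:10} {e["writer"]} ({e["writer_image"]}) -> {e["target"]} ({e["target_image"]}) x{e["rows"]}')
    print("injected into:", injection_targets(SAMPLE_ROWS))
```

Explorer.EXE lands in the injection bucket even though it is the root of the whole chain: the lineage starts at the rundll32.exe that loaded the sample, and Explorer is the sandbox's launcher, not something the sample created. The sibling bucket (e57cb10.exe writing into 2852 and 5088) is the part of the report worth a second look, since those processes are recorded as children of rundll32.exe 1768 rather than of 1224.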
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Two files are listed under Downloads; this export does not name them.

File 1
- Filesize: 97KB
- MD5: 46d8ffe7be9f2d08d3691e09b57cad3c
- SHA1: 43f96c7fd65da0f308942ff0c75e3fdbca9bb09a
- SHA256: e15cf7075b95bfb788cb3fd4c3d57efbfeaa3a9fbeba9a377e626d9a2bf39667
- SHA512: d16ef967b906b8fd208cf44b8cbe90390e5909cf2dc8c47c51159d62444cbb97657ff68ff736afd300eaddc83048a07b25213d58df22a11393a80e21b2b39153

File 2
- Filesize: 257B
- MD5: 97d74b70c93901cdcbedfd66ec88281e
- SHA1: aa672366cac93bae737774419d4955473a1cd62c
- SHA256: 73e4c7379d05120cd6ac1577a8ffca6a824f8ad4e7c4b93be3f71711b82b48fe
- SHA512: 0aaca657fd9c4e09c2f804c0f1a1d41b139b9a794710238e65ddb22d34d05331283edda4849ddd846fecefea23f24b34f1471d72662ef0ab94a1039e371fefda