Analysis
- max time kernel: 32s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-12-2024 09:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2997a852ab69a853bd89984fa565602fc56f35cad991d8d433c164949d48cabb.dll
- Resource: win7-20241010-en
General
- Target: 2997a852ab69a853bd89984fa565602fc56f35cad991d8d433c164949d48cabb.dll
- Size: 120KB
- MD5: 1fae1302799e92ea43cd1b5cb9350ab9
- SHA1: 6293e3d25982b7f0ce4a1c780722cffd71f61853
- SHA256: 2997a852ab69a853bd89984fa565602fc56f35cad991d8d433c164949d48cabb
- SHA512: 254bf12d4a3e6642fee1712b63e219813f529a9fe52e84b3d33fd5eea7033fe034486bbc25ba1d94d0a8bb84fe03d41329b93e6b9fe30b0c6ceeaa74d5a3d52a
- SSDEEP: 1536:Ug/JzJ21qktSQN/XJvmqvIALdDAvZfBFOpwY/a3p9YoQ8VNieAhE8Ja3Rt:z/FJ2ntSQN/Xhmqvz+ffwa5PIeAhEFb
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57fb67.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57fb67.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57fb67.exe
Executes dropped EXE 4 IoCs
pid | Process
1440 | e57c97a.exe
2584 | e57cae1.exe
1060 | e57fb67.exe
3988 | e57fbc5.exe

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57fb67.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57fb67.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57fb67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c97a.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57fb67.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e57c97a.exe
File opened (read-only) | \??\L: | e57c97a.exe
File opened (read-only) | \??\I: | e57fb67.exe
File opened (read-only) | \??\E: | e57fb67.exe
File opened (read-only) | \??\G: | e57fb67.exe
File opened (read-only) | \??\H: | e57fb67.exe
File opened (read-only) | \??\E: | e57c97a.exe
File opened (read-only) | \??\G: | e57c97a.exe
File opened (read-only) | \??\H: | e57c97a.exe
File opened (read-only) | \??\N: | e57c97a.exe
File opened (read-only) | \??\K: | e57c97a.exe
File opened (read-only) | \??\J: | e57fb67.exe
File opened (read-only) | \??\I: | e57c97a.exe
File opened (read-only) | \??\M: | e57c97a.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57c9d8 | e57c97a.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57c97a.exe
File created | C:\Windows\e5822d5 | e57fb67.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57cae1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57fb67.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57fbc5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c97a.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1440 | e57c97a.exe
1440 | e57c97a.exe
1440 | e57c97a.exe
1440 | e57c97a.exe
1060 | e57fb67.exe
1060 | e57fb67.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c97a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57fb67.exe
Processes
Each entry is image path | command line | PID, indented by the report's depth level; triggered signatures are listed beneath the entry.

- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2644
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2680
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2792
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3452
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\2997a852ab69a853bd89984fa565602fc56f35cad991d8d433c164949d48cabb.dll,#1 | PID:3580
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\2997a852ab69a853bd89984fa565602fc56f35cad991d8d433c164949d48cabb.dll,#1 | PID:4932
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57c97a.exe | C:\Users\Admin\AppData\Local\Temp\e57c97a.exe | PID:1440
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57cae1.exe | C:\Users\Admin\AppData\Local\Temp\e57cae1.exe | PID:2584
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57fb67.exe | C:\Users\Admin\AppData\Local\Temp\e57fb67.exe | PID:1060
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57fbc5.exe | C:\Users\Admin\AppData\Local\Temp\e57fbc5.exe | PID:3988
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3588
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3780
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3876
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3940
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4020
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2960
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4396
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1624
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 38a7367776b3770f2e42e9087fe531af
  SHA1: 55e971b8769062d98731c074094b78fe4494dd34
  SHA256: f6307a5cb91762f54042cf91280fa402fa965412dcc7d43f5b245622c6d8a2af
  SHA512: ab6ac39836e226cebf062468015f9845e6fbe66f631afb87fa8505e4602e0082f1312a898a100003d3d70d7f6126979999543cecf2a3b51132d8f649dc372eda
- Filesize: 257B
  MD5: d15ff0b0f174172b131d7b735c78991a
  SHA1: e5532b2acf0188e9353be9db4775a256d23fa3aa
  SHA256: 9565b0310f26a98fde400c08d5effbe153811077c377754a83369d5485dd2d89
  SHA512: f06186c83457d805d3b4f4743c8d0aadc43896072fa9dc318ac4e83c26f700841fb2f00835b1e4de6f768b83ce0fed704a5105e5672a623322eeadefdaf24053