Analysis
max time kernel: 95s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 20:24
Static task: static1
Behavioral task: behavioral1
Sample: 23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll
Resource: win7-20240729-en
General
Target: 23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll
Size: 120KB
MD5: e751947f1cc4c44cfbe30351f1e88ab6
SHA1: acbb382a6bfe409cf11905193433e80934dce53f
SHA256: 23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc
SHA512: a34f33c6cd223145fb723d18115ada4980a2842cc85b4f2c996de280ac2db741a384a226a425f56b21f2ccc1800cf4c4d97485bfdd879935885f9fe9ccf8ac9d
SSDEEP: 3072:I0ih6tvRfkxpQAyb1l/41e2epBeLTtg0hBuAxj5n:ILyvl4pQAybr417epBqlhBT5n
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b3fe.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3fe.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b3fe.exe
Executes dropped EXE 3 IoCs
pid | Process
4772 | e578f5f.exe
2452 | e5790c6.exe
2988 | e57b3fe.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b3fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5790c6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578f5f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b3fe.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578f5f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3fe.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e578f5f.exe
File opened (read-only) | \??\J: | e578f5f.exe
File opened (read-only) | \??\N: | e578f5f.exe
File opened (read-only) | \??\E: | e578f5f.exe
File opened (read-only) | \??\H: | e578f5f.exe
File opened (read-only) | \??\I: | e578f5f.exe
File opened (read-only) | \??\K: | e578f5f.exe
File opened (read-only) | \??\L: | e578f5f.exe
File opened (read-only) | \??\M: | e578f5f.exe
resource | yara_rule
behavioral2/memory/4772-6-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-12-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-10-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-13-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-27-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-31-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-14-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-34-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-11-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-8-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-9-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-35-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-36-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-37-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-39-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-38-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-57-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-60-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-61-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-63-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-65-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-66-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-67-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-71-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-73-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4772-76-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/2452-105-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/2452-109-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/2988-121-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/2988-136-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e578f5f.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e578f5f.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e578f5f.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\e578fad | e578f5f.exe
File opened for modification | C:\Windows\SYSTEM.INI | e578f5f.exe
File created | C:\Windows\e57e00f | e5790c6.exe
File created | C:\Windows\e58026c | e57b3fe.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b3fe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578f5f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5790c6.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4772 | e578f5f.exe
4772 | e578f5f.exe
4772 | e578f5f.exe
4772 | e578f5f.exe
2988 | e57b3fe.exe
2988 | e57b3fe.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Token: SeDebugPrivilege | 4772 | e578f5f.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3284 wrote to memory of 3892 | 3284 | rundll32.exe | 82
PID 3284 wrote to memory of 3892 | 3284 | rundll32.exe | 82
PID 3284 wrote to memory of 3892 | 3284 | rundll32.exe | 82
PID 3892 wrote to memory of 4772 | 3892 | rundll32.exe | 83
PID 3892 wrote to memory of 4772 | 3892 | rundll32.exe | 83
PID 3892 wrote to memory of 4772 | 3892 | rundll32.exe | 83
PID 4772 wrote to memory of 776 | 4772 | e578f5f.exe | 8
PID 4772 wrote to memory of 772 | 4772 | e578f5f.exe | 9
PID 4772 wrote to memory of 60 | 4772 | e578f5f.exe | 13
PID 4772 wrote to memory of 2644 | 4772 | e578f5f.exe | 44
PID 4772 wrote to memory of 2660 | 4772 | e578f5f.exe | 45
PID 4772 wrote to memory of 2784 | 4772 | e578f5f.exe | 48
PID 4772 wrote to memory of 3412 | 4772 | e578f5f.exe | 55
PID 4772 wrote to memory of 3640 | 4772 | e578f5f.exe | 57
PID 4772 wrote to memory of 3824 | 4772 | e578f5f.exe | 58
PID 4772 wrote to memory of 3916 | 4772 | e578f5f.exe | 59
PID 4772 wrote to memory of 3984 | 4772 | e578f5f.exe | 60
PID 4772 wrote to memory of 4076 | 4772 | e578f5f.exe | 61
PID 4772 wrote to memory of 3656 | 4772 | e578f5f.exe | 62
PID 4772 wrote to memory of 3832 | 4772 | e578f5f.exe | 74
PID 4772 wrote to memory of 552 | 4772 | e578f5f.exe | 76
PID 4772 wrote to memory of 3284 | 4772 | e578f5f.exe | 81
PID 4772 wrote to memory of 3892 | 4772 | e578f5f.exe | 82
PID 4772 wrote to memory of 3892 | 4772 | e578f5f.exe | 82
PID 3892 wrote to memory of 2452 | 3892 | rundll32.exe | 84
PID 3892 wrote to memory of 2452 | 3892 | rundll32.exe | 84
PID 3892 wrote to memory of 2452 | 3892 | rundll32.exe | 84
PID 3892 wrote to memory of 2988 | 3892 | rundll32.exe | 85
PID 3892 wrote to memory of 2988 | 3892 | rundll32.exe | 85
PID 3892 wrote to memory of 2988 | 3892 | rundll32.exe | 85
PID 4772 wrote to memory of 776 | 4772 | e578f5f.exe | 8
PID 4772 wrote to memory of 772 | 4772 | e578f5f.exe | 9
PID 4772 wrote to memory of 60 | 4772 | e578f5f.exe | 13
PID 4772 wrote to memory of 2644 | 4772 | e578f5f.exe | 44
PID 4772 wrote to memory of 2660 | 4772 | e578f5f.exe | 45
PID 4772 wrote to memory of 2784 | 4772 | e578f5f.exe | 48
PID 4772 wrote to memory of 3412 | 4772 | e578f5f.exe | 55
PID 4772 wrote to memory of 3640 | 4772 | e578f5f.exe | 57
PID 4772 wrote to memory of 3824 | 4772 | e578f5f.exe | 58
PID 4772 wrote to memory of 3916 | 4772 | e578f5f.exe | 59
PID 4772 wrote to memory of 3984 | 4772 | e578f5f.exe | 60
PID 4772 wrote to memory of 4076 | 4772 | e578f5f.exe | 61
PID 4772 wrote to memory of 3656 | 4772 | e578f5f.exe | 62
PID 4772 wrote to memory of 3832 | 4772 | e578f5f.exe | 74
PID 4772 wrote to memory of 552 | 4772 | e578f5f.exe | 76
PID 4772 wrote to memory of 2452 | 4772 | e578f5f.exe | 84
PID 4772 wrote to memory of 2452 | 4772 | e578f5f.exe | 84
PID 4772 wrote to memory of 2988 | 4772 | e578f5f.exe | 85
PID 4772 wrote to memory of 2988 | 4772 | e578f5f.exe | 85
PID 2988 wrote to memory of 776 | 2988 | e57b3fe.exe | 8
PID 2988 wrote to memory of 772 | 2988 | e57b3fe.exe | 9
PID 2988 wrote to memory of 60 | 2988 | e57b3fe.exe | 13
PID 2988 wrote to memory of 2644 | 2988 | e57b3fe.exe | 44
PID 2988 wrote to memory of 2660 | 2988 | e57b3fe.exe | 45
PID 2988 wrote to memory of 2784 | 2988 | e57b3fe.exe | 48
PID 2988 wrote to memory of 3412 | 2988 | e57b3fe.exe | 55
PID 2988 wrote to memory of 3640 | 2988 | e57b3fe.exe | 57
PID 2988 wrote to memory of 3824 | 2988 | e57b3fe.exe | 58
PID 2988 wrote to memory of 3916 | 2988 | e57b3fe.exe | 59
PID 2988 wrote to memory of 3984 | 2988 | e57b3fe.exe | 60
PID 2988 wrote to memory of 4076 | 2988 | e57b3fe.exe | 61
PID 2988 wrote to memory of 3656 | 2988 | e57b3fe.exe | 62
PID 2988 wrote to memory of 3832 | 2988 | e57b3fe.exe | 74
PID 2988 wrote to memory of 552 | 2988 | e57b3fe.exe | 76
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5790c6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578f5f.exe
Processes
[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
    PID: 776
[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
    PID: 772
[1] C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    PID: 60
[1] C:\Windows\system32\sihost.exe
    Command line: sihost.exe
    PID: 2644
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2660
[1] C:\Windows\system32\taskhostw.exe
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2784
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3412
    [2] C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll,#1
        Signatures:
        - Suspicious use of WriteProcessMemory
        PID: 3284
        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll,#1
            Signatures:
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 3892
            [4] C:\Users\Admin\AppData\Local\Temp\e578f5f.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\e578f5f.exe
                Signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 4772
            [4] C:\Users\Admin\AppData\Local\Temp\e5790c6.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\e5790c6.exe
                Signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - System policy modification
                PID: 2452
            [4] C:\Users\Admin\AppData\Local\Temp\e57b3fe.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\e57b3fe.exe
                Signatures:
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 2988
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3640
[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3824
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3916
[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3984
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4076
[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3656
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 3832
[1] C:\Windows\System32\RuntimeBroker.exe
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 552
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 07d19f85e0b8b2f4aa4e58c1164163e0
SHA1: 170d1a88a6a86520313471679ee4f5a2f7c2fc32
SHA256: 939436aca10023493e211c2de845af339abfc27ec7ca096e62d33d9b1f69c96a
SHA512: 1ace9fb9a716115a4572b9bb6ba57716e3e220b4e09e429951a5690eccba70d81a0dff6c24c0f3e67d36704d43b55e20e687f0de5665d835d3fe9a31a9d4645d

Filesize: 257B
MD5: 628249ac3e16c9c157a353ed5253da88
SHA1: d69c8e73a697922e4317a3e9df0ab5e0470508f7
SHA256: 622e8f0b6461f3b718f083c58241f38a88e4ab41c10b443310a7e3ddfcd392ba
SHA512: 248bc843a67940a17e6fd5329a19e4faa08175b1556f1180f968678d94ca85f957df0a59891ae0e9a9534be7004694eb3a32da86f2536844565f54434b85c0e4