Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2025 03:52
Static task: static1
Behavioral task: behavioral1
Sample: c9735c73b0bc215481b7e859036939c730c105c5b1cf2d4a94221a8ab2a558ba.dll
Resource: win7-20241010-en
General
Target: c9735c73b0bc215481b7e859036939c730c105c5b1cf2d4a94221a8ab2a558ba.dll
Size: 120KB
MD5: c11b5d7620a61799eb4e0a5bed6c76e2
SHA1: 0841887aa8c410ce72458f45ddfef9b36df43912
SHA256: c9735c73b0bc215481b7e859036939c730c105c5b1cf2d4a94221a8ab2a558ba
SHA512: 2a5d7495cab155348b82927fea50e5bfb85aac7bdd66d031c516c338a4bc088ffdac19a2e1cee8acd057c589977a8841d86b7093c768e7d38b324f83580adad2
SSDEEP: 3072:5HrX3XqDHdckNDSEt8sPnzhBYC/aWJ+q:5LwdckkEt8sP7YCCWUq
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57be7d.exe
Sality family
-
UAC bypass 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a2f7.exe
Windows security bypass 2 TTPs 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a4ac.exe
Executes dropped EXE 4 IoCs
pid | Process
3964 | e57a2f7.exe
5068 | e57a4ac.exe
4808 | e57be5e.exe
2808 | e57be7d.exe
Windows security modification 2 TTPs 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a2f7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a2f7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57be7d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57be7d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57be7d.exe
Checks whether UAC is enabled 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be7d.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57a2f7.exe
File opened (read-only) | \??\I: | e57a2f7.exe
File opened (read-only) | \??\L: | e57a2f7.exe
File opened (read-only) | \??\M: | e57a2f7.exe
File opened (read-only) | \??\S: | e57a2f7.exe
File opened (read-only) | \??\H: | e57a2f7.exe
File opened (read-only) | \??\K: | e57a2f7.exe
File opened (read-only) | \??\O: | e57a2f7.exe
File opened (read-only) | \??\P: | e57a2f7.exe
File opened (read-only) | \??\Q: | e57a2f7.exe
File opened (read-only) | \??\J: | e57a2f7.exe
File opened (read-only) | \??\R: | e57a2f7.exe
File opened (read-only) | \??\E: | e57a2f7.exe
File opened (read-only) | \??\N: | e57a2f7.exe
resource | yara_rule
behavioral2/memory/3964-8-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-6-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-10-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-18-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-17-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-11-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-12-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-21-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-9-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-31-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-24-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-35-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-36-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-37-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-38-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-39-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-41-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-42-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-57-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-59-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-60-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-74-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-76-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-79-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-80-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-82-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-83-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-84-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-88-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-90-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-92-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3964-93-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/5068-131-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/5068-145-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57a2f7.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57a2f7.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57a2f7.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57a2f7.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\e57f4c0 | e57a4ac.exe
File created | C:\Windows\e580d88 | e57be7d.exe
File created | C:\Windows\e57a354 | e57a2f7.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a2f7.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a2f7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a4ac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57be5e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57be7d.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3964 | e57a2f7.exe
3964 | e57a2f7.exe
3964 | e57a2f7.exe
3964 | e57a2f7.exe
5068 | e57a4ac.exe
5068 | e57a4ac.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3964 | e57a2f7.exe (this same row is recorded 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3084 wrote to memory of 2036 | 3084 | rundll32.exe | 83
PID 3084 wrote to memory of 2036 | 3084 | rundll32.exe | 83
PID 3084 wrote to memory of 2036 | 3084 | rundll32.exe | 83
PID 2036 wrote to memory of 3964 | 2036 | rundll32.exe | 84
PID 2036 wrote to memory of 3964 | 2036 | rundll32.exe | 84
PID 2036 wrote to memory of 3964 | 2036 | rundll32.exe | 84
PID 3964 wrote to memory of 776 | 3964 | e57a2f7.exe | 8
PID 3964 wrote to memory of 784 | 3964 | e57a2f7.exe | 9
PID 3964 wrote to memory of 380 | 3964 | e57a2f7.exe | 13
PID 3964 wrote to memory of 2972 | 3964 | e57a2f7.exe | 51
PID 3964 wrote to memory of 3044 | 3964 | e57a2f7.exe | 52
PID 3964 wrote to memory of 3112 | 3964 | e57a2f7.exe | 53
PID 3964 wrote to memory of 3436 | 3964 | e57a2f7.exe | 56
PID 3964 wrote to memory of 3548 | 3964 | e57a2f7.exe | 57
PID 3964 wrote to memory of 3768 | 3964 | e57a2f7.exe | 58
PID 3964 wrote to memory of 3880 | 3964 | e57a2f7.exe | 59
PID 3964 wrote to memory of 3944 | 3964 | e57a2f7.exe | 60
PID 3964 wrote to memory of 4064 | 3964 | e57a2f7.exe | 61
PID 3964 wrote to memory of 4176 | 3964 | e57a2f7.exe | 62
PID 3964 wrote to memory of 2792 | 3964 | e57a2f7.exe | 75
PID 3964 wrote to memory of 3480 | 3964 | e57a2f7.exe | 76
PID 3964 wrote to memory of 4112 | 3964 | e57a2f7.exe | 81
PID 3964 wrote to memory of 3084 | 3964 | e57a2f7.exe | 82
PID 3964 wrote to memory of 2036 | 3964 | e57a2f7.exe | 83
PID 3964 wrote to memory of 2036 | 3964 | e57a2f7.exe | 83
PID 2036 wrote to memory of 5068 | 2036 | rundll32.exe | 85
PID 2036 wrote to memory of 5068 | 2036 | rundll32.exe | 85
PID 2036 wrote to memory of 5068 | 2036 | rundll32.exe | 85
PID 2036 wrote to memory of 4808 | 2036 | rundll32.exe | 87
PID 2036 wrote to memory of 4808 | 2036 | rundll32.exe | 87
PID 2036 wrote to memory of 4808 | 2036 | rundll32.exe | 87
PID 2036 wrote to memory of 2808 | 2036 | rundll32.exe | 88
PID 2036 wrote to memory of 2808 | 2036 | rundll32.exe | 88
PID 2036 wrote to memory of 2808 | 2036 | rundll32.exe | 88
PID 3964 wrote to memory of 776 | 3964 | e57a2f7.exe | 8
PID 3964 wrote to memory of 784 | 3964 | e57a2f7.exe | 9
PID 3964 wrote to memory of 380 | 3964 | e57a2f7.exe | 13
PID 3964 wrote to memory of 2972 | 3964 | e57a2f7.exe | 51
PID 3964 wrote to memory of 3044 | 3964 | e57a2f7.exe | 52
PID 3964 wrote to memory of 3112 | 3964 | e57a2f7.exe | 53
PID 3964 wrote to memory of 3436 | 3964 | e57a2f7.exe | 56
PID 3964 wrote to memory of 3548 | 3964 | e57a2f7.exe | 57
PID 3964 wrote to memory of 3768 | 3964 | e57a2f7.exe | 58
PID 3964 wrote to memory of 3880 | 3964 | e57a2f7.exe | 59
PID 3964 wrote to memory of 3944 | 3964 | e57a2f7.exe | 60
PID 3964 wrote to memory of 4064 | 3964 | e57a2f7.exe | 61
PID 3964 wrote to memory of 4176 | 3964 | e57a2f7.exe | 62
PID 3964 wrote to memory of 2792 | 3964 | e57a2f7.exe | 75
PID 3964 wrote to memory of 3480 | 3964 | e57a2f7.exe | 76
PID 3964 wrote to memory of 5068 | 3964 | e57a2f7.exe | 85
PID 3964 wrote to memory of 5068 | 3964 | e57a2f7.exe | 85
PID 3964 wrote to memory of 4808 | 3964 | e57a2f7.exe | 87
PID 3964 wrote to memory of 4808 | 3964 | e57a2f7.exe | 87
PID 3964 wrote to memory of 2808 | 3964 | e57a2f7.exe | 88
PID 3964 wrote to memory of 2808 | 3964 | e57a2f7.exe | 88
PID 5068 wrote to memory of 776 | 5068 | e57a4ac.exe | 8
PID 5068 wrote to memory of 784 | 5068 | e57a4ac.exe | 9
PID 5068 wrote to memory of 380 | 5068 | e57a4ac.exe | 13
PID 5068 wrote to memory of 2972 | 5068 | e57a4ac.exe | 51
PID 5068 wrote to memory of 3044 | 5068 | e57a4ac.exe | 52
PID 5068 wrote to memory of 3112 | 5068 | e57a4ac.exe | 53
PID 5068 wrote to memory of 3436 | 5068 | e57a4ac.exe | 56
PID 5068 wrote to memory of 3548 | 5068 | e57a4ac.exe | 57
PID 5068 wrote to memory of 3768 | 5068 | e57a4ac.exe | 58
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a2f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a4ac.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57be7d.exe
Processes
image | command line | depth | PID (signatures triggered by that process are listed beneath it; indentation follows the process tree)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 1 | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 1 | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | 1 | PID:380
C:\Windows\system32\sihost.exe | sihost.exe | 1 | PID:2972
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | 1 | PID:3044
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | 1 | PID:3112
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1 | PID:3436
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9735c73b0bc215481b7e859036939c730c105c5b1cf2d4a94221a8ab2a558ba.dll,#1 | 2 | PID:3084
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9735c73b0bc215481b7e859036939c730c105c5b1cf2d4a94221a8ab2a558ba.dll,#1 | 3 | PID:2036
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57a2f7.exe | C:\Users\Admin\AppData\Local\Temp\e57a2f7.exe | 4 | PID:3964
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57a4ac.exe | C:\Users\Admin\AppData\Local\Temp\e57a4ac.exe | 4 | PID:5068
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57be5e.exe | C:\Users\Admin\AppData\Local\Temp\e57be5e.exe | 4 | PID:4808
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57be7d.exe | C:\Users\Admin\AppData\Local\Temp\e57be7d.exe | 4 | PID:2808
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | 1 | PID:3548
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 1 | PID:3768
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | 1 | PID:3880
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 1 | PID:3944
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | 1 | PID:4064
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 1 | PID:4176
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | 1 | PID:2792
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 1 | PID:3480
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | 1 | PID:4112
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 199d9473e4b3f59b252d4639fb4b62fb
SHA1: d01656ffc1bab44f5447df0204da44d18cf5b61f
SHA256: f012acb89166ec8fa716392629c71d5a5d24c7299c3db5f0e18e27ed06228c98
SHA512: db8205e34f96d62b74e7fb115a624b3f3c57ee6ed999c57fdaf22652b9330a31c741825bb37f06ce1361b6bdb72b9e3cccbc3fdc6b40e3e81d0acc960156f15f
-
Filesize: 257B
MD5: e13846a6c96c8ea6c13c4490a68eca82
SHA1: c75a67e487448026211916f2151af3dc374c85ec
SHA256: 07047234cd71d11861fd6b5217afe8ff83c65f5ad755104208af4e6484485a0b
SHA512: 4ff71c566bf64622ca0b2034bb921df02482172728497c2593535cc1c179c51ad9104af234e0718705f82884699a88382f9a8e6f8da6c3eb9fcc311582f2e070