Analysis
max time kernel: 32s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2025 12:29
Static task: static1
Behavioral task: behavioral1
Sample: 33a86b709a20c41c563b36ac253672c4c2465d90f28538453bb8a1fb3aa38810N.dll
Resource: win7-20240708-en
General
Target: 33a86b709a20c41c563b36ac253672c4c2465d90f28538453bb8a1fb3aa38810N.dll
Size: 120KB
MD5: 5b9d74025bfba7483544b9eefead7d70
SHA1: f95be7e474d4e0515733ebf00e27b839699c793d
SHA256: 33a86b709a20c41c563b36ac253672c4c2465d90f28538453bb8a1fb3aa38810
SHA512: 6dc27820b15c525253481ab3090fb08d7c83cf8ba1c2ae070213663d2c4fba23817d3ec71c049d6837c7701947815c90f7438a8bc416c55aafac3dd8bfb3c4ca
SSDEEP: 1536:fNJL/pVO3EzquguUeIfvpBTIw+VdHnyDe0mP5SodVv5O8ReCiJ1smMZOrvm7oxFg:F7s3BHuuvzYVrP5S0kf1smMZq+UaeO
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bdb2.exe
Sality family

UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57eca2.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57eca2.exe

Executes dropped EXE (4 IoCs)
pid | Process
4748 | e57bdb2.exe
3648 | e57c043.exe
744 | e57eca2.exe
4108 | e57ecb2.exe
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57eca2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bdb2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57eca2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57eca2.exe

Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57eca2.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | e57bdb2.exe
File opened (read-only) | \??\G: | e57eca2.exe
File opened (read-only) | \??\I: | e57eca2.exe
File opened (read-only) | \??\J: | e57eca2.exe
File opened (read-only) | \??\G: | e57bdb2.exe
File opened (read-only) | \??\H: | e57bdb2.exe
File opened (read-only) | \??\I: | e57bdb2.exe
File opened (read-only) | \??\M: | e57bdb2.exe
File opened (read-only) | \??\E: | e57eca2.exe
File opened (read-only) | \??\H: | e57eca2.exe
File opened (read-only) | \??\E: | e57bdb2.exe
File opened (read-only) | \??\J: | e57bdb2.exe
File opened (read-only) | \??\L: | e57bdb2.exe

resource | yara_rule
behavioral2/memory/4748-6-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-8-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-9-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-10-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-18-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-19-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-20-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-21-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-11-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-12-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-28-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-37-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-38-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-39-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-40-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-58-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-62-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-63-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-66-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-68-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-70-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-71-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4748-75-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/744-97-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
behavioral2/memory/744-155-0x00000000007D0000-0x000000000188A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57be10 | e57bdb2.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57bdb2.exe
File created | C:\Windows\e5813f0 | e57eca2.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c043.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57eca2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ecb2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bdb2.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4748 | e57bdb2.exe (4 identical entries)
744 | e57eca2.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4748 | e57bdb2.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2968 wrote to memory of 3360 | 2968 | rundll32.exe | 83 (3 identical entries)
PID 3360 wrote to memory of 4748 | 3360 | rundll32.exe | 85 (3 identical entries)
PID 4748 wrote to memory of 804 | 4748 | e57bdb2.exe | 9
PID 4748 wrote to memory of 808 | 4748 | e57bdb2.exe | 10
PID 4748 wrote to memory of 384 | 4748 | e57bdb2.exe | 13
PID 4748 wrote to memory of 2892 | 4748 | e57bdb2.exe | 49
PID 4748 wrote to memory of 3000 | 4748 | e57bdb2.exe | 50
PID 4748 wrote to memory of 2844 | 4748 | e57bdb2.exe | 52
PID 4748 wrote to memory of 3412 | 4748 | e57bdb2.exe | 56
PID 4748 wrote to memory of 3520 | 4748 | e57bdb2.exe | 57
PID 4748 wrote to memory of 3712 | 4748 | e57bdb2.exe | 58
PID 4748 wrote to memory of 3800 | 4748 | e57bdb2.exe | 59
PID 4748 wrote to memory of 3864 | 4748 | e57bdb2.exe | 60
PID 4748 wrote to memory of 3956 | 4748 | e57bdb2.exe | 61
PID 4748 wrote to memory of 3652 | 4748 | e57bdb2.exe | 62
PID 4748 wrote to memory of 388 | 4748 | e57bdb2.exe | 64
PID 4748 wrote to memory of 3828 | 4748 | e57bdb2.exe | 76
PID 4748 wrote to memory of 2012 | 4748 | e57bdb2.exe | 80
PID 4748 wrote to memory of 3884 | 4748 | e57bdb2.exe | 81
PID 4748 wrote to memory of 2968 | 4748 | e57bdb2.exe | 82
PID 4748 wrote to memory of 3360 | 4748 | e57bdb2.exe | 83 (2 identical entries)
PID 4748 wrote to memory of 3816 | 4748 | e57bdb2.exe | 84
PID 3360 wrote to memory of 3648 | 3360 | rundll32.exe | 86 (3 identical entries)
PID 4748 wrote to memory of 804 | 4748 | e57bdb2.exe | 9
PID 4748 wrote to memory of 808 | 4748 | e57bdb2.exe | 10
PID 4748 wrote to memory of 384 | 4748 | e57bdb2.exe | 13
PID 4748 wrote to memory of 2892 | 4748 | e57bdb2.exe | 49
PID 4748 wrote to memory of 3000 | 4748 | e57bdb2.exe | 50
PID 4748 wrote to memory of 2844 | 4748 | e57bdb2.exe | 52
PID 4748 wrote to memory of 3412 | 4748 | e57bdb2.exe | 56
PID 4748 wrote to memory of 3520 | 4748 | e57bdb2.exe | 57
PID 4748 wrote to memory of 3712 | 4748 | e57bdb2.exe | 58
PID 4748 wrote to memory of 3800 | 4748 | e57bdb2.exe | 59
PID 4748 wrote to memory of 3864 | 4748 | e57bdb2.exe | 60
PID 4748 wrote to memory of 3956 | 4748 | e57bdb2.exe | 61
PID 4748 wrote to memory of 3652 | 4748 | e57bdb2.exe | 62
PID 4748 wrote to memory of 388 | 4748 | e57bdb2.exe | 64
PID 4748 wrote to memory of 3828 | 4748 | e57bdb2.exe | 76
PID 4748 wrote to memory of 2012 | 4748 | e57bdb2.exe | 80
PID 4748 wrote to memory of 3884 | 4748 | e57bdb2.exe | 81
PID 4748 wrote to memory of 2968 | 4748 | e57bdb2.exe | 82
PID 4748 wrote to memory of 3648 | 4748 | e57bdb2.exe | 86 (2 identical entries)
PID 4748 wrote to memory of 1536 | 4748 | e57bdb2.exe | 87
PID 4748 wrote to memory of 3908 | 4748 | e57bdb2.exe | 88
PID 4748 wrote to memory of 2276 | 4748 | e57bdb2.exe | 89
PID 3360 wrote to memory of 744 | 3360 | rundll32.exe | 91 (3 identical entries)
PID 3360 wrote to memory of 4108 | 3360 | rundll32.exe | 92 (3 identical entries)
PID 744 wrote to memory of 804 | 744 | e57eca2.exe | 9
PID 744 wrote to memory of 808 | 744 | e57eca2.exe | 10
PID 744 wrote to memory of 384 | 744 | e57eca2.exe | 13
PID 744 wrote to memory of 2892 | 744 | e57eca2.exe | 49
PID 744 wrote to memory of 3000 | 744 | e57eca2.exe | 50

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bdb2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57eca2.exe
Processes
image | command line | PID (indentation shows process tree depth)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 804
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 808
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 384
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2892
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3000
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2844
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3412
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\33a86b709a20c41c563b36ac253672c4c2465d90f28538453bb8a1fb3aa38810N.dll,#1 | PID 2968
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\33a86b709a20c41c563b36ac253672c4c2465d90f28538453bb8a1fb3aa38810N.dll,#1 | PID 3360
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57bdb2.exe | C:\Users\Admin\AppData\Local\Temp\e57bdb2.exe | PID 4748
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57c043.exe | C:\Users\Admin\AppData\Local\Temp\e57c043.exe | PID 3648
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57eca2.exe | C:\Users\Admin\AppData\Local\Temp\e57eca2.exe | PID 744
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57ecb2.exe | C:\Users\Admin\AppData\Local\Temp\e57ecb2.exe | PID 4108
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3520
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3712
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3800
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3864
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3956
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3652
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 388
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 3828
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2012
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 3884
- C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID 3816
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1536
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3908
- C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID 2276
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: abccd0e729863d4e8b853e31828a25d2
  SHA1: 6a084bbffec2861a6fa653be1be23375d10cf372
  SHA256: 4d59362f5b2e6a4e757286d66b3171dc6a3eabcdaf3d43cf63a6aa87add2fccb
  SHA512: 7c71a7b76dc7ae0cdfc6afac544c15284387ecd27ea1f8f9ce7978dbe566ec42bd08f65ad56512a3c993511ac5d6e01632087a4a32602bfc9d2ae0d8a9a661c8
- Filesize: 257B
  MD5: be00b1e4df5a9fbc27605a5da4957f00
  SHA1: fa778b2b4899cee4fc2cd7cfbc9637e5f54f426c
  SHA256: 680fbd6e529ff2824de06ff7f3bc03b5c48e0aa7742beacaf65e7ec9cfdee7ba
  SHA512: 7f7cf4cb48b6e09fdb47aab0e740b6464f35868aa691153d00e2a02f417db4a98c8a9582c142fe316271d1bc3e6e635f2a7c8c74750e9d79fd00b3f54c69ab22