Analysis
max time kernel: 134s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-02-2025 01:52
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_832b9b8f5c4f23933374172eaed1ac8a.dll
Resource: win7-20240903-en
(The signatures, process tree and memory dumps below are from the win10v2004 run, behavioral2, as the memory-dump paths show; behavioral1 is the win7 run of the same sample.)
General
Target: JaffaCakes118_832b9b8f5c4f23933374172eaed1ac8a.dll
Size: 120KB
MD5: 832b9b8f5c4f23933374172eaed1ac8a
SHA1: dc95c69c660de23d40362c516f70cbaf28dda65d
SHA256: 9ee2297c614985a528d18bb2b020d5e1336beb81e17063ec1a0dd2766222eb26
SHA512: c969deb4a80d531cf45ac634f9b73401ee5774b7b19346a386c6b0d534067fd182a8bd3f7279f7575741c3f6c8fa23f2ac39f0212d798b55955c0908ce046180
SSDEEP: 3072:hnJBV/BvGDm5nW4TBHrEWomoVlBe83uOb:hJBV/BjnW4TBHrEWOBe9c
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57dc27.exe
Sality family

UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dc27.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c091.exe
Executes dropped EXE (3 IoCs)
pid | Process
3608 | e57c091.exe
2680 | e57c2b4.exe
1028 | e57dc27.exe
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57c091.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57dc27.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57dc27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57c091.exe
Note: the *Override and *DisableNotify values suppress the Security Center's warnings that the firewall, antivirus, updates or UAC are off; they do not disable those components themselves. The firewall and UAC are disabled by the FirewallPolicy and EnableLUA writes listed above. The WOW6432Node paths reflect registry redirection: both droppers are 32-bit processes launched from SysWOW64\rundll32.exe, so on a 64-bit host these keys are the redirected view rather than the native SOFTWARE\Microsoft\Security Center key.
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dc27.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57c091.exe
File opened (read-only) | \??\G: | e57c091.exe
File opened (read-only) | \??\H: | e57c091.exe
File opened (read-only) | \??\I: | e57c091.exe
File opened (read-only) | \??\L: | e57c091.exe
File opened (read-only) | \??\M: | e57c091.exe
File opened (read-only) | \??\N: | e57c091.exe
File opened (read-only) | \??\O: | e57c091.exe
File opened (read-only) | \??\E: | e57dc27.exe
File opened (read-only) | \??\J: | e57c091.exe
File opened (read-only) | \??\K: | e57c091.exe
File opened (read-only) | \??\P: | e57c091.exe
File opened (read-only) | \??\R: | e57c091.exe
File opened (read-only) | \??\T: | e57c091.exe
File opened (read-only) | \??\Q: | e57c091.exe
File opened (read-only) | \??\S: | e57c091.exe
YARA rule matches in memory dumps (34 IoCs)
resource | yara_rule
behavioral2/memory/3608-{8,6,17,11,10,9,18,19,20,21,35,36,37,38,39,41,42,52,54,56,57,58,70,71,74,75,78,79,80,82,88,93}-0x00000000007E0000-0x000000000189A000-memory.dmp | upx  (32 dumps of the same region of PID 3608, e57c091.exe)
behavioral2/memory/1028-{123,157}-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx  (2 dumps of the same region of PID 1028, e57dc27.exe)
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57c091.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57c091.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57c091.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57c091.exe
Note: these are existing 7-Zip executables opened for write access, not newly created files. With a Sality verdict (a polymorphic PE file infector), any executable the dropper opened for modification should be re-hashed and treated as possibly infected rather than assumed intact.

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57c0df | e57c091.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57c091.exe
File created | C:\Windows\e5811fc | e57dc27.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c2b4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57dc27.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c091.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3608 | e57c091.exe  (4 entries)
1028 | e57dc27.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3608 | e57c091.exe  (64 identical entries)
Note: SeDebugPrivilege is what lets a process open other users' and system processes with write access, which is the precondition for the WriteProcessMemory activity listed below.
Suspicious use of WriteProcessMemory (64 IoCs)
writer PID (Process) -> target PID (procid_target); "xN" marks N consecutive identical entries
3616 (rundll32.exe) -> 3972 (84) x3
3972 (rundll32.exe) -> 3608 (85) x3
3608 (e57c091.exe) -> 776 (8), 784 (9), 384 (13), 2556 (44), 2576 (45), 3008 (52), 3436 (56), 3572 (57), 3764 (58), 3852 (59), 3920 (60), 4000 (61), 4152 (62), 4992 (74), 116 (76), 3616 (83), 3972 (84) x2
3972 (rundll32.exe) -> 2680 (86) x3
3972 (rundll32.exe) -> 1028 (87) x3
3608 (e57c091.exe) -> 776 (8), 784 (9), 384 (13), 2556 (44), 2576 (45), 3008 (52), 3436 (56), 3572 (57), 3764 (58), 3852 (59), 3920 (60), 4000 (61), 4152 (62), 4992 (74), 116 (76), 2680 (86) x2, 1028 (87) x2
1028 (e57dc27.exe) -> 776 (8), 784 (9), 384 (13), 2556 (44), 2576 (45), 3008 (52), 3436 (56), 3572 (57), 3764 (58), 3852 (59), 3920 (60), 4000 (61), 4152 (62), 4992 (74), 116 (76)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57c091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57dc27.exe
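The registry writes listed under the firewall-policy, UAC-bypass, Security Center and system-policy signatures above can be turned directly into detection logic. The following is an added example, not part of the sandbox report: it models Sysmon Event ID 13 (RegistryEvent, value set) records as dicts and flags a process that sets these values to the tamper data seen here. The report prints native paths (\REGISTRY\MACHINE\..., ControlSet001, and WOW6432Node because the droppers run 32-bit under SysWOW64\rundll32.exe) while Sysmon prints HKLM\...\CurrentControlSet\..., so the normaliser folds both into one form. The value names and data are the report's; the sample events, the benign netsh and uac_off.exe records, the category names and the two-category threshold are constructed for illustration; the ATT&CK sub-technique IDs are the standard ones for these behaviours.

```python
"""Detect the Sality-style defence tampering listed in the report above.
Added example: Sysmon Event ID 13 (RegistryEvent, value set) records are
modelled as dicts; the events below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Monitored values, keyed by a normalised lower-case path. Value names and the
# tamper data come from the report's IoCs; the category labels are this example's.
FW = "hklm\\system\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\"
POL = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\"
SC = "hklm\\software\\microsoft\\security center\\"
TAMPER_RULES = {
    FW + "enablefirewall":         (0, "T1562.004", "firewall"),
    FW + "donotallowexceptions":   (0, "T1562.004", "firewall"),
    FW + "disablenotifications":   (1, "T1562.004", "firewall"),
    POL + "enablelua":             (0, "T1548.002", "uac"),
    SC + "antivirusoverride":      (1, "T1562.001", "security_center"),
    SC + "firewalloverride":       (1, "T1562.001", "security_center"),
    SC + "antivirusdisablenotify": (1, "T1562.001", "security_center"),
    SC + "firewalldisablenotify":  (1, "T1562.001", "security_center"),
    SC + "updatesdisablenotify":   (1, "T1562.001", "security_center"),
    SC + "uacdisablenotify":       (1, "T1562.001", "security_center"),
}

def normalize_key(path):
    """Fold \\REGISTRY\\MACHINE / HKEY_LOCAL_MACHINE / HKLM, ControlSetNNN and the
    WOW6432Node redirection into one canonical lower-case form, so that the
    report's IoC strings and Sysmon TargetObject strings compare equal."""
    p = path.strip()
    p = re.sub(r"^\\?(REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE|HKLM)\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p.lower()

def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; the report renders it
    as "1". Accept both; return None for non-numeric data."""
    m = re.search(r"0x([0-9a-f]+)", details, flags=re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"-?\d+", details)
    return int(m.group(0)) if m else None

def match_event(event):
    """Return (technique, category) when the event sets a monitored value to its
    tamper data; None for unmonitored values or benign data (e.g. EnableFirewall=1)."""
    rule = TAMPER_RULES.get(normalize_key(event["TargetObject"]))
    if rule is None:
        return None
    expected, technique, category = rule
    return (technique, category) if parse_dword(event["Details"]) == expected else None

def detect(events, min_categories=2):
    """Group matching writes per process. A process touching >= min_categories of
    the categories (firewall, uac, security_center) is flagged as a composite
    defence-impairment alert, the pattern both droppers in the report show;
    a single-category hit is still reported, but not as composite."""
    hits = defaultdict(list)
    for ev in events:
        m = match_event(ev)
        if m:
            hits[(ev["ProcessId"], ev["Image"])].append(m)
    alerts = []
    for (pid, image), matches in hits.items():
        cats = sorted({c for _, c in matches})
        alerts.append({
            "pid": pid, "image": image, "values_set": len(matches),
            "categories": cats, "techniques": sorted({t for t, _ in matches}),
            "composite": len(cats) >= min_categories,
        })
    return alerts

def _ev(pid, image, target, details):
    return {"ProcessId": pid, "Image": image, "TargetObject": target, "Details": details}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e57c091.exe"  # PID 3608 in the report
SAMPLE_EVENTS = [  # constructed; paths mirror the report's IoCs in Sysmon and native form
    _ev(3608, DROPPER, r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "DWORD (0x00000000)"),
    _ev(3608, DROPPER, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions", '"0"'),
    _ev(3608, DROPPER, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    _ev(3608, DROPPER, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride", "DWORD (0x00000001)"),
    # benign (constructed): an administrator re-enabling the firewall writes the same value name with data 1
    _ev(1200, r"C:\Windows\System32\netsh.exe", r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "DWORD (0x00000001)"),
    # hypothetical tool that only turns UAC off: one category, reported but not composite
    _ev(4444, r"C:\Tools\uac_off.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The composite threshold is the useful part: a single EnableLUA=0 write has legitimate sources (imaging scripts, some installers), but one process turning off the firewall, UAC and Security Center notifications within a run is what both droppers do here and is rarely benign. Feed real Sysmon ID 13 events in the same dict shape and tune min_categories to the environment.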
Processes
The depth-1 entries are pre-existing system processes; they are in the tree because the droppers wrote into their memory (their PIDs are exactly the targets listed under Suspicious use of WriteProcessMemory). The sample chain runs under Explorer.EXE: the 64-bit rundll32.exe loads the DLL, spawns the 32-bit SysWOW64 rundll32.exe, and that process launches the three dropped executables.

[1] PID 776  C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"
[1] PID 784  C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"
[1] PID 384  C:\Windows\system32\dwm.exe  cmdline: "dwm.exe"
[1] PID 2556  C:\Windows\system32\sihost.exe  cmdline: sihost.exe
[1] PID 2576  C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] PID 3008  C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] PID 3436  C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE
    [2] PID 3616  C:\Windows\system32\rundll32.exe  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832b9b8f5c4f23933374172eaed1ac8a.dll,#1
        - Suspicious use of WriteProcessMemory
        [3] PID 3972  C:\Windows\SysWOW64\rundll32.exe  cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832b9b8f5c4f23933374172eaed1ac8a.dll,#1
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] PID 3608  C:\Users\Admin\AppData\Local\Temp\e57c091.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e57c091.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] PID 2680  C:\Users\Admin\AppData\Local\Temp\e57c2b4.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e57c2b4.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            [4] PID 1028  C:\Users\Admin\AppData\Local\Temp\e57dc27.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\e57dc27.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
[1] PID 3572  C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] PID 3764  C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] PID 3852  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 3920  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 4000  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] PID 4152  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 4992  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] PID 116  C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
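The WriteProcessMemory IoCs and the process list above together describe an injection graph: which process staged which, and which pre-existing processes were written into. The following is an added example, not part of the report: it parses the run-together "PID X wrote to memory of Y X image N" form these reports carry, joins it with the PID table, and separates the sample's own chain from the system processes it injected into. The PID table and the excerpt of write records are copied from this page; the set of sample PIDs (the two rundll32 hosts plus the three dropped EXEs) and the classification logic are this example's own.

```python
"""Rebuild the injection graph from the 'Suspicious use of WriteProcessMemory'
IoCs and the process list in the report. Added example, not part of the report."""
import re
from collections import defaultdict

# PID -> image, copied from the Processes section of the report.
PROCESSES = {
    776: "fontdrvhost.exe", 784: "fontdrvhost.exe", 384: "dwm.exe", 2556: "sihost.exe",
    2576: "svchost.exe (CDPUserSvc)", 3008: "taskhostw.exe", 3436: "Explorer.EXE",
    3572: "svchost.exe (cbdhsvc)", 3764: "DllHost.exe", 3852: "StartMenuExperienceHost.exe",
    3920: "RuntimeBroker.exe", 4000: "SearchApp.exe", 4152: "RuntimeBroker.exe",
    4992: "TextInputHost.exe", 116: "RuntimeBroker.exe",
    3616: "rundll32.exe (system32)", 3972: "rundll32.exe (SysWOW64)",
    3608: "e57c091.exe", 2680: "e57c2b4.exe", 1028: "e57dc27.exe",
}
# The sample's own chain: both rundll32 hosts and the three dropped EXEs
# (this grouping is the example's assumption, taken from the process tree).
SAMPLE_PIDS = {3616, 3972, 3608, 2680, 1028}

# Excerpt of the report's WriteProcessMemory IoCs, in the run-together form the page carries.
WPM_TEXT = (
    "PID 3616 wrote to memory of 3972 3616 rundll32.exe 84 "
    "PID 3972 wrote to memory of 3608 3972 rundll32.exe 85 "
    "PID 3608 wrote to memory of 776 3608 e57c091.exe 8 "
    "PID 3608 wrote to memory of 3436 3608 e57c091.exe 56 "
    "PID 3608 wrote to memory of 3616 3608 e57c091.exe 83 "
    "PID 3972 wrote to memory of 2680 3972 rundll32.exe 86 "
    "PID 3972 wrote to memory of 1028 3972 rundll32.exe 87 "
    "PID 3608 wrote to memory of 776 3608 e57c091.exe 8 "
    "PID 1028 wrote to memory of 776 1028 e57dc27.exe 8 "
    "PID 1028 wrote to memory of 3436 1028 e57dc27.exe 56 "
)
# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_image, procid_target) tuples."""
    return [(int(w), int(t), image, int(idx)) for w, t, image, idx in WPM_RE.findall(text)]

def injection_graph(records):
    """writer_pid -> {target_pid: number of write events}, in report order."""
    graph = defaultdict(lambda: defaultdict(int))
    for writer, target, _, _ in records:
        graph[writer][target] += 1
    return graph

def foreign_targets(graph):
    """Pre-existing processes (outside the sample's chain) each writer injected into."""
    out = {}
    for writer, targets in graph.items():
        foreign = set(targets) - SAMPLE_PIDS
        if foreign:
            out[writer] = foreign
    return out

def dropper_chain(graph, root):
    """Depth-first walk over write edges restricted to the sample's own PIDs: the
    order in which the chain was staged. Handles the back-edge 3608 -> 3616."""
    order, seen = [], set()
    def walk(pid):
        if pid in seen:
            return
        seen.add(pid)
        order.append(pid)
        for child in graph.get(pid, {}):
            if child in SAMPLE_PIDS:
                walk(child)
    walk(root)
    return order

def describe(graph):
    """Human-readable edges, e.g. 'e57c091.exe (3608) -> fontdrvhost.exe (776) x2'."""
    return [f"{PROCESSES.get(w, '?')} ({w}) -> {PROCESSES.get(t, '?')} ({t}) x{n}"
            for w, targets in graph.items() for t, n in targets.items()]

if __name__ == "__main__":
    g = injection_graph(parse_wpm(WPM_TEXT))
    print("chain:", [f"{PROCESSES[p]} ({p})" for p in dropper_chain(g, 3616)])
    for writer, pids in foreign_targets(g).items():
        print(f"{PROCESSES[writer]} ({writer}) injected into:", sorted(PROCESSES[p] for p in pids))
    print("\n".join(describe(g)))
```

On the full 64-record list from the report the same functions show the pattern the excerpt only hints at: each of the two droppers writes into the same fifteen pre-existing processes (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, the shell apps and RuntimeBrokers), and e57c091.exe also writes back into both rundll32 hosts that staged it. That is the set of processes to memory-dump and scan first on an infected host, because Sality's running code lives there after the dropped files are removed.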
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 4
    Disable or Modify System Firewall (T1562.004): 1
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 5
Downloads

Filesize: 97KB
MD5: b12eb4934a8b51b9fab9ac07cb434316
SHA1: f072cf8b5975d3e1d776bbe210f90da8b243712d
SHA256: 42dea6375a29df2c62ce0f10441b2bddf78774dfb20102f3d3db14cea32a167d
SHA512: b3b3310c417e88d70ca9f3ee53936d6a47b0059b1c49b93995106ea356664318729e26e78a8b3f2013f730f761e12063da5b80c7ababd23a72ba2f27f894d230

Filesize: 257B
MD5: b575e17985027b04f03a717dde52bb8f
SHA1: 141ad1e4013764f8aa3824a00798eda14d78a023
SHA256: ddbb53e73259b4304e8053975cc1e01327be4f5e18e58e0c5903d8c9928f2ab8
SHA512: 79f8312080220b34bf848a2d42e7111ed3f5542f6a0880b01851d536618e1d78baba1bea0d46185d7e2dc552669c86c6e267cc83e1661fe3708ba6c24cf31bdf