Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
05-02-2025 15:07

Static task
static1
Behavioral task
behavioral1
Sample
2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll
Resource
win7-20241023-en
General

Target
2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll
Size
120KB
MD5
1551b8b305f4869b1211172f5515cc40
SHA1
b4983ba6ffcc839e2415b419754f1dab5c55ce95
SHA256
2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99b
SHA512
338a3a3c7de1b13a14b631fc8a0d7956f88fa6dd92aa06f8a8043b7be5b9b51e4980b05fd2d5590b48eff21ea609d915172edee62b013b9bae1fed902e41d879
SSDEEP
3072:VEgVV7VOvSMIlJxeJsBcQpCzxUamtiCF:VhDsIP0JA8FUaOi
Malware Config

Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a21c.exe
Sality family

UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bdc2.exe
Windows security bypass 2 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a21c.exe
Executes dropped EXE 4 IoCs
pid | Process
4656 | e57a21c.exe
2532 | e57a374.exe
1468 | e57bdb2.exe
3384 | e57bdc2.exe
Windows security modification 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bdc2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bdc2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a21c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bdc2.exe
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bdc2.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57a21c.exe
File opened (read-only) | \??\I: | e57a21c.exe
File opened (read-only) | \??\R: | e57a21c.exe
File opened (read-only) | \??\S: | e57a21c.exe
File opened (read-only) | \??\J: | e57a21c.exe
File opened (read-only) | \??\L: | e57a21c.exe
File opened (read-only) | \??\Q: | e57a21c.exe
File opened (read-only) | \??\T: | e57a21c.exe
File opened (read-only) | \??\H: | e57a21c.exe
File opened (read-only) | \??\M: | e57a21c.exe
File opened (read-only) | \??\G: | e57a21c.exe
File opened (read-only) | \??\K: | e57a21c.exe
File opened (read-only) | \??\N: | e57a21c.exe
File opened (read-only) | \??\O: | e57a21c.exe
File opened (read-only) | \??\P: | e57a21c.exe
resource | yara_rule
behavioral2/memory/4656-6-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-9-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-12-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-11-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-23-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-27-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-13-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-10-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-8-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-32-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-35-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-34-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-36-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-37-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-38-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-40-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-41-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-56-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-58-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-59-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-73-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-74-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-77-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-79-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-82-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-83-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-87-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-86-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-89-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-92-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-99-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4656-96-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/3384-137-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/3384-143-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57a21c.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57a21c.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57a21c.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57a21c.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57a26a | e57a21c.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a21c.exe
File created | C:\Windows\e580c30 | e57bdc2.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a21c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a374.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bdb2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bdc2.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4656 | e57a21c.exe
4656 | e57a21c.exe
4656 | e57a21c.exe
4656 | e57a21c.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4656 | e57a21c.exe
(this identical row is repeated 64 times in the report; all 64 entries are Token: SeDebugPrivilege from PID 4656, e57a21c.exe)
Suspicious use of WriteProcessMemory 54 IoCs
description | pid | Process | procid_target
PID 2588 wrote to memory of 5064 | 2588 | rundll32.exe | 82
PID 2588 wrote to memory of 5064 | 2588 | rundll32.exe | 82
PID 2588 wrote to memory of 5064 | 2588 | rundll32.exe | 82
PID 5064 wrote to memory of 4656 | 5064 | rundll32.exe | 83
PID 5064 wrote to memory of 4656 | 5064 | rundll32.exe | 83
PID 5064 wrote to memory of 4656 | 5064 | rundll32.exe | 83
PID 4656 wrote to memory of 776 | 4656 | e57a21c.exe | 8
PID 4656 wrote to memory of 784 | 4656 | e57a21c.exe | 9
PID 4656 wrote to memory of 64 | 4656 | e57a21c.exe | 13
PID 4656 wrote to memory of 2820 | 4656 | e57a21c.exe | 49
PID 4656 wrote to memory of 2852 | 4656 | e57a21c.exe | 50
PID 4656 wrote to memory of 2964 | 4656 | e57a21c.exe | 51
PID 4656 wrote to memory of 3416 | 4656 | e57a21c.exe | 56
PID 4656 wrote to memory of 3552 | 4656 | e57a21c.exe | 57
PID 4656 wrote to memory of 3736 | 4656 | e57a21c.exe | 58
PID 4656 wrote to memory of 3824 | 4656 | e57a21c.exe | 59
PID 4656 wrote to memory of 3888 | 4656 | e57a21c.exe | 60
PID 4656 wrote to memory of 3968 | 4656 | e57a21c.exe | 61
PID 4656 wrote to memory of 3352 | 4656 | e57a21c.exe | 62
PID 4656 wrote to memory of 2108 | 4656 | e57a21c.exe | 75
PID 4656 wrote to memory of 4836 | 4656 | e57a21c.exe | 76
PID 4656 wrote to memory of 2588 | 4656 | e57a21c.exe | 81
PID 4656 wrote to memory of 5064 | 4656 | e57a21c.exe | 82
PID 4656 wrote to memory of 5064 | 4656 | e57a21c.exe | 82
PID 5064 wrote to memory of 2532 | 5064 | rundll32.exe | 84
PID 5064 wrote to memory of 2532 | 5064 | rundll32.exe | 84
PID 5064 wrote to memory of 2532 | 5064 | rundll32.exe | 84
PID 5064 wrote to memory of 1468 | 5064 | rundll32.exe | 85
PID 5064 wrote to memory of 1468 | 5064 | rundll32.exe | 85
PID 5064 wrote to memory of 1468 | 5064 | rundll32.exe | 85
PID 5064 wrote to memory of 3384 | 5064 | rundll32.exe | 86
PID 5064 wrote to memory of 3384 | 5064 | rundll32.exe | 86
PID 5064 wrote to memory of 3384 | 5064 | rundll32.exe | 86
PID 4656 wrote to memory of 776 | 4656 | e57a21c.exe | 8
PID 4656 wrote to memory of 784 | 4656 | e57a21c.exe | 9
PID 4656 wrote to memory of 64 | 4656 | e57a21c.exe | 13
PID 4656 wrote to memory of 2820 | 4656 | e57a21c.exe | 49
PID 4656 wrote to memory of 2852 | 4656 | e57a21c.exe | 50
PID 4656 wrote to memory of 2964 | 4656 | e57a21c.exe | 51
PID 4656 wrote to memory of 3416 | 4656 | e57a21c.exe | 56
PID 4656 wrote to memory of 3552 | 4656 | e57a21c.exe | 57
PID 4656 wrote to memory of 3736 | 4656 | e57a21c.exe | 58
PID 4656 wrote to memory of 3824 | 4656 | e57a21c.exe | 59
PID 4656 wrote to memory of 3888 | 4656 | e57a21c.exe | 60
PID 4656 wrote to memory of 3968 | 4656 | e57a21c.exe | 61
PID 4656 wrote to memory of 3352 | 4656 | e57a21c.exe | 62
PID 4656 wrote to memory of 2108 | 4656 | e57a21c.exe | 75
PID 4656 wrote to memory of 4836 | 4656 | e57a21c.exe | 76
PID 4656 wrote to memory of 2532 | 4656 | e57a21c.exe | 84
PID 4656 wrote to memory of 2532 | 4656 | e57a21c.exe | 84
PID 4656 wrote to memory of 1468 | 4656 | e57a21c.exe | 85
PID 4656 wrote to memory of 1468 | 4656 | e57a21c.exe | 85
PID 4656 wrote to memory of 3384 | 4656 | e57a21c.exe | 86
PID 4656 wrote to memory of 3384 | 4656 | e57a21c.exe | 86
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a21c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bdc2.exe
Processes
(path, command line, triggered signatures, PID; child processes are indented under their parent)

C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  PID:776

C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  PID:784

C:\Windows\system32\dwm.exe
  "dwm.exe"
  PID:64

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID:2820

C:\Windows\system32\sihost.exe
  sihost.exe
  PID:2852

C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID:2964

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  PID:3416

    C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll,#1
      - Suspicious use of WriteProcessMemory
      PID:2588

        C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll,#1
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:5064

            C:\Users\Admin\AppData\Local\Temp\e57a21c.exe
              C:\Users\Admin\AppData\Local\Temp\e57a21c.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID:4656

            C:\Users\Admin\AppData\Local\Temp\e57a374.exe
              C:\Users\Admin\AppData\Local\Temp\e57a374.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID:2532

            C:\Users\Admin\AppData\Local\Temp\e57bdb2.exe
              C:\Users\Admin\AppData\Local\Temp\e57bdb2.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID:1468

            C:\Users\Admin\AppData\Local\Temp\e57bdc2.exe
              C:\Users\Admin\AppData\Local\Temp\e57bdc2.exe
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - System policy modification
              PID:3384

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3552

C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID:3824

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:3968

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID:2108

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4836
Network

MITRE ATT&CK Enterprise v15
(tactic, then technique with the count of matched signatures, sub-techniques indented)

Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Create or Modify System Process 1
    Windows Service 1

Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Impair Defenses 4
    Disable or Modify System Firewall 1
    Disable or Modify Tools 3
  Modify Registry 5
Downloads

Filesize
97KB
MD5
c0081356aa7eb83b569d1dc436539689
SHA1
d2fb32ae802241f45b6718a7de81677ad4b42fb9
SHA256
fbc155647df3e3c2a2a46ba030b9313fb2b13836b7e7dfffde8145c569e875e5
SHA512
8637cda220d3ef7a7a3689cfb93bd39af19cf28f05eba3e5176802d011c0d64422c14477a8096b3df902147318cb26c5ffe2c9ccdd779baeddb86817e90f8a38

Filesize
257B
MD5
377ac2f41009cda4cead9babf6c67b37
SHA1
607c4ed4060a06ca01021b1328206ef22cc10aff
SHA256
c76dd99adf7621adeacd95482578be80a8c9b213e8ad0048d632f12f177a05c5
SHA512
093d92786c0ba3805eab9e8facf3e81a5c6e54f15a8947dbe3cc1a70a8ab977279241c6e649c2454c98511d32114bdea0a318ac3c926fd4f578868fd2bee7201