Analysis
- max time kernel: 92s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2025, 12:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: db390d4ebbca244a2704bf0898953df7284c593678ce96fe0c23dd8ca0a85936.dll
- Resource: win7-20240903-en
General
- Target: db390d4ebbca244a2704bf0898953df7284c593678ce96fe0c23dd8ca0a85936.dll
- Size: 120KB
- MD5: 2e30ac9c0b6f3bc56b3be9a201d2ee0a
- SHA1: 0b7aa2016915650f796fc538d981c9195744cad1
- SHA256: db390d4ebbca244a2704bf0898953df7284c593678ce96fe0c23dd8ca0a85936
- SHA512: 81c32d01f628317dacbe1b5747505687ce5416bc51eb959d2215422e9023f68cf19b6b866563aeb306053c59c05a3dc95f08a28b4c1841b7915232dd70c93943
- SSDEEP: 3072:X0oOdPsX1e+EZNr5py8NDIl6blsG1ZKl0wM7:X0oOkXc+EZfp9N8sR11ZlwM7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e58482f.exe
Sality family

UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58482f.exe
Windows security bypass 2 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e58482f.exe
Executes dropped EXE 4 IoCs
pid | Process
3676 | e581fe7.exe
4560 | e58211f.exe
2484 | e584810.exe
2516 | e58482f.exe
Windows security modification 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e581fe7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e58482f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e58482f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e581fe7.exe
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58482f.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e581fe7.exe
File opened (read-only) | \??\J: | e581fe7.exe
File opened (read-only) | \??\N: | e581fe7.exe
File opened (read-only) | \??\O: | e581fe7.exe
File opened (read-only) | \??\H: | e58482f.exe
File opened (read-only) | \??\E: | e581fe7.exe
File opened (read-only) | \??\G: | e581fe7.exe
File opened (read-only) | \??\I: | e581fe7.exe
File opened (read-only) | \??\E: | e58482f.exe
File opened (read-only) | \??\K: | e581fe7.exe
File opened (read-only) | \??\G: | e58482f.exe
File opened (read-only) | \??\I: | e58482f.exe
File opened (read-only) | \??\J: | e58482f.exe
File opened (read-only) | \??\L: | e581fe7.exe
File opened (read-only) | \??\M: | e581fe7.exe
resource | yara_rule
behavioral2/memory/3676-6-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-11-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-10-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-22-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-12-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-18-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-9-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-8-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-33-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-13-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-24-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-35-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-37-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-38-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-39-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-41-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-68-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-69-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-71-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-72-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-74-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-76-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-78-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-80-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-82-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-86-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3676-87-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/2516-122-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/2516-165-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e581fe7.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e581fe7.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e581fe7.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e581fe7.exe
File created | C:\Windows\e587097 | e58482f.exe
File created | C:\Windows\e582035 | e581fe7.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e581fe7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e58211f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e584810.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e58482f.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3676 | e581fe7.exe
3676 | e581fe7.exe
3676 | e581fe7.exe
3676 | e581fe7.exe
2516 | e58482f.exe
2516 | e58482f.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Token: SeDebugPrivilege | 3676 | e581fe7.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5096 wrote to memory of 2384 | 5096 | rundll32.exe | 86
PID 5096 wrote to memory of 2384 | 5096 | rundll32.exe | 86
PID 5096 wrote to memory of 2384 | 5096 | rundll32.exe | 86
PID 2384 wrote to memory of 3676 | 2384 | rundll32.exe | 87
PID 2384 wrote to memory of 3676 | 2384 | rundll32.exe | 87
PID 2384 wrote to memory of 3676 | 2384 | rundll32.exe | 87
PID 3676 wrote to memory of 788 | 3676 | e581fe7.exe | 8
PID 3676 wrote to memory of 796 | 3676 | e581fe7.exe | 9
PID 3676 wrote to memory of 336 | 3676 | e581fe7.exe | 13
PID 3676 wrote to memory of 3012 | 3676 | e581fe7.exe | 50
PID 3676 wrote to memory of 3028 | 3676 | e581fe7.exe | 51
PID 3676 wrote to memory of 3112 | 3676 | e581fe7.exe | 53
PID 3676 wrote to memory of 3440 | 3676 | e581fe7.exe | 56
PID 3676 wrote to memory of 3584 | 3676 | e581fe7.exe | 57
PID 3676 wrote to memory of 3760 | 3676 | e581fe7.exe | 58
PID 3676 wrote to memory of 3848 | 3676 | e581fe7.exe | 59
PID 3676 wrote to memory of 3912 | 3676 | e581fe7.exe | 60
PID 3676 wrote to memory of 4024 | 3676 | e581fe7.exe | 61
PID 3676 wrote to memory of 3196 | 3676 | e581fe7.exe | 62
PID 3676 wrote to memory of 4940 | 3676 | e581fe7.exe | 74
PID 3676 wrote to memory of 4952 | 3676 | e581fe7.exe | 76
PID 3676 wrote to memory of 640 | 3676 | e581fe7.exe | 83
PID 3676 wrote to memory of 1444 | 3676 | e581fe7.exe | 84
PID 3676 wrote to memory of 5096 | 3676 | e581fe7.exe | 85
PID 3676 wrote to memory of 2384 | 3676 | e581fe7.exe | 86
PID 3676 wrote to memory of 2384 | 3676 | e581fe7.exe | 86
PID 2384 wrote to memory of 4560 | 2384 | rundll32.exe | 88
PID 2384 wrote to memory of 4560 | 2384 | rundll32.exe | 88
PID 2384 wrote to memory of 4560 | 2384 | rundll32.exe | 88
PID 2384 wrote to memory of 2484 | 2384 | rundll32.exe | 95
PID 2384 wrote to memory of 2484 | 2384 | rundll32.exe | 95
PID 2384 wrote to memory of 2484 | 2384 | rundll32.exe | 95
PID 2384 wrote to memory of 2516 | 2384 | rundll32.exe | 96
PID 2384 wrote to memory of 2516 | 2384 | rundll32.exe | 96
PID 2384 wrote to memory of 2516 | 2384 | rundll32.exe | 96
PID 3676 wrote to memory of 788 | 3676 | e581fe7.exe | 8
PID 3676 wrote to memory of 796 | 3676 | e581fe7.exe | 9
PID 3676 wrote to memory of 336 | 3676 | e581fe7.exe | 13
PID 3676 wrote to memory of 3012 | 3676 | e581fe7.exe | 50
PID 3676 wrote to memory of 3028 | 3676 | e581fe7.exe | 51
PID 3676 wrote to memory of 3112 | 3676 | e581fe7.exe | 53
PID 3676 wrote to memory of 3440 | 3676 | e581fe7.exe | 56
PID 3676 wrote to memory of 3584 | 3676 | e581fe7.exe | 57
PID 3676 wrote to memory of 3760 | 3676 | e581fe7.exe | 58
PID 3676 wrote to memory of 3848 | 3676 | e581fe7.exe | 59
PID 3676 wrote to memory of 3912 | 3676 | e581fe7.exe | 60
PID 3676 wrote to memory of 4024 | 3676 | e581fe7.exe | 61
PID 3676 wrote to memory of 3196 | 3676 | e581fe7.exe | 62
PID 3676 wrote to memory of 4940 | 3676 | e581fe7.exe | 74
PID 3676 wrote to memory of 4952 | 3676 | e581fe7.exe | 76
PID 3676 wrote to memory of 640 | 3676 | e581fe7.exe | 83
PID 3676 wrote to memory of 1444 | 3676 | e581fe7.exe | 84
PID 3676 wrote to memory of 4560 | 3676 | e581fe7.exe | 88
PID 3676 wrote to memory of 4560 | 3676 | e581fe7.exe | 88
PID 3676 wrote to memory of 3288 | 3676 | e581fe7.exe | 90
PID 3676 wrote to memory of 3336 | 3676 | e581fe7.exe | 91
PID 3676 wrote to memory of 208 | 3676 | e581fe7.exe | 92
PID 3676 wrote to memory of 2484 | 3676 | e581fe7.exe | 95
PID 3676 wrote to memory of 2484 | 3676 | e581fe7.exe | 95
PID 3676 wrote to memory of 2516 | 3676 | e581fe7.exe | 96
PID 3676 wrote to memory of 2516 | 3676 | e581fe7.exe | 96
PID 2516 wrote to memory of 788 | 2516 | e58482f.exe | 8
PID 2516 wrote to memory of 796 | 2516 | e58482f.exe | 9
PID 2516 wrote to memory of 336 | 2516 | e58482f.exe | 13
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581fe7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58482f.exe
Processes
Each entry is: image path | command line | PID, with detected signatures listed beneath it; indentation shows the parent/child relationship.

- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
- C:\Windows\system32\sihost.exe | sihost.exe | PID:3012
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3028
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3112
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3440
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\db390d4ebbca244a2704bf0898953df7284c593678ce96fe0c23dd8ca0a85936.dll,#1 | PID:5096
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\db390d4ebbca244a2704bf0898953df7284c593678ce96fe0c23dd8ca0a85936.dll,#1 | PID:2384
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e581fe7.exe | C:\Users\Admin\AppData\Local\Temp\e581fe7.exe | PID:3676
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e58211f.exe | C:\Users\Admin\AppData\Local\Temp\e58211f.exe | PID:4560
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e584810.exe | C:\Users\Admin\AppData\Local\Temp\e584810.exe | PID:2484
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e58482f.exe | C:\Users\Admin\AppData\Local\Temp\e58482f.exe | PID:2516
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3584
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3760
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3848
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4024
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3196
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4940
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4952
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:640
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1444
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3288
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3336
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID:208
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 7a615d32227eb404d983e8abb055b2c2
  SHA1: 261e3bb9215d8ad3ad3ad3933c837fce582b595e
  SHA256: c6cc13d3e023c4f62aea46a414c60cc8972b50041bfe36987f5b2d839764663f
  SHA512: 0b2d4dc6d431049b868a4142ec92e2c65d4a6705277eac4d6d52669b3631c3735d0ca444428900eaea3ad98142479ff47b412e68113157c1f5a64105e3b862e8
- Filesize: 257B
  MD5: 6138c9efd1b704dd272cf10034475687
  SHA1: b3c1eb1f549ae4e45bc82526bf9ce955ef83de64
  SHA256: 25f019147cd8f21f47c62d2be7a07e0df59a19b551c8f272bbfef5e25565193b
  SHA512: 8fffc5daa8271e005cb5818a542a7730aba66fee0caed01d25fa456a9cb125c37e4ac90f62c33ae7ae3074654ca624187d4ed3ce271ce9bdaca59647eb8be188