Analysis
  Max time kernel: 94s
  Max time network: 101s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240508-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 29-06-2024 01:01
  Static task: static1
  Behavioral task: behavioral1
    Sample: a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d.dll
    Resource: win7-20240220-en
General
  Target: a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d.dll
  Size: 120KB
  MD5: 9ef7044c48cbc23ec9de7ad3c9ff7018
  SHA1: ba12f3db93a25ef85bb3b4a73f6f5ec480472d41
  SHA256: a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d
  SHA512: dabec67e818929805a155b7824d855e707d25cacee24d7868b25be8a53b5ae4ba2c04ea720f1aff576b1db6443e898a84a407f1790c52651ad0afaa6a8cb9134
  SSDEEP: 3072:zB1l3evcfobtq8IW1M66FmNxCSvjgu6nKaff:d1luvs2qNrkCSvjLKB
Malware Config
  Extracted: sality
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e573df3.exe, e573c8c.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  [e573df3.exe]
UAC bypass (2 IoCs)
Processes: e573c8c.exe, e573df3.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [e573df3.exe]
Windows security bypass (12 IoCs)
Processes: e573c8c.exe, e573df3.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [e573df3.exe]
Executes dropped EXE (3 IoCs)
Processes: e573c8c.exe, e573df3.exe, e575851.exe
  PID 4420  e573c8c.exe
  PID 4296  e573df3.exe
  PID 3568  e575851.exe
Yara rule match: upx (34 IoCs)
Processes: e573c8c.exe (PID 4420), e573df3.exe (PID 4296)
Windows security modification (14 IoCs)
Processes: e573c8c.exe, e573df3.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [e573c8c.exe]
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [e573df3.exe]
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  [e573df3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [e573c8c.exe]
Checks whether UAC is enabled (2 IoCs)
Processes: e573c8c.exe, e573df3.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [e573df3.exe]
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573c8c.exe
  File opened (read-only), all by e573c8c.exe: \??\K:, \??\R:, \??\I:, \??\J:, \??\M:, \??\N:, \??\P:, \??\G:, \??\H:, \??\Q:, \??\S:, \??\E:, \??\L:, \??\O:
Drops file in Program Files directory (4 IoCs)
Processes: e573c8c.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe  [e573c8c.exe]
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe  [e573c8c.exe]
  File opened for modification  C:\Program Files\7-Zip\7zG.exe  [e573c8c.exe]
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe  [e573c8c.exe]
Drops file in Windows directory (3 IoCs)
Processes: e573c8c.exe, e573df3.exe
  File created  C:\Windows\e573cda  [e573c8c.exe]
  File opened for modification  C:\Windows\SYSTEM.INI  [e573c8c.exe]
  File created  C:\Windows\e578d3c  [e573df3.exe]
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e573c8c.exe, e573df3.exe
  PID 4420  e573c8c.exe  (4 entries)
  PID 4296  e573df3.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e573c8c.exe
  Token: SeDebugPrivilege  PID 4420  e573c8c.exe  (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e573c8c.exe, e573df3.exe
Each line reads: source PID and process -> target PID and process (number of identical entries).
  4956 rundll32.exe -> 2152 rundll32.exe  (x3)
  2152 rundll32.exe -> 4420 e573c8c.exe  (x3)
  4420 e573c8c.exe -> 760 fontdrvhost.exe  (x2)
  4420 e573c8c.exe -> 764 fontdrvhost.exe  (x2)
  4420 e573c8c.exe -> 1016 dwm.exe  (x2)
  4420 e573c8c.exe -> 2480 sihost.exe  (x2)
  4420 e573c8c.exe -> 2500 svchost.exe  (x2)
  4420 e573c8c.exe -> 2684 taskhostw.exe  (x2)
  4420 e573c8c.exe -> 3500 Explorer.EXE  (x2)
  4420 e573c8c.exe -> 3648 svchost.exe  (x2)
  4420 e573c8c.exe -> 3824 DllHost.exe  (x2)
  4420 e573c8c.exe -> 3912 StartMenuExperienceHost.exe  (x2)
  4420 e573c8c.exe -> 3972 RuntimeBroker.exe  (x2)
  4420 e573c8c.exe -> 4060 SearchApp.exe  (x2)
  4420 e573c8c.exe -> 3944 RuntimeBroker.exe  (x2)
  4420 e573c8c.exe -> 456 TextInputHost.exe  (x2)
  4420 e573c8c.exe -> 2572 RuntimeBroker.exe  (x2)
  4420 e573c8c.exe -> 4956 rundll32.exe  (x1)
  4420 e573c8c.exe -> 2152 rundll32.exe  (x2)
  2152 rundll32.exe -> 4296 e573df3.exe  (x3)
  2152 rundll32.exe -> 3568 e575851.exe  (x3)
  4420 e573c8c.exe -> 4296 e573df3.exe  (x2)
  4420 e573c8c.exe -> 3568 e575851.exe  (x2)
  4296 e573df3.exe -> 760 fontdrvhost.exe  (x1)
  4296 e573df3.exe -> 764 fontdrvhost.exe  (x1)
  4296 e573df3.exe -> 1016 dwm.exe  (x1)
  4296 e573df3.exe -> 2480 sihost.exe  (x1)
  4296 e573df3.exe -> 2500 svchost.exe  (x1)
  4296 e573df3.exe -> 2684 taskhostw.exe  (x1)
  4296 e573df3.exe -> 3500 Explorer.EXE  (x1)
  4296 e573df3.exe -> 3648 svchost.exe  (x1)
  4296 e573df3.exe -> 3824 DllHost.exe  (x1)
  4296 e573df3.exe -> 3912 StartMenuExperienceHost.exe  (x1)
  4296 e573df3.exe -> 3972 RuntimeBroker.exe  (x1)
  4296 e573df3.exe -> 4060 SearchApp.exe  (x1)
  4296 e573df3.exe -> 3944 RuntimeBroker.exe  (x1)
  4296 e573df3.exe -> 456 TextInputHost.exe  (x1)
  4296 e573df3.exe -> 2572 RuntimeBroker.exe  (x1)
System policy modification (1 TTPs, 2 IoCs)
Processes: e573c8c.exe, e573df3.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [e573c8c.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [e573df3.exe]
Processes
Each entry gives the process image path followed by its command line; indentation shows depth in the process tree, and the bullets under an entry are the signatures triggered by that process.

C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
C:\Windows\system32\dwm.exe   "dwm.exe"
C:\Windows\system32\sihost.exe   sihost.exe
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE   C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e573c8c.exe   C:\Users\Admin\AppData\Local\Temp\e573c8c.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e573df3.exe   C:\Users\Admin\AppData\Local\Temp\e573df3.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e575851.exe   C:\Users\Admin\AppData\Local\Temp\e575851.exe
        - Executes dropped EXE
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Modify Registry (5)
  Impair Defenses (4)
    Disable or Modify Tools (3)
    Disable or Modify System Firewall (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\e573c8c.exe
  Filesize: 97KB
  MD5: f8ce943a63132ba00860d9756e7a64c3
  SHA1: 7c125a935af64429f7ce334147dbabd06da15082
  SHA256: 6ab27171224a781f4baf238794c02b55c517c9c4e7f0a842e1eb6c0fd5530f9a
  SHA512: a929d6cd8370a26c9636b53ee228046440bee9089586d3129d4acad1744e249efc6382e03b0e3faa71c20e9517ca7d23960e2295d687502578e86d41a2ffc6d7

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: b6b9a7df21ea06b7aa07a1e311fe9b31
  SHA1: 0c2b938cc02afa154334c75cec5654a958222ed1
  SHA256: 17540d3d91c17f193bc395185f42cfcba197aa702d96267c4d77b6ea472fa794
  SHA512: 9367449cbaf2991fb6ae3a5906ca490e8bc98be3647f0c488f9c1a14cccb603828f32623d1c66a2ec473eaab928d3d9192f09787a9b589ff729c2203c75e2ec8