Analysis
max time kernel: 135s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 05:23

Static task: static1
Behavioral task: behavioral1
Sample: fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d.dll
Resource: win7-20240508-en

Note: the behavioral results on this page come from task behavioral2 on win10v2004-20240611-en (see the platform and resource fields above and the behavioral2/ prefix on every memory dump below); win7-20240508-en is the resource of the behavioral1 task in the task list.
General
Target: fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d.dll
Size: 120KB
MD5: 7f979404f5032afe210729b54dfac5ef
SHA1: 76c90b74cdd29563ddbc26395bec29063df0681b
SHA256: fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d
SHA512: 44a097a577a246c1fd9c49d13b9ef0ecf701e657daaa935236f6da9936ef8907d866ee1e873ee1a754f73b6c26173c9ba765f982ee100d3748078539648e9945
SSDEEP: 3072:FGE3MnhUaUd/o+Thb7sKGHWwEaFyrpzF:ROhUi+Thb7sKGdVFcF
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
Processes: e5737d9.exe, e5756ab.exe, e5735d5.exe
All values live under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
description      ioc                          process
Set value (int)  EnableFirewall = "0"         e5735d5.exe
Set value (int)  DoNotAllowExceptions = "0"   e5735d5.exe
Set value (int)  DisableNotifications = "1"   e5735d5.exe
Set value (int)  EnableFirewall = "0"         e5737d9.exe
Set value (int)  DoNotAllowExceptions = "0"   e5737d9.exe
Set value (int)  DisableNotifications = "1"   e5737d9.exe
Set value (int)  EnableFirewall = "0"         e5756ab.exe
Set value (int)  DoNotAllowExceptions = "0"   e5756ab.exe
Set value (int)  DisableNotifications = "1"   e5756ab.exe
UAC bypass 3 IoCs
Processes: e5737d9.exe, e5756ab.exe, e5735d5.exe
description      ioc                                                                               process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5737d9.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5756ab.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5735d5.exe
Windows security bypass 18 IoCs
Processes: e5735d5.exe, e5737d9.exe, e5756ab.exe
All values live under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center (the WOW6432Node path is where a 32-bit process's HKLM\SOFTWARE writes are redirected on x64)
description      ioc                            process
Set value (int)  AntiVirusOverride = "1"        e5735d5.exe
Set value (int)  AntiVirusDisableNotify = "1"   e5735d5.exe
Set value (int)  FirewallOverride = "1"         e5735d5.exe
Set value (int)  FirewallDisableNotify = "1"    e5735d5.exe
Set value (int)  UpdatesDisableNotify = "1"     e5735d5.exe
Set value (int)  UacDisableNotify = "1"         e5735d5.exe
Set value (int)  AntiVirusOverride = "1"        e5737d9.exe
Set value (int)  AntiVirusDisableNotify = "1"   e5737d9.exe
Set value (int)  FirewallOverride = "1"         e5737d9.exe
Set value (int)  FirewallDisableNotify = "1"    e5737d9.exe
Set value (int)  UpdatesDisableNotify = "1"     e5737d9.exe
Set value (int)  UacDisableNotify = "1"         e5737d9.exe
Set value (int)  AntiVirusOverride = "1"        e5756ab.exe
Set value (int)  AntiVirusDisableNotify = "1"   e5756ab.exe
Set value (int)  FirewallOverride = "1"         e5756ab.exe
Set value (int)  FirewallDisableNotify = "1"    e5756ab.exe
Set value (int)  UpdatesDisableNotify = "1"     e5756ab.exe
Set value (int)  UacDisableNotify = "1"         e5756ab.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs
yara rule: INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-N-0x00000000007E0000-0x000000000189A000-memory.dmp for N in 6, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 36, 37, 38, 39, 40, 50, 59, 61, 62, 64, 66, 68, 70, 72, 73, 74, 80 (28 dumps)
behavioral2/memory/1176-N-0x0000000000B60000-0x0000000001C1A000-memory.dmp for N in 112, 129 (2 dumps)
UPX dump on OEP (original entry point) 34 IoCs
yara rule: UPX
behavioral2/memory/2124-N-0x00000000007E0000-0x000000000189A000-memory.dmp for N in 6, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 36, 37, 38, 39, 40, 50, 59, 61, 62, 64, 66, 68, 70, 72, 73, 74, 80 (28 dumps)
behavioral2/memory/2124-95-0x0000000000400000-0x0000000000412000-memory.dmp
behavioral2/memory/1176-N-0x0000000000400000-0x0000000000412000-memory.dmp for N in 35, 130 (2 dumps)
behavioral2/memory/1176-N-0x0000000000B60000-0x0000000001C1A000-memory.dmp for N in 112, 129 (2 dumps)
behavioral2/memory/5056-153-0x0000000000400000-0x0000000000412000-memory.dmp
Executes dropped EXE 3 IoCs
pid   process
2124  e5735d5.exe
1176  e5737d9.exe
5056  e5756ab.exe
UPX-packed memory regions (yara rule upx) 30 IoCs
behavioral2/memory/2124-N-0x00000000007E0000-0x000000000189A000-memory.dmp for N in 6, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 36, 37, 38, 39, 40, 50, 59, 61, 62, 64, 66, 68, 70, 72, 73, 74, 80 (28 dumps)
behavioral2/memory/1176-N-0x0000000000B60000-0x0000000001C1A000-memory.dmp for N in 112, 129 (2 dumps)
Windows security modification 21 IoCs
Processes: e5737d9.exe, e5756ab.exe, e5735d5.exe
All keys live under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
description      ioc                            process
Set value (int)  AntiVirusOverride = "1"        e5735d5.exe
Set value (int)  AntiVirusDisableNotify = "1"   e5735d5.exe
Set value (int)  FirewallOverride = "1"         e5735d5.exe
Set value (int)  FirewallDisableNotify = "1"    e5735d5.exe
Set value (int)  UpdatesDisableNotify = "1"     e5735d5.exe
Set value (int)  UacDisableNotify = "1"         e5735d5.exe
Key created      Svc                            e5735d5.exe
Set value (int)  AntiVirusOverride = "1"        e5737d9.exe
Set value (int)  AntiVirusDisableNotify = "1"   e5737d9.exe
Set value (int)  FirewallOverride = "1"         e5737d9.exe
Set value (int)  FirewallDisableNotify = "1"    e5737d9.exe
Set value (int)  UpdatesDisableNotify = "1"     e5737d9.exe
Set value (int)  UacDisableNotify = "1"         e5737d9.exe
Key created      Svc                            e5737d9.exe
Set value (int)  AntiVirusOverride = "1"        e5756ab.exe
Set value (int)  AntiVirusDisableNotify = "1"   e5756ab.exe
Set value (int)  FirewallOverride = "1"         e5756ab.exe
Set value (int)  FirewallDisableNotify = "1"    e5756ab.exe
Set value (int)  UpdatesDisableNotify = "1"     e5756ab.exe
Set value (int)  UacDisableNotify = "1"         e5756ab.exe
Key created      Svc                            e5756ab.exe
Checks whether UAC is enabled 3 IoCs
Processes: e5735d5.exe, e5737d9.exe, e5756ab.exe
description      ioc                                                                               process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5735d5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5737d9.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5756ab.exe
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e5735d5.exe
description              ioc     process
File opened (read-only)  \??\E:  e5735d5.exe
File opened (read-only)  \??\G:  e5735d5.exe
File opened (read-only)  \??\H:  e5735d5.exe
File opened (read-only)  \??\I:  e5735d5.exe
File opened (read-only)  \??\J:  e5735d5.exe
File opened (read-only)  \??\K:  e5735d5.exe
File opened (read-only)  \??\L:  e5735d5.exe
File opened (read-only)  \??\M:  e5735d5.exe
File opened (read-only)  \??\N:  e5735d5.exe
File opened (read-only)  \??\O:  e5735d5.exe
File opened (read-only)  \??\P:  e5735d5.exe
Drops file in Program Files directory 3 IoCs
Processes: e5735d5.exe
description                   ioc                                process
File opened for modification  C:\Program Files\7-Zip\7z.exe      e5735d5.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe    e5735d5.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe     e5735d5.exe
Note that these are existing executables opened for write, not new files: Sality is a PE file infector, and touching every .exe it can find under Program Files is consistent with that, so on a real host those binaries should be treated as possibly infected rather than merely as dropped artifacts.
Drops file in Windows directory 4 IoCs
Processes: e5735d5.exe, e5737d9.exe, e5756ab.exe
description                   ioc                     process
File created                  C:\Windows\e573623      e5735d5.exe
File opened for modification  C:\Windows\SYSTEM.INI   e5735d5.exe
File created                  C:\Windows\e578666      e5737d9.exe
File created                  C:\Windows\e57a50a      e5756ab.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   process      records
2124  e5735d5.exe  4
1176  e5737d9.exe  2
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e5735d5.exe
description               pid   process
Token: SeDebugPrivilege   2124  e5735d5.exe  (64 identical records)
SeDebugPrivilege is what lets the dropper open the system processes listed under WriteProcessMemory below regardless of their DACLs; it is enabled once per target, hence the repetition.
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e5735d5.exe, e5737d9.exe
source pid/process -> target pid/process (record count)
1168 rundll32.exe -> 4900 rundll32.exe (x3)
4900 rundll32.exe -> 2124 e5735d5.exe (x3)
4900 rundll32.exe -> 1176 e5737d9.exe (x3)
4900 rundll32.exe -> 5056 e5756ab.exe (x3)
2124 e5735d5.exe -> 804 fontdrvhost.exe, 812 fontdrvhost.exe, 396 dwm.exe, 2684 sihost.exe, 2712 svchost.exe, 2844 taskhostw.exe, 3572 Explorer.EXE, 3724 svchost.exe, 3904 DllHost.exe, 4004 StartMenuExperienceHost.exe, 4068 RuntimeBroker.exe, 676 SearchApp.exe, 4232 RuntimeBroker.exe, 1492 TextInputHost.exe, 3788 RuntimeBroker.exe, 2184 backgroundTaskHost.exe, 368 backgroundTaskHost.exe (x2 each)
2124 e5735d5.exe -> 1168 rundll32.exe (x1), 4900 rundll32.exe (x2), 1176 e5737d9.exe (x2), 5056 e5756ab.exe (x2), 3196 RuntimeBroker.exe (x1), 2200 RuntimeBroker.exe (x1), 2088 DllHost.exe (x1)
1176 e5737d9.exe -> 804 fontdrvhost.exe, 812 fontdrvhost.exe, 396 dwm.exe, 2684 sihost.exe, 2712 svchost.exe, 2844 taskhostw.exe, 3572 Explorer.EXE, 3724 svchost.exe (x1 each)
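The WriteProcessMemory table above is dominated by one pattern: e5735d5.exe (PID 2124) writing into nearly every process in the session (fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, Explorer.EXE, RuntimeBroker.exe, and so on), with e5737d9.exe (PID 1176) starting to do the same before the run ended. The rundll32.exe -> e5735d5.exe triples are different in kind: a parent writing into a child it has just created. The script below is an added example, not part of the sandbox report or its tooling. It parses the 'wrote to memory of' records, keeps a per-edge count instead of silently dropping the sandbox's duplicate entries, and flags any source that hits at least five distinct targets including a well-known system process. The system-process list and the threshold are my assumptions; SAMPLE_WPM is a constructed excerpt of the records above.

```python
"""Build an injection graph from the report's 'wrote to memory of' records and
flag sources that write into many unrelated processes.

Added example built on this report's IoCs; the system-process list and the
five-target threshold are assumptions, not sandbox output."""
import re
from collections import defaultdict

# 'PID <src> wrote to memory of <dst> <src> <src.exe> <dst.exe>', printed back
# to back on one line by the report; the source pid appears twice per record.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+\.[eE][xX][eE]) (?P<dst_name>\S+\.[eE][xX][eE])"
)

# Session and service processes a dropper has no business writing into
# (assumed list, trimmed to what this report shows).
SYSTEM_PROCESSES = {
    "Explorer.EXE", "dwm.exe", "svchost.exe", "sihost.exe", "taskhostw.exe",
    "fontdrvhost.exe", "RuntimeBroker.exe", "DllHost.exe", "SearchApp.exe",
}

# Constructed excerpt: records copied from the table above.
SAMPLE_WPM = (
    "PID 1168 wrote to memory of 4900 1168 rundll32.exe rundll32.exe "
    "PID 1168 wrote to memory of 4900 1168 rundll32.exe rundll32.exe "
    "PID 4900 wrote to memory of 2124 4900 rundll32.exe e5735d5.exe "
    "PID 2124 wrote to memory of 804 2124 e5735d5.exe fontdrvhost.exe "
    "PID 2124 wrote to memory of 396 2124 e5735d5.exe dwm.exe "
    "PID 2124 wrote to memory of 2684 2124 e5735d5.exe sihost.exe "
    "PID 2124 wrote to memory of 2712 2124 e5735d5.exe svchost.exe "
    "PID 2124 wrote to memory of 3572 2124 e5735d5.exe Explorer.EXE "
    "PID 2124 wrote to memory of 1176 2124 e5735d5.exe e5737d9.exe "
    "PID 2124 wrote to memory of 3572 2124 e5735d5.exe Explorer.EXE "
    "PID 1176 wrote to memory of 3572 1176 e5737d9.exe Explorer.EXE "
)


def parse_wpm(text):
    """Return {(src_pid, src_name, dst_pid, dst_name): count}. The sandbox logs
    one record per WriteProcessMemory call, so an edge recurs; keep the count
    instead of dropping duplicates."""
    counts = defaultdict(int)
    for m in WPM_RE.finditer(text):
        edge = (int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])
        counts[edge] += 1
    return dict(counts)


def injection_targets(counts):
    """(src_pid, src_name) -> set of distinct (dst_pid, dst_name)."""
    targets = defaultdict(set)
    for src_pid, src_name, dst_pid, dst_name in counts:
        targets[(src_pid, src_name)].add((dst_pid, dst_name))
    return dict(targets)


def broad_injectors(counts, min_targets=5):
    """Sources writing into at least min_targets distinct processes, at least
    one of them a system process: the shape of a process-wide injector, not of
    a parent that writes into the single child it has just created."""
    flagged = {}
    for src, dsts in injection_targets(counts).items():
        sys_hits = sorted({name for _, name in dsts if name in SYSTEM_PROCESSES})
        if len(dsts) >= min_targets and sys_hits:
            flagged[src] = sys_hits
    return flagged


if __name__ == "__main__":
    counts = parse_wpm(SAMPLE_WPM)
    targets = injection_targets(counts)
    for src, names in broad_injectors(counts).items():
        print(f"{src[1]} (pid {src[0]}) writes into {len(targets[src])} "
              f"distinct processes, including: {', '.join(names)}")
```

Run against the full table the same way: paste the records into a string, call parse_wpm, and read broad_injectors; only e5735d5.exe and e5737d9.exe will qualify, while both rundll32.exe instances stay below the threshold because each only writes into the processes it launched.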
System policy modification 1 TTPs 3 IoCs
Processes: e5735d5.exe, e5737d9.exe, e5756ab.exe
description      ioc                                                                               process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5735d5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5737d9.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e5756ab.exe
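Every registry signature above (firewall policy, EnableLUA, Security Center) is the same kind of record: a process setting one value under HKLM. Two things are worth knowing before re-using them as host checks. The droppers are 32-bit (they are spawned from the SysWOW64 rundll32.exe), so their writes to HKLM\SOFTWARE\Microsoft\Security Center are redirected by WOW64 to the WOW6432Node path the tables show; and EnableLUA = 0 only takes effect after a reboot, so a host that was not restarted still has UAC enforced even though the policy value is already gone. The script below is an added example, not part of the sandbox report or the Triage tooling: it parses the flattened 'Set value' records into (key, value, data, process) tuples, maps each hit to the defence it weakens, and rewrites the kernel-style \REGISTRY\MACHINE\...\ControlSet001 paths into the HKLM\...\CurrentControlSet form that reg.exe and Get-ItemProperty accept on a live host. The impact strings, the excerpt in SAMPLE_IOCS (copied from the tables above) and the assumption that ControlSet001 is the current control set are mine.

```python
"""Turn the report's flattened 'Set value' registry IoCs into a per-process
list of the defences each dropper switches off.

Added example built on this report's records; the impact strings and the
ControlSet001 -> CurrentControlSet assumption are mine, not the sandbox's."""
import re
from collections import defaultdict

# One 'Set value (<type>) <key>\<value> = "<data>" <process>' record. The
# report prints these back to back on a single line, so finditer is used.
SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\[^=]+?) = "(?P<data>[^"]*)" '
    r'(?P<proc>\S+\.exe)'
)

# (key suffix, value name, data) -> what the setting does. Matching on the key
# suffix makes ControlSet001 vs CurrentControlSet and the WOW6432Node
# redirection (the droppers are 32-bit, so HKLM\SOFTWARE writes land there)
# irrelevant to the match.
RULES = {
    (r"FirewallPolicy\StandardProfile", "EnableFirewall", "0"): "Windows Firewall off (standard profile)",
    (r"FirewallPolicy\StandardProfile", "DoNotAllowExceptions", "0"): "firewall exceptions allowed",
    (r"FirewallPolicy\StandardProfile", "DisableNotifications", "1"): "firewall notifications suppressed",
    (r"Policies\System", "EnableLUA", "0"): "UAC disabled (effective after reboot)",
    ("Security Center", "AntiVirusOverride", "1"): "Security Center AV state overridden",
    ("Security Center", "AntiVirusDisableNotify", "1"): "Security Center AV alerts suppressed",
    ("Security Center", "FirewallOverride", "1"): "Security Center firewall state overridden",
    ("Security Center", "FirewallDisableNotify", "1"): "Security Center firewall alerts suppressed",
    ("Security Center", "UpdatesDisableNotify", "1"): "Security Center update alerts suppressed",
    ("Security Center", "UacDisableNotify", "1"): "Security Center UAC alerts suppressed",
}

# Constructed excerpt: a handful of records copied from the tables above.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e5737d9.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5737d9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5756ab.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5735d5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5735d5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e5735d5.exe
'''


def parse_set_values(text):
    """Return (key, value_name, data, process) for every Set value record;
    'Key created' records have no value and are skipped."""
    records = []
    for m in SET_VALUE_RE.finditer(text):
        key, _, value = m.group("path").rpartition("\\")
        records.append((key, value, m.group("data"), m.group("proc")))
    return records


def classify(records):
    """Map process name -> sorted list of the defences its writes weaken."""
    findings = defaultdict(set)
    for key, value, data, proc in records:
        for (suffix, rule_value, rule_data), impact in RULES.items():
            if key.endswith(suffix) and value == rule_value and data == rule_data:
                findings[proc].add(impact)
    return {proc: sorted(hits) for proc, hits in findings.items()}


def to_hklm_path(key):
    """Rewrite a kernel-style \\REGISTRY\\MACHINE\\... key into the form reg.exe
    and Get-ItemProperty accept. Assumes ControlSet001 is the current control
    set, which is the usual case on a freshly installed machine."""
    key = key.replace("\\REGISTRY\\MACHINE", "HKLM")
    return key.replace("\\ControlSet001\\", "\\CurrentControlSet\\")


def host_checks(records):
    """Distinct (HKLM key, value name) pairs to query on a suspect host."""
    return sorted({(to_hklm_path(k), v) for k, v, _, _ in records})


if __name__ == "__main__":
    recs = parse_set_values(SAMPLE_IOCS)
    for proc, impacts in classify(recs).items():
        print(proc)
        for impact in impacts:
            print("   ", impact)
    for key, value in host_checks(recs):
        print(f'reg query "{key}" /v {value}')
```

The host_checks output is meant to be pasted into a cmd prompt on the machine under investigation; a value that comes back matching the data in RULES is a confirmation, while a missing EnableFirewall or EnableLUA value means the machine is still on the Windows default and was not hit by this stage.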
Processes (indented by depth in the process tree; the level-1 entries are the session processes that appear as WriteProcessMemory targets above)
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"
C:\Windows\system32\sihost.exe  cmd: sihost.exe
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE
    C:\Windows\system32\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d.dll,#1
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d.dll,#1
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e5735d5.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e5735d5.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5737d9.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e5737d9.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5756ab.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e5756ab.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System policy modification
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Modify Registry (5)
  Impair Defenses (4): Disable or Modify Tools (3), Disable or Modify System Firewall (1)
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\e5735d5.exe
Filesize: 97KB
MD5: 28ddf2887997a8b2b4fb1712d2b7f01a
SHA1: 95347684cbc4dbb1cf84413b43d94a72f8e66515
SHA256: 40fc1393517538b3792263278ba3ac26a8d6a562fcb122693b33c2761e849fa3
SHA512: 5e6ec1fbb34cb52f0e0d0c0f88f8ab896cd6655c4aed5c05ba4429801701b88c514c867305fe19ce03d0abbc3f43de89de43efe1d79884a335f4c7ff8e60894f

C:\Windows\SYSTEM.INI
Filesize: 257B
MD5: cc199e06829a2ffcc0cca4a9e2d148e0
SHA1: 1a5e8ae037e7be1717171a13d1e6c3ccc85bb3da
SHA256: 6777caef5e685001c484568d7ec77e60e0f9f95f59587eff3ab55097bc749b9f
SHA512: 4a2d3da4d6d4b35a60dca472f3dcc2e3fa037f7aed07d41545ee6f7e098e9fe3df5fb862610ff6cc7e70b5d96d7e64f71236aafab4d9121c9e24f328080c2749

Memory dumps (dump name, filesize), grouped by PID

PID 1176 (e5737d9.exe)
memory/1176-35-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/1176-52-0x00000000001F0000-0x00000000001F1000-memory.dmp  4KB
memory/1176-55-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/1176-57-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/1176-112-0x0000000000B60000-0x0000000001C1A000-memory.dmp  16.7MB
memory/1176-129-0x0000000000B60000-0x0000000001C1A000-memory.dmp  16.7MB
memory/1176-130-0x0000000000400000-0x0000000000412000-memory.dmp  72KB

PID 2124 (e5735d5.exe)
memory/2124-4-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/2124-N-0x00000000007E0000-0x000000000189A000-memory.dmp for N in 6, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 36, 37, 38, 39, 40, 50, 59, 61, 62, 64, 66, 68, 70, 72, 73, 74, 80  16.7MB each (28 dumps)
memory/2124-28-0x0000000001A00000-0x0000000001A01000-memory.dmp  4KB
memory/2124-29-0x00000000019F0000-0x00000000019F2000-memory.dmp  8KB
memory/2124-34-0x00000000019F0000-0x00000000019F2000-memory.dmp  8KB
memory/2124-82-0x00000000019F0000-0x00000000019F2000-memory.dmp  8KB
memory/2124-95-0x0000000000400000-0x0000000000412000-memory.dmp  72KB

PID 4900 (rundll32.exe, SysWOW64)
memory/4900-3-0x0000000010000000-0x0000000010020000-memory.dmp  128KB
memory/4900-23-0x0000000003D00000-0x0000000003D02000-memory.dmp  8KB
memory/4900-24-0x0000000003D00000-0x0000000003D02000-memory.dmp  8KB
memory/4900-26-0x0000000003E30000-0x0000000003E31000-memory.dmp  4KB
memory/4900-33-0x0000000003D00000-0x0000000003D02000-memory.dmp  8KB

PID 5056 (e5756ab.exe)
memory/5056-54-0x00000000001F0000-0x00000000001F1000-memory.dmp  4KB
memory/5056-56-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/5056-58-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/5056-153-0x0000000000400000-0x0000000000412000-memory.dmp  72KB