Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
30-06-2024 14:25
Static task
static1
Behavioral task
behavioral1
Sample
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
Resource
win7-20240611-en
General
-
Target
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
-
Size
2.9MB
-
MD5
490e1e2c51156303e8dcb5da19960e30
-
SHA1
240f9467766127a248adcaeb814ddc7cff461777
-
SHA256
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8
-
SHA512
1f03f5abae55571a168476f2b21a8d14459ad47da5be340dd6d416f996b25f97fdfe6960d89cd1e0f048ba252249d4a836a690ae2a4c35b096b9c04a1eaca8cd
-
SSDEEP
49152:5esKAvZibeyiuftlobfTEBSUtGHjzUxSs/GS+1u:PKAAe/YtKbfTISYGDz6+E
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Processes:
resource yara_rule behavioral2/memory/2260-1-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-5-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-13-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-14-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-12-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-9-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-8-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-4-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-3-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-16-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-15-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-17-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-18-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-19-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-21-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-22-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx behavioral2/memory/2260-24-0x0000000002DB0000-0x0000000003E3E000-memory.dmp upx -
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
description ioc process
File opened (read-only) \??\X: e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
File opened (read-only) \??\E: e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
File opened (read-only) \??\G: e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Drops file in Windows directory 1 IoCs
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
description ioc process
File opened for modification C:\Windows\SYSTEM.INI e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
pid process
2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exedescription pid process Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Token: SeDebugPrivilege 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exedescription pid process target process PID 2260 wrote to memory of 760 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe fontdrvhost.exe PID 2260 wrote to memory of 764 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe fontdrvhost.exe PID 2260 wrote to memory of 1016 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe dwm.exe PID 2260 wrote to memory of 2464 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe sihost.exe PID 2260 wrote to memory of 2476 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe svchost.exe PID 2260 wrote to memory of 2724 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe taskhostw.exe PID 2260 wrote to memory of 3544 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe Explorer.EXE PID 2260 wrote to memory of 3652 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe svchost.exe PID 2260 wrote to memory of 3928 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe DllHost.exe PID 2260 wrote to memory of 4044 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe StartMenuExperienceHost.exe PID 2260 wrote to memory of 1056 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe RuntimeBroker.exe PID 2260 wrote to memory of 2076 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe SearchApp.exe PID 2260 wrote to memory of 4148 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe RuntimeBroker.exe PID 2260 wrote to memory of 3396 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe TextInputHost.exe PID 2260 wrote to memory of 3104 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe RuntimeBroker.exe PID 2260 wrote to memory of 2024 2260 
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe msedge.exe PID 2260 wrote to memory of 4120 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe msedge.exe PID 2260 wrote to memory of 936 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe msedge.exe PID 2260 wrote to memory of 3320 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe msedge.exe PID 2260 wrote to memory of 1868 2260 e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe msedge.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe"C:\Users\Admin\AppData\Local\Temp\e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffe9330ceb8,0x7ffe9330cec4,0x7ffe9330ced02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2304,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2528,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3948,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
Downloads
-
memory/2260-0-0x0000000000400000-0x0000000000728000-memory.dmpFilesize
3.2MB
-
memory/2260-1-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-11-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-5-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-13-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-14-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-12-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-9-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-8-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-10-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-4-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-7-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/2260-6-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-3-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-16-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-15-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-17-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-18-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-19-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-21-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-22-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-32-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-24-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-41-0x0000000000400000-0x0000000000728000-memory.dmpFilesize
3.2MB