Dr.Web EoP

0:00-0:12 Open Windows console and check that active user has no administrative privileges
0:12-0:24 Show actual version of installed Dr.Web Security Space
0:24-0:29 There is a file drweb_eop_upd_dll.dll at user’s desktop (this file and its source code were attached to report for vendor)
0:29-0:34 Show that the directory C:\ProgramData\Doctor Web\Updater\etc contains only 3 files.
0:34-0:47 Copy drweb_eop_upd_dll.dll twice. One is renamed to version.dll, another to cryptui.dll
0:47-0:56 Copy an executable file C:\Program Files\Common Files\Doctor Web\Updater\drwupsrv.exe to the directory with dlls.
0:56-1:00 Start the executable.

When drwupsrv.exe starts, it loads version.dll from its startup directory. The dll creates file C:\ProgramData\Doctor Web\Updater\etc\drwupsrv.xml.new. A user is allowed to create files and folders at path C:\ProgramData due to a special permissive ACL. When the user is to create a file manually (for example, from explorer's context menu), it seems that the Dr.Web Security Space mechanisms restricts the operation in that directory. During the attack, all operations are requested from legit Dr.Web executable called drwupsrv.exe, so the restriction might be bypassed.

1:00-1:22 Show created file and its content. This is the same file as C:\ProgramData\Doctor Web\Updater\etc\drwupsrv.xml, but all paths are changed to the user-controlled folder (C:\Users\User\Desktop\dwtest).
1:22-2:00 Nothing happens (awaiting auto-update that happens every 30 minutes by default).
2:00-2:14 It seems that updater reads created file as a config and tries to update product in the user-controlled folder. Since there is no anything related to product, updater starts to copy whole product to the folder.
Among the files, there is a file named dwservice.exe (placed at user-controlled folder), that starts during updating process with NT AUTHORITY\SYSTEM privilege. The file loads cryptui.dll that was planted at the very beginning. The dll just spawns an interactive console. Show rights via whoami command.