Analysis
max time kernel: 187s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 11:06
Static task: static1
Behavioral task: behavioral1
Sample: f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Resource: win7-20220812-en
General
Target: f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Size: 494KB
MD5: 00b4f16c961d8433284324d25b572800
SHA1: 370d79c091997e0ac8ecdfd290c44f1dce79aa35
SHA256: f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f
SHA512: 3a7c4e80124e8141b5f8825c276f87b7ae82fa64aa68d2d5c665ee0535ff962eafb519ee0bee2c5ce053b390bc7b488d5343cec285de6ba4523a1d80edf74e80
SSDEEP: 12288:Gg3M9TO1Fu4+1nkjwCO93AQ/ESLIm5kMK0xTGEhuWEoIyiQ5hx:Gg3M01HRw39pESLI27xTpUWEoIyiQPx
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | DCSHelper.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | DCSHelper.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Executes dropped EXE 4 IoCs
pid | Process
1408 | DCService.exe
2480 | HWDeviceService64.exe
3276 | HWDeviceService64.exe
2016 | DCSHelper.exe
resource | yara_rule
behavioral2/memory/2600-133-0x0000000002380000-0x000000000340E000-memory.dmp | upx
behavioral2/memory/2600-135-0x0000000002380000-0x000000000340E000-memory.dmp | upx
behavioral2/memory/2600-146-0x0000000002380000-0x000000000340E000-memory.dmp | upx
behavioral2/memory/2600-148-0x0000000002380000-0x000000000340E000-memory.dmp | upx
behavioral2/memory/2016-149-0x0000000002ED0000-0x0000000003F5E000-memory.dmp | upx
behavioral2/memory/2016-151-0x0000000002ED0000-0x0000000003F5E000-memory.dmp | upx
behavioral2/memory/2016-152-0x0000000002ED0000-0x0000000003F5E000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | DCService.exe
Loads dropped DLL 1 IoCs
pid | Process
2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | DCSHelper.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | DCSHelper.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | DCSHelper.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | DCSHelper.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | DCSHelper.exe
Enumerates connected drives 3 TTPs 29 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: (7 drive letters) | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
File opened (read-only) | \??\E: through \??\Z: (22 drive letters: E F G H I J K L M N O P Q R S T U V W X Y Z) | DCSHelper.exe
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | DCSHelper.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | DCSHelper.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | DCSHelper.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | HWDeviceService64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | HWDeviceService64.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | HWDeviceService64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | HWDeviceService64.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process (consecutive identical entries collapsed with a count; 32 entries in total)
2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe (x2)
3276 | HWDeviceService64.exe (x2)
2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe (x2)
2016 | DCSHelper.exe (x26)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (64 identical entries)
Token: SeDebugPrivilege | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe (x64)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2016 | DCSHelper.exe (x2)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical entries collapsed with a count; 64 entries in total)
PID 2600 wrote to memory of 800 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 9
PID 2600 wrote to memory of 808 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 10
PID 2600 wrote to memory of 376 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 13
PID 2600 wrote to memory of 2372 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 63
PID 2600 wrote to memory of 2408 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 62
PID 2600 wrote to memory of 2460 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 58
PID 2600 wrote to memory of 740 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 50
PID 2600 wrote to memory of 3196 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 49
PID 2600 wrote to memory of 3380 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 48
PID 2600 wrote to memory of 3468 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 47
PID 2600 wrote to memory of 3644 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 46
PID 2600 wrote to memory of 3724 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 45
PID 2600 wrote to memory of 3872 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 44
PID 2600 wrote to memory of 4796 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 41
PID 2600 wrote to memory of 5016 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 27
PID 2600 wrote to memory of 2236 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 26
PID 2600 wrote to memory of 1408 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 81 (x3)
PID 1408 wrote to memory of 2480 | 1408 | DCService.exe | 82 (x2)
PID 3276 wrote to memory of 2016 | 3276 | HWDeviceService64.exe | 84 (x3)
PID 2600 wrote to memory of 800 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 9
PID 2600 wrote to memory of 808 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 10
PID 2600 wrote to memory of 376 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 13
PID 2600 wrote to memory of 2372 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 63
PID 2600 wrote to memory of 2408 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 62
PID 2600 wrote to memory of 2460 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 58
PID 2600 wrote to memory of 740 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 50
PID 2600 wrote to memory of 3196 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 49
PID 2600 wrote to memory of 3380 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 48
PID 2600 wrote to memory of 3468 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 47
PID 2600 wrote to memory of 3644 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 46
PID 2600 wrote to memory of 3724 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 45
PID 2600 wrote to memory of 3872 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 44
PID 2600 wrote to memory of 4796 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 41
PID 2600 wrote to memory of 2236 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 26
PID 2600 wrote to memory of 2016 | 2600 | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | 84 (x2)
PID 2016 wrote to memory of 800 | 2016 | DCSHelper.exe | 9
PID 2016 wrote to memory of 808 | 2016 | DCSHelper.exe | 10
PID 2016 wrote to memory of 376 | 2016 | DCSHelper.exe | 13
PID 2016 wrote to memory of 2372 | 2016 | DCSHelper.exe | 63
PID 2016 wrote to memory of 2408 | 2016 | DCSHelper.exe | 62
PID 2016 wrote to memory of 2460 | 2016 | DCSHelper.exe | 58
PID 2016 wrote to memory of 740 | 2016 | DCSHelper.exe | 50
PID 2016 wrote to memory of 3196 | 2016 | DCSHelper.exe | 49
PID 2016 wrote to memory of 3380 | 2016 | DCSHelper.exe | 48
PID 2016 wrote to memory of 3468 | 2016 | DCSHelper.exe | 47
PID 2016 wrote to memory of 3644 | 2016 | DCSHelper.exe | 46
PID 2016 wrote to memory of 3724 | 2016 | DCSHelper.exe | 45
PID 2016 wrote to memory of 3872 | 2016 | DCSHelper.exe | 44
PID 2016 wrote to memory of 4796 | 2016 | DCSHelper.exe | 41
PID 2016 wrote to memory of 2236 | 2016 | DCSHelper.exe | 26
PID 2016 wrote to memory of 800 | 2016 | DCSHelper.exe | 9
PID 2016 wrote to memory of 808 | 2016 | DCSHelper.exe | 10
PID 2016 wrote to memory of 376 | 2016 | DCSHelper.exe | 13
PID 2016 wrote to memory of 2372 | 2016 | DCSHelper.exe | 63
PID 2016 wrote to memory of 2408 | 2016 | DCSHelper.exe | 62
PID 2016 wrote to memory of 2460 | 2016 | DCSHelper.exe | 58
PID 2016 wrote to memory of 740 | 2016 | DCSHelper.exe | 50
PID 2016 wrote to memory of 3196 | 2016 | DCSHelper.exe | 49
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | DCSHelper.exe
Processes
Image path | Command line | PID (child processes are indented under their parent; signatures triggered by a process are listed beneath it)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:800
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:808
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:376
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2236
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:5016
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4796
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3872
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3724
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3644
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3468
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3380
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3196
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:740
    C:\Users\Admin\AppData\Local\Temp\f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe | "C:\Users\Admin\AppData\Local\Temp\f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe" | PID:2600
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\ProgramData\DatacardService\DCService.exe | "C:\ProgramData\DatacardService\DCService.exe" -install | PID:1408
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            C:\ProgramData\DatacardService\HWDeviceService64.exe | "C:\ProgramData\DatacardService\HWDeviceService64.exe" -install | PID:2480
                - Executes dropped EXE
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2460
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2408
C:\Windows\system32\sihost.exe | sihost.exe | PID:2372
C:\ProgramData\DatacardService\HWDeviceService64.exe | "C:\ProgramData\DatacardService\HWDeviceService64.exe" -/service | PID:3276
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\DatacardService\DCSHelper.exe | "C:\ProgramData\DatacardService\DCSHelper.exe" | PID:2016
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 230KB
MD5: 349ab4f70e2ac44970894e7f03e1576e
SHA1: 5f27448dd78eee8e3c583b57fcfe0969281f007f
SHA256: 584d84ad7be834b72e3c4548b3e1e25984ccc5f9eaa2245c44cb6bfc63a9d716
SHA512: 382bf892a97d32bf5c4f30086d6c36ee59ffd0c428da105b821660373bfbc05b1a089717f9c76d1c76fbbc795fdfb68fda203a12cc1c6f17a2f262c838078021
-
Filesize: 139KB
MD5: 903930192dcd755910ca5f8e188cf10f
SHA1: 8f52fe210e94f1299f76f5bc3cbe6340c77b5e91
SHA256: 1746a56d9b678a4b7c4b74db3a53bd35e0c9e0d35b0f2979956785dae75a57b0
SHA512: 472b098be907580dc9f6bcd31ba5ad44bb0b537bf1878dc89374ae2c2abb28312b7d8b87dc9389acce296ff5bf97c7dc6666483e836e7029e13398355927ba8b
-
Filesize: 338KB
MD5: e90da42b87d684debfb73b38a718a006
SHA1: f2eb9b7b20f8f0b88578bc8fda8326f12829f8d8
SHA256: bb18c63c1982f5cb99c9b65d2b801e8c1909ad7cd0171326dc0015d6b781b451
SHA512: 69a495c1be253734b1a0958047b70fe93d0b2319c4599420ff84806e17b16e4fe1c9b2f6db69494f14dfe45c9323758670df56215b8695cf4effb9cf0ee638f9
-
Filesize: 338KB
MD5: e90da42b87d684debfb73b38a718a006
SHA1: f2eb9b7b20f8f0b88578bc8fda8326f12829f8d8
SHA256: bb18c63c1982f5cb99c9b65d2b801e8c1909ad7cd0171326dc0015d6b781b451
SHA512: 69a495c1be253734b1a0958047b70fe93d0b2319c4599420ff84806e17b16e4fe1c9b2f6db69494f14dfe45c9323758670df56215b8695cf4effb9cf0ee638f9
-
Filesize: 230KB
MD5: 349ab4f70e2ac44970894e7f03e1576e
SHA1: 5f27448dd78eee8e3c583b57fcfe0969281f007f
SHA256: 584d84ad7be834b72e3c4548b3e1e25984ccc5f9eaa2245c44cb6bfc63a9d716
SHA512: 382bf892a97d32bf5c4f30086d6c36ee59ffd0c428da105b821660373bfbc05b1a089717f9c76d1c76fbbc795fdfb68fda203a12cc1c6f17a2f262c838078021
-
Filesize: 139KB
MD5: 903930192dcd755910ca5f8e188cf10f
SHA1: 8f52fe210e94f1299f76f5bc3cbe6340c77b5e91
SHA256: 1746a56d9b678a4b7c4b74db3a53bd35e0c9e0d35b0f2979956785dae75a57b0
SHA512: 472b098be907580dc9f6bcd31ba5ad44bb0b537bf1878dc89374ae2c2abb28312b7d8b87dc9389acce296ff5bf97c7dc6666483e836e7029e13398355927ba8b
-
Filesize: 338KB
MD5: e90da42b87d684debfb73b38a718a006
SHA1: f2eb9b7b20f8f0b88578bc8fda8326f12829f8d8
SHA256: bb18c63c1982f5cb99c9b65d2b801e8c1909ad7cd0171326dc0015d6b781b451
SHA512: 69a495c1be253734b1a0958047b70fe93d0b2319c4599420ff84806e17b16e4fe1c9b2f6db69494f14dfe45c9323758670df56215b8695cf4effb9cf0ee638f9
-
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize: 257B
MD5: 8eee003fe17c4b6b5de6fd5584835714
SHA1: bad2e29a6bb92c3a34563755239837f81cfda454
SHA256: bb5f6f82f2e5b6cc3d720d41d29378ca03ab1fa044d6052e2f5438db51db941c
SHA512: 415b3b25fc3802ceaf4c986530f9c4fc05d0f5ed923bf2474f6e53e847f71c615ceea25f733454007b5d011828ffa33b6637c2444c5e1b1c85c369d6b47a82cf