Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
20/10/2022, 23:38
Static task
static1
Behavioral task
behavioral1
Sample
f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe
Resource
win7-20220812-en
windows7-x64
19 signatures
150 seconds
General
-
Target
f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe
-
Size
630KB
-
MD5
4ffa402c3a2a75f91e4765f930a6912d
-
SHA1
bf9dc1b017cbab7012b5b73f4fec260663743bb9
-
SHA256
f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567
-
SHA512
77cfded06a7ca16cc4b13046dd490f21d65f48b15d46d9c8c3b43c40386def62cda069e2e7c36f6f5100030fb2357e82c75eb8c0d74c12469b7cde8460eba354
-
SSDEEP
12288:1026yDWbokVvKYPaq7mforb1ISwFXYl4mM87POGh+yY5OOFB:1026y6zVyYPqgdISVM87POLfB
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Au_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Au_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" Au_.exe -
Executes dropped EXE 1 IoCs
pid Process 4916 Au_.exe -
resource yara_rule behavioral2/memory/2708-133-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral2/memory/2708-134-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral2/memory/2708-135-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral2/memory/4916-145-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/4916-148-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx -
Loads dropped DLL 3 IoCs
pid Process 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Au_.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: Au_.exe File opened (read-only) \??\M: Au_.exe File opened (read-only) \??\O: Au_.exe File opened (read-only) \??\W: Au_.exe File opened (read-only) \??\Y: Au_.exe File opened (read-only) \??\Q: Au_.exe File opened (read-only) \??\S: Au_.exe File opened (read-only) \??\X: Au_.exe File opened (read-only) \??\U: Au_.exe File opened (read-only) \??\V: Au_.exe File opened (read-only) \??\Z: Au_.exe File opened (read-only) \??\J: Au_.exe File opened (read-only) \??\L: Au_.exe File opened (read-only) \??\N: Au_.exe File opened (read-only) \??\R: Au_.exe File opened (read-only) \??\T: Au_.exe File opened (read-only) \??\P: Au_.exe File opened (read-only) \??\E: Au_.exe File opened (read-only) \??\G: Au_.exe File opened (read-only) \??\H: Au_.exe File opened (read-only) \??\I: Au_.exe File opened (read-only) \??\K: Au_.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf Au_.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe Au_.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe Au_.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe Au_.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe Au_.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe Au_.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe Au_.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe Au_.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe Au_.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe Au_.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe Au_.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe Au_.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe 4916 Au_.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe Token: SeDebugPrivilege 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2708 wrote to memory of 784 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 79 PID 2708 wrote to memory of 792 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 78 PID 2708 wrote to memory of 332 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 8 PID 2708 wrote to memory of 2416 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 45 PID 2708 wrote to memory of 2444 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 44 PID 2708 wrote to memory of 2576 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 41 PID 2708 wrote to memory of 2152 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 36 PID 2708 wrote to memory of 2976 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 35 PID 2708 wrote to memory of 3256 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 34 PID 2708 wrote to memory of 3344 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 33 PID 2708 wrote to memory of 3416 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 11 PID 2708 wrote to memory of 3500 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 32 PID 2708 wrote to memory of 3716 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 31 PID 2708 wrote to memory of 4668 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 28 PID 2708 wrote to memory of 2972 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 15 PID 2708 wrote to memory of 4568 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 13 PID 2708 wrote to memory of 784 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 79 PID 2708 wrote to memory of 792 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 78 PID 2708 wrote to memory of 332 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 8 PID 2708 wrote to memory of 2416 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 45 PID 2708 wrote to memory of 2444 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 44 PID 2708 wrote to memory of 2576 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 41 PID 2708 wrote to memory of 2152 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 36 PID 2708 wrote to memory of 2976 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 35 PID 2708 wrote to memory of 3256 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 34 PID 2708 wrote to memory of 3344 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 33 PID 2708 wrote to memory of 3416 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 11 PID 2708 wrote to memory of 3500 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 32 PID 2708 wrote to memory of 3716 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 31 PID 2708 wrote to memory of 4668 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 28 PID 2708 wrote to memory of 2972 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 15 PID 2708 wrote to memory of 4568 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 13 PID 2708 wrote to memory of 4916 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 81 PID 2708 wrote to memory of 4916 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 81 PID 2708 wrote to memory of 4916 2708 f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe 81 PID 4916 wrote to memory of 784 4916 Au_.exe 79 PID 4916 wrote to memory of 792 4916 Au_.exe 78 PID 4916 wrote to memory of 332 4916 Au_.exe 8 PID 4916 wrote to memory of 2416 4916 Au_.exe 45 PID 4916 wrote to memory of 2444 4916 Au_.exe 44 PID 4916 wrote to memory of 2576 4916 Au_.exe 41 PID 4916 wrote to memory of 2152 4916 Au_.exe 36 PID 4916 wrote to memory of 2976 4916 Au_.exe 35 PID 4916 wrote to memory of 3256 4916 Au_.exe 34 PID 4916 wrote to memory of 3344 4916 Au_.exe 33 PID 4916 wrote to memory of 3416 4916 Au_.exe 11 PID 4916 wrote to memory of 3500 4916 Au_.exe 32 PID 4916 wrote to memory of 3716 4916 Au_.exe 31 PID 4916 wrote to memory of 4668 4916 Au_.exe 28 PID 4916 wrote to memory of 4568 4916 Au_.exe 13 PID 4916 wrote to memory of 784 4916 Au_.exe 79 PID 4916 wrote to memory of 792 4916 Au_.exe 78 PID 4916 wrote to memory of 332 4916 Au_.exe 8 PID 4916 wrote to memory of 2416 4916 Au_.exe 45 PID 4916 wrote to memory of 2444 4916 Au_.exe 44 PID 4916 wrote to memory of 2576 4916 Au_.exe 41 PID 4916 wrote to memory of 2152 4916 Au_.exe 36 PID 4916 wrote to memory of 2976 4916 Au_.exe 35 PID 4916 wrote to memory of 3256 4916 Au_.exe 34 PID 4916 wrote to memory of 3344 4916 Au_.exe 33 PID 4916 wrote to memory of 3416 4916 Au_.exe 11 PID 4916 wrote to memory of 3500 4916 Au_.exe 32 PID 4916 wrote to memory of 3716 4916 Au_.exe 31 PID 4916 wrote to memory of 4668 4916 Au_.exe 28 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:332
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3416
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4568
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2972
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4668
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3716
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3500
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3344
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3256
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2976
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe"C:\Users\Admin\AppData\Local\Temp\f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4916
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2444
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2416
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E56C49D_Rar\f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567.exe
Filesize558KB
MD57bde88a61e13bb4fad02a1501cb874dc
SHA1d35869c8c02920bb6dfb96eb09fca608fe8cd506
SHA2564b96eaa04499ba7946cafe281ec34da60265d31313131072996b5fc784bab731
SHA51241157e578994e1e3a4e435f3186665c1d95b31cbb42abae8961037e2fdb0f3c40dd2ce852eeacbc6a6c12970fddadfa4cc7df487b0c7d722050fe3ba3a7ee61b
-
Filesize
15KB
MD56e663f1a0de94bc05d64d020da5d6f36
SHA1c5abb0033776d6ab1f07e5b3568f7d64f90e5b04
SHA256458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4
SHA5122a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5
-
Filesize
15KB
MD56e663f1a0de94bc05d64d020da5d6f36
SHA1c5abb0033776d6ab1f07e5b3568f7d64f90e5b04
SHA256458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4
SHA5122a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5
-
Filesize
11KB
MD5b9f430f71c7144d8ff4ab94be2785aa6
SHA1c5c1e153caff7ad1d221a9acc8bbb831f05ccb05
SHA256b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655
SHA512c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099
-
Filesize
630KB
MD54ffa402c3a2a75f91e4765f930a6912d
SHA1bf9dc1b017cbab7012b5b73f4fec260663743bb9
SHA256f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567
SHA51277cfded06a7ca16cc4b13046dd490f21d65f48b15d46d9c8c3b43c40386def62cda069e2e7c36f6f5100030fb2357e82c75eb8c0d74c12469b7cde8460eba354
-
Filesize
630KB
MD54ffa402c3a2a75f91e4765f930a6912d
SHA1bf9dc1b017cbab7012b5b73f4fec260663743bb9
SHA256f6a3faea8cde562aeeff55d082d41c09a365b08e01d04cb697b0e51632638567
SHA51277cfded06a7ca16cc4b13046dd490f21d65f48b15d46d9c8c3b43c40386def62cda069e2e7c36f6f5100030fb2357e82c75eb8c0d74c12469b7cde8460eba354
-
Filesize
257B
MD58c85b16273effceb224f227754122224
SHA1c85d4d7b7a0dcfe1d74b2d5a9dd74bb201e440a5
SHA256f5a3422b4988750f17ec20d7657a8175660d9a6b7020aa80be8f1078722107c4
SHA512611251c64cbc643ae58b351f090e427cc130e0c0116bed9e3b3b798a9bdc387608728d41cafc94779666bb1da5b3ddb06d15bf6f27afdf386dbb0a0043c9e05b