Analysis
max time kernel: 144s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 18:45
Static task: static1
Behavioral task: behavioral1
Sample: b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Resource: win7-20220901-en
General
Target: b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Size: 144KB
MD5: 0c309cac018d98471faf31feff28e8e0
SHA1: d62789b02b92a067bf4569f86cde6f939a3fd7a4
SHA256: b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759
SHA512: 44ce9659bbb15ac9c992c7bb52c9a1bf33fb971b02c093090529e7b4a8eba0d57be480d715f94784b10976662395bda4d3f2d691ec865a1a4b792c1440eaf511
SSDEEP: 3072:X6pyTK5LYYGEKZzTmq7u7vSZFXm0wqP6b/MnDlfFvaZ:X6py6LaWz7S7wqP6gDlRaZ
Malware Config
Extracted: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

UAC bypass 1 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass 6 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Disables RegEdit via registry modification 1 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description      ioc
Set value (int)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification

YARA rule match: upx 3 IoCs
resource                                                                 yara_rule
behavioral1/memory/1348-55-0x0000000002430000-0x00000000034BE000-memory.dmp  upx
behavioral1/memory/1348-58-0x0000000002430000-0x00000000034BE000-memory.dmp  upx
behavioral1/memory/1348-60-0x0000000002430000-0x00000000034BE000-memory.dmp  upx

Windows security modification 7 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 1 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description              ioc
File opened (read-only)  \??\O:
File opened (read-only)  \??\S:
File opened (read-only)  \??\W:
File opened (read-only)  \??\Z:
File opened (read-only)  \??\F:
File opened (read-only)  \??\J:
File opened (read-only)  \??\K:
File opened (read-only)  \??\N:
File opened (read-only)  \??\M:
File opened (read-only)  \??\Q:
File opened (read-only)  \??\R:
File opened (read-only)  \??\V:
File opened (read-only)  \??\T:
File opened (read-only)  \??\X:
File opened (read-only)  \??\E:
File opened (read-only)  \??\G:
File opened (read-only)  \??\H:
File opened (read-only)  \??\L:
File opened (read-only)  \??\I:
File opened (read-only)  \??\P:
File opened (read-only)  \??\U:
File opened (read-only)  \??\Y:
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description                   ioc
File opened for modification  C:\autorun.inf
Drops file in Program Files directory 5 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description                   ioc
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\7z.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\7zFM.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\7zG.exe
File opened for modification  C:\PROGRAM FILES\7-ZIP\Uninstall.exe
Drops file in Windows directory 64 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description                   ioc
File opened for modification  C:\Windows\inf\mdmaiwa4.PNF
File opened for modification  C:\Windows\inf\prnep00b.PNF
File opened for modification  C:\Windows\inf\prnhp002.PNF
File opened for modification  C:\Windows\inf\qd3x64.PNF
File opened for modification  C:\Windows\inf\wiaca00e.PNF
File opened for modification  C:\Windows\inf\mdmelsa.PNF
File opened for modification  C:\Windows\inf\mstape.PNF
File opened for modification  C:\Windows\inf\netxex64.PNF
File opened for modification  C:\Windows\inf\nfrd960.PNF
File opened for modification  C:\Windows\inf\prnca00z.PNF
File opened for modification  C:\Windows\inf\mdmomrn3.PNF
File opened for modification  C:\Windows\inf\mdmtdkj5.PNF
File opened for modification  C:\Windows\inf\netbxnda.PNF
File opened for modification  C:\Windows\inf\prnhp003.PNF
File opened for modification  C:\Windows\inf\prnsv002.PNF
File opened for modification  C:\Windows\inf\mdmrock4.PNF
File opened for modification  C:\Windows\inf\prnlx002.PNF
File opened for modification  C:\Windows\inf\usb.PNF
File opened for modification  C:\Windows\inf\mdm3com.PNF
File opened for modification  C:\Windows\inf\mdmar1.PNF
File opened for modification  C:\Windows\inf\mdmtdkj6.PNF
File created                  C:\Windows\inf\oem0.PNF
File opened for modification  C:\Windows\inf\prnle004.PNF
File opened for modification  C:\Windows\inf\bthspp.PNF
File opened for modification  C:\Windows\inf\prnlx009.PNF
File opened for modification  C:\Windows\inf\prnrc005.PNF
File opened for modification  C:\Windows\inf\wiaca00f.PNF
File opened for modification  C:\Windows\inf\mdmhaeu.PNF
File opened for modification  C:\Windows\inf\prnod002.PNF
File created                  C:\Windows\inf\rdvgwddm.PNF
File opened for modification  C:\Windows\inf\v_mscdsc.PNF
File opened for modification  C:\Windows\inf\mdmdp2.PNF
File opened for modification  C:\Windows\inf\megasas.PNF
File opened for modification  C:\Windows\inf\netl260a.PNF
File opened for modification  C:\Windows\inf\tsprint.PNF
File opened for modification  C:\Windows\inf\mdmadc.PNF
File opened for modification  C:\Windows\inf\prnky002.PNF
File opened for modification  C:\Windows\inf\prnrc006.PNF
File opened for modification  C:\Windows\inf\rawsilo.PNF
File opened for modification  C:\Windows\inf\averfx2swtv_noavin_x64.PNF
File opened for modification  C:\Windows\inf\mdmbr00a.PNF
File opened for modification  C:\Windows\inf\net8187bv64.PNF
File opened for modification  C:\Windows\inf\ph6xib64c0.PNF
File opened for modification  C:\Windows\inf\prnbr002.PNF
File opened for modification  C:\Windows\inf\netk57a.PNF
File opened for modification  C:\Windows\inf\prnca00d.PNF
File opened for modification  C:\Windows\inf\prnep00c.PNF
File opened for modification  C:\Windows\inf\scrawpdo.PNF
File opened for modification  C:\Windows\inf\prnlx00x.PNF
File opened for modification  C:\Windows\inf\avmx64c.PNF
File opened for modification  C:\Windows\inf\hcw85b64.PNF
File opened for modification  C:\Windows\inf\hidserv.PNF
File opened for modification  C:\Windows\inf\mdmx5560.PNF
File opened for modification  C:\Windows\inf\netbvbda.PNF
File opened for modification  C:\Windows\inf\mdmdsi.PNF
File opened for modification  C:\Windows\inf\mdmtdkj3.PNF
File opened for modification  C:\Windows\inf\mdmvv.PNF
File opened for modification  C:\Windows\inf\mdmmega.PNF
File opened for modification  C:\Windows\inf\prnkm002.PNF
File opened for modification  C:\Windows\inf\wiaxx002.PNF
File opened for modification  C:\Windows\inf\wsdprint.PNF
File opened for modification  C:\Windows\inf\mdmmts.PNF
File opened for modification  C:\Windows\inf\mdmntt1.PNF
File opened for modification  C:\Windows\inf\wiaep002.PNF
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid   Process                                                               rows
1348  b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe  14 (identical)
Suspicious use of AdjustPrivilegeToken 27 IoCs
description                pid   Process                                                               rows
Token: SeDebugPrivilege    1348  b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe  20 (identical)
Token: SeRestorePrivilege  1348  b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe  7 (identical)
Suspicious use of WriteProcessMemory 42 IoCs
description                       pid   Process                                                               procid_target  rows
PID 1348 wrote to memory of 1068  1348  b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe  18             14 (identical)
PID 1348 wrote to memory of 1164  1348  b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe  17             14 (identical)
PID 1348 wrote to memory of 1208  1348  b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe  16             14 (identical)
System policy modification 1 TTPs 1 IoCs
Process (all rows): b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
description      ioc
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
C:\Windows\Explorer.EXE  (command line: "C:\Windows\Explorer.EXE")  level 1  PID:1208
    C:\Users\Admin\AppData\Local\Temp\b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe")  level 2  PID:1348
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\Dwm.exe  (command line: "C:\Windows\system32\Dwm.exe")  level 1  PID:1164
C:\Windows\system32\taskhost.exe  (command line: "taskhost.exe")  level 1  PID:1068