Analysis
  max time kernel: 150s
  max time network: 165s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 27/11/2022, 19:28
Behavioral task: behavioral1
  Sample: 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Resource: win10v2004-20221111-en
General
  Target: 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Size: 200KB
  MD5: 7f974af964596b305c20113ed530c024
  SHA1: 808067aa8bd460f41413ea8d74d36fdcdabb015a
  SHA256: 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c
  SHA512: fca9795be2f74c17d68dfe99356b52493d009e9e6901389adfed1b4421dab4bb38d1d425694b3e6bce811311c2bb5c340a18b4bbda94d4ec854eed793cdafdc3
  SSDEEP: 6144:C4o1sUtqp1HQ9Fs8SsseAT+MAgyPKW99U2vzQpZ:ZoWUAv6FtkeATbAgJL
Malware Config
  Extracted
  Family: sality
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
YARA rule match: upx
  resource | yara_rule
  behavioral1/memory/996-55-0x0000000001F30000-0x0000000002FBE000-memory.dmp | upx
  behavioral1/memory/996-64-0x0000000001F30000-0x0000000002FBE000-memory.dmp | upx
  behavioral1/files/0x00070000000139e2-81.dat | upx
  behavioral1/memory/996-86-0x0000000004190000-0x0000000004328000-memory.dmp | upx
  behavioral1/memory/996-296-0x0000000001F30000-0x0000000002FBE000-memory.dmp | upx
Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Reujua = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Reujua.exe" | mspaint.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | mspaint.exe
Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
Enumerates connected drives (3 TTPs, 43 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | Process | ioc (drive roots opened, in the order reported)
  File opened (read-only) | svchost.exe | \??\N:, \??\V:, \??\K:, \??\G:, \??\I:, \??\L:, \??\Y:, \??\F:, \??\P:, \??\U:, \??\Z:, \??\E:, \??\H:, \??\B:, \??\T:, \??\O:, \??\X:, \??\W:, \??\M:, \??\R:, \??\S:, \??\J:, \??\Q:
  File opened (read-only) | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | \??\F:, \??\N:, \??\E:, \??\J:, \??\K:, \??\Z:, \??\L:, \??\P:, \??\S:, \??\U:, \??\M:, \??\Q:, \??\W:, \??\Y:, \??\X:, \??\O:, \??\R:, \??\T:, \??\V:
  File opened (read-only) | mspaint.exe | \??\D:
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 996 set thread context of 1216 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 28
Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Modifies Internet Explorer settings
All entries below are made by IEXPLORE.EXE under \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer; key paths are given relative to that key (distinct entries).
  description | ioc
  Key created | InternetRegistry
  Key created | PageSetup
  Set value (str) | Main\WindowsSearch\Version = "WS not running"
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  Key created | BrowserEmulation\LowMic
  Key created | IETld\LowMic
  Set value (str) | Main\FullScreen = "no"
  Key created | DomainSuggestion\FileNames\
  Key created | DomainSuggestion\FileNames
  Key created | DomainSuggestion
  Key created | GPU
  Key created | LowRegistry\DOMStorage
  Key created | LowRegistry\DontShowMeThisDialogAgain
  Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1"
  Key created | Main\WindowsSearch
  Key created | Main
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0"
  Key created | LowRegistry
  Key created | Zoom
  Key created | Recovery\PendingRecovery
  Key created | IntelliForms
  Key created | Toolbar
  Key created | Toolbar\WebBrowser
  Set value (int) | Main\CompatibilityFlags = "0"
  Key created | Recovery\AdminActive
  Set value (int) | DomainSuggestion\NextUpdateDate = "376431993"
  Set value (int) | Recovery\AdminActive\{8AA90591-6F5A-11ED-8C74-D6AAFEFD221A} = "0"
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process (distinct entries)
  996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
Suspicious use of AdjustPrivilegeToken (26 IoCs)
  description | pid | Process (distinct entries)
  Token: SeDebugPrivilege | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Token: SeDebugPrivilege | 1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Token: SeDebugPrivilege | 860 | svchost.exe
  Token: SeDebugPrivilege | 2044 | mspaint.exe
  Token: SeDebugPrivilege | 640 | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  316 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process (distinct entries)
  2044 | mspaint.exe
  316 | IEXPLORE.EXE
  640 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (distinct entries)
  PID 996 wrote to memory of 1124 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 18
  PID 996 wrote to memory of 1184 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 17
  PID 996 wrote to memory of 1244 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 16
  PID 996 wrote to memory of 860 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 27
  PID 996 wrote to memory of 1216 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 28
  PID 860 wrote to memory of 2044 | 860 | svchost.exe | 29
  PID 1216 wrote to memory of 1008 | 1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 31
  PID 1008 wrote to memory of 316 | 1008 | iexplore.exe | 32
  PID 316 wrote to memory of 640 | 316 | IEXPLORE.EXE | 34
  PID 1216 wrote to memory of 996 | 1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 23
  PID 1216 wrote to memory of 860 | 1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 27
  PID 1216 wrote to memory of 2044 | 1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 29
  PID 996 wrote to memory of 2044 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 29
  PID 996 wrote to memory of 316 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 32
  PID 996 wrote to memory of 692 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 33
  PID 996 wrote to memory of 640 | 996 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 34
  PID 1216 wrote to memory of 640 | 1216 | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe | 34
System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
Processes

C:\Windows\Explorer.EXE  (PID 1244)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe  (PID 996)
    command line: "C:\Users\Admin\AppData\Local\Temp\06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\svchost.exe  (PID 860)
      command line: "C:\Windows\system32\svchost.exe"
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\mspaint.exe  (PID 2044)
        command line: "C:\Windows\system32\mspaint.exe"
        - Adds Run key to start application
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe  (PID 1216)
      command line: "C:\Users\Admin\AppData\Local\Temp\06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 1008)
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 316)
          command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 640)
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:316 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

C:\Windows\system32\Dwm.exe  (PID 1184)
  command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe  (PID 1124)
  command line: "taskhost.exe"

C:\Windows\system32\DllHost.exe  (PID 692)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe  (PID 1912)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Downloads

C:\Users\Admin\AppData\Local\Temp\06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c.exe
  Filesize: 200KB
  MD5: 7f974af964596b305c20113ed530c024
  SHA1: 808067aa8bd460f41413ea8d74d36fdcdabb015a
  SHA256: 06f101c377c9a2e864eaf8cbbeed61266431f123c2cd32ff776ce930ee67765c
  SHA512: fca9795be2f74c17d68dfe99356b52493d009e9e6901389adfed1b4421dab4bb38d1d425694b3e6bce811311c2bb5c340a18b4bbda94d4ec854eed793cdafdc3

(second download, path not recorded)
  Filesize: 608B
  MD5: 9a28366eee14350ae6dec1a218a7e8f1
  SHA1: d22d4ca23b50ee766a163288adea1aeeac99c54b
  SHA256: 4cca48e79608ef751cbe5b1a75877bdab99e2dafb4e4667275b92580c413099b
  SHA512: 40467710ce1bf8af821b2e1ec894bb59373dec874dc1c58f0c194e5b9cc85987b7980d4f875f27d3f7363489f7419e20cb4cce33fabb4f3e85311a5680293131