Analysis
- max time kernel: 130s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2023, 04:02
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.74c1a75ad25b02e803215c2f676146d0.exe
Resource: win7-20231023-en
General
- Target: NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Size: 1.1MB
- MD5: 74c1a75ad25b02e803215c2f676146d0
- SHA1: f8abbe2d9319799846311b70ef9383d66e14bacf
- SHA256: 55eef54d3f27ef5d9465b19ab925786759f2cf5c6453998ba8daebf558bfa64a
- SHA512: 631045fcc627bbef113f806186f52be6380bcea68202a8b67cd5b73224643de0e8111a5a48481f74af5b4f436f8369853ed5e264ddc29c3809660e14de05bc8c
- SSDEEP: 1536:i+d5JPwFP816C9V29d95KTtSj1z49LsWENmlma03hIx:i+JsOpU9tScj1YYKma03h
Malware Config
Extracted family: sality
C2 URLs from the extracted config:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe

UAC bypass (signature heading not preserved in the extracted text; name taken from the process summary below)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe

Windows security bypass (signature heading not preserved in the extracted text; name taken from the process summary below)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe

yara rule match: upx (signature heading not preserved in the extracted text; 38 memory dumps of pid 4396)
resource | yara_rule
- behavioral2/memory/4396-N-0x0000000000890000-0x000000000194A000-memory.dmp | upx, for N in 2, 4, 5, 6, 9, 13, 18, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 35, 37, 39, 42, 43, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 73, 75, 78, 88 (the same region 0x0000000000890000-0x000000000194A000 in every dump)

Windows security modification (signature heading not preserved in the extracted text; name taken from the process summary below)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | NEAS.74c1a75ad25b02e803215c2f676146d0.exe

Checks whether UAC is enabled (signature heading not preserved in the extracted text; name taken from the process summary below)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process (NEAS.74c1a75ad25b02e803215c2f676146d0.exe for every row)
- File opened (read-only): \??\E:, \??\K:, \??\Q:, \??\X:, \??\V:, \??\W:, \??\Y:, \??\Z:, \??\L:, \??\N:, \??\S:, \??\T:, \??\P:, \??\G:, \??\H:, \??\J:, \??\O:, \??\I:, \??\M:, \??\R:, \??\U:

Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
- File opened for modification | C:\autorun.inf | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- File opened for modification | F:\autorun.inf | NEAS.74c1a75ad25b02e803215c2f676146d0.exe

Drops file in Program Files directory (11 IoCs)
description | ioc | Process (NEAS.74c1a75ad25b02e803215c2f676146d0.exe for every row)
- File opened for modification | C:\Program Files\7-Zip\7zFM.exe
- File opened for modification | C:\Program Files\7-Zip\Uninstall.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- File opened for modification | C:\Program Files\7-Zip\7z.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- File opened for modification | C:\Program Files\7-Zip\7zG.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
- File created | C:\Windows\e57f2dc | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
- File opened for modification | C:\Windows\SYSTEM.INI | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
- 4396 | NEAS.74c1a75ad25b02e803215c2f676146d0.exe (24 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 4396 | NEAS.74c1a75ad25b02e803215c2f676146d0.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
All 64 entries are of the form "PID 4396 wrote to memory of <target pid>" with Process = NEAS.74c1a75ad25b02e803215c2f676146d0.exe (pid 4396). The distinct target pids and their procid_target values are:
- 796 | 8
- 804 | 86
- 316 | 9
- 2340 | 66
- 2348 | 65
- 2460 | 20
- 3260 | 53
- 3428 | 52
- 3640 | 22
- 3732 | 51
- 3796 | 23
- 3920 | 50
- 3764 | 49
- 4204 | 47
- 4364 | 39
- 1208 | 26
- 4860 | 32
- 3448 | 31
- 4136 | 88
- 2800 | 90
- 1924 | 91
The list cycles through these targets in the same order: 21 entries in the first pass, 20 in the second (without 1924), 19 in the third (without 3448 and 1924), and the first 4 targets again in the fourth pass (64 entries in total).

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.74c1a75ad25b02e803215c2f676146d0.exe
Processes
Each entry: image path | command line | PID. Depth 1 entries are top-level processes; the sample runs at depth 2 under Explorer.EXE.
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 796
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 316
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2460
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3640
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3796
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID 1208
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3448
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 4860
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4364
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4204
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3764
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3920
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3732
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3428
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3260
  - C:\Users\Admin\AppData\Local\Temp\NEAS.74c1a75ad25b02e803215c2f676146d0.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.74c1a75ad25b02e803215c2f676146d0.exe" | PID 4396
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2348
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2340
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 804
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4136
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2800
- C:\Windows\System32\wuapihost.exe | C:\Windows\System32\wuapihost.exe -Embedding | PID 1924
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2980
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2992
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID 968
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
- MD5: b26bbd83721d62c229a9f2fd6cfd65e3
- SHA1: f8266b25c9b214c661f61cca41fd43a0e2b6144b
- SHA256: de1bc5170dc25f6e81d36337f688e1b2397c3ba0926002e84d943034d7155296
- SHA512: 01d677fcb316887d93e5b97be0bf8c17674c1495e5344b744358c867244f12df8c3d1e985ef34bbcdf9b324731a717bb470dcc7d9a92cfd3a4debeed172f08f7