Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/03/2024, 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll
- Resource: win7-20240215-en
General
- Target: f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll
- Size: 120KB
- MD5: dc3f80d788dc9ed7e853500cb434a3dc
- SHA1: 8b992a3c39eff3bc4c841414df9f76c2c8d2586c
- SHA256: f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c
- SHA512: 613640cbea5f198e7b20f09974842dc0c1b62e876a9adda6ea2d3ca9ac18ffd5ab4b024584fdbb951b0d25cb9731d2af69fc990b519633e932e1b1c2a22eaf55
- SSDEEP: 1536:J2qA6JtJpQ1P0x27nmyIm8PG8f75Lb2f8i3mhvOUIdwuhrnay0I2Wiw:J2qAuziPGZP9lmhMvRIdlh2LI2w
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5732c8.exe
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5732c8.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5732c8.exe
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 31 IoCs
UPX dump on OEP (original entry point) 36 IoCs
Executes dropped EXE 4 IoCs
pid | Process
2756 | e5732c8.exe
3676 | e573539.exe
4952 | e574e01.exe
864 | e574e20.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5732c8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5732c8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5732c8.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5732c8.exe
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e5732c8.exe
File opened (read-only) | \??\M: | e5732c8.exe
File opened (read-only) | \??\P: | e5732c8.exe
File opened (read-only) | \??\R: | e5732c8.exe
File opened (read-only) | \??\K: | e5732c8.exe
File opened (read-only) | \??\O: | e5732c8.exe
File opened (read-only) | \??\Q: | e5732c8.exe
File opened (read-only) | \??\L: | e5732c8.exe
File opened (read-only) | \??\E: | e5732c8.exe
File opened (read-only) | \??\G: | e5732c8.exe
File opened (read-only) | \??\I: | e5732c8.exe
File opened (read-only) | \??\J: | e5732c8.exe
File opened (read-only) | \??\N: | e5732c8.exe
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5732c8.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5732c8.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5732c8.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e573400 | e5732c8.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5732c8.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2756 | e5732c8.exe
2756 | e5732c8.exe
2756 | e5732c8.exe
2756 | e5732c8.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 61 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5732c8.exe
Processes
- C:\Windows\system32\fontdrvhost.exe (PID 776)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 780)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 388)
  command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2868)
  command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2928)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 720)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3412)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 1880)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4364)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll,#1
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5732c8.exe (PID 2756)
        command line: C:\Users\Admin\AppData\Local\Temp\e5732c8.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e573539.exe (PID 3676)
        command line: C:\Users\Admin\AppData\Local\Temp\e573539.exe
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e574e01.exe (PID 4952)
        command line: C:\Users\Admin\AppData\Local\Temp\e574e01.exe
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e574e20.exe (PID 864)
        command line: C:\Users\Admin\AppData\Local\Temp\e574e20.exe
        signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe (PID 3560)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3748)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3836)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3896)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3984)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3420)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 4576)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4356)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 1620)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 2604)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 4072)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4120)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3032)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: e298f0488456d182dc030d8bcc238fa5
SHA1: 71cb894dc32976bede9713b13f46eff0645ab5af
SHA256: 765b69ec03ae392e2464cf51970225d041962cda2bc549c1bc773c89018500ac
SHA512: c2af0159b02df9c747eedfe4f6d39acb90d7302177c577b4a48146295568f1a9dbe1ed27352148cf657cfe939b2362dc5fe791782f6d99b41bf19f19dbfcd45c