Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/04/2024, 21:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
445f65a0645085c56ffc9face3c17642206b951acf6a360ff70ec8d6c1deb4e2.dll
Resource
win7-20240221-en
windows7-x64
17 signatures
150 seconds
General
-
Target
445f65a0645085c56ffc9face3c17642206b951acf6a360ff70ec8d6c1deb4e2.dll
-
Size
120KB
-
MD5
294f8ef41c60fe2dfe37380f107419df
-
SHA1
b6c62ab00f57a1ce50cb067308e32d65faaccded
-
SHA256
445f65a0645085c56ffc9face3c17642206b951acf6a360ff70ec8d6c1deb4e2
-
SHA512
9902455fa918a86614d8da2f45aacaf3c9d54d1ec1fb9ef1075092ea45386b513131a5bd4f454912ee8706264678de8fac1024ece514a25900f835ca376d0bb1
-
SSDEEP
1536:0OftrJupQAPBqrjtRNZb6bja6m5CHdaJmiGN+5Fi6cSARye0A3+YgfRMiFQNvu:0Cp2oNZuema0Nki6cSARL3+Yg5Uvu
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76280a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76280a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f760c40.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f760c40.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f760c40.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76280a.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76280a.exe -
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
resource yara_rule behavioral1/memory/3040-13-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-15-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-16-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-17-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-20-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-22-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-25-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-28-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-31-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-34-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-62-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-63-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-64-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-65-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-66-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-68-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-84-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-85-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-87-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-89-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-106-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/3040-147-0x00000000006E0000-0x000000000179A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2240-155-0x0000000000960000-0x0000000001A1A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2240-196-0x0000000000960000-0x0000000001A1A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine -
UPX dump on OEP (original entry point) 30 IoCs
resource yara_rule behavioral1/memory/3040-11-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/3040-13-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-15-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-16-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-17-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-20-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-22-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-25-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-28-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-31-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-34-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/2732-61-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/3040-62-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-63-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-64-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-65-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-66-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-68-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/2240-83-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/3040-84-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-85-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-87-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-89-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-106-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/3040-146-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/3040-147-0x00000000006E0000-0x000000000179A000-memory.dmp UPX behavioral1/memory/2732-151-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/2240-155-0x0000000000960000-0x0000000001A1A000-memory.dmp UPX behavioral1/memory/2240-195-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/2240-196-0x0000000000960000-0x0000000001A1A000-memory.dmp UPX -
Executes dropped EXE 3 IoCs
pid Process 3040 f760c40.exe 2732 f76122a.exe 2240 f76280a.exe -
Loads dropped DLL 6 IoCs
pid Process 2976 rundll32.exe 2976 rundll32.exe 2976 rundll32.exe 2976 rundll32.exe 2976 rundll32.exe 2976 rundll32.exe -
resource yara_rule behavioral1/memory/3040-13-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-15-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-16-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-17-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-20-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-22-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-25-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-28-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-31-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-34-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-62-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-63-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-64-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-65-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-66-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-68-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-84-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-85-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-87-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-89-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-106-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/3040-147-0x00000000006E0000-0x000000000179A000-memory.dmp upx behavioral1/memory/2240-155-0x0000000000960000-0x0000000001A1A000-memory.dmp upx behavioral1/memory/2240-196-0x0000000000960000-0x0000000001A1A000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76280a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f760c40.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76280a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f760c40.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76280a.exe -
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: f760c40.exe File opened (read-only) \??\H: f760c40.exe File opened (read-only) \??\N: f760c40.exe File opened (read-only) \??\E: f760c40.exe File opened (read-only) \??\G: f760c40.exe File opened (read-only) \??\P: f760c40.exe File opened (read-only) \??\R: f760c40.exe File opened (read-only) \??\J: f760c40.exe File opened (read-only) \??\O: f760c40.exe File opened (read-only) \??\L: f760c40.exe File opened (read-only) \??\M: f760c40.exe File opened (read-only) \??\E: f76280a.exe File opened (read-only) \??\I: f760c40.exe File opened (read-only) \??\K: f760c40.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f760c40.exe File created C:\Windows\f7662f7 f76280a.exe File created C:\Windows\f760cbd f760c40.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3040 f760c40.exe 3040 f760c40.exe 2240 f76280a.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 3040 f760c40.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe Token: SeDebugPrivilege 2240 f76280a.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2784 wrote to memory of 2976 2784 rundll32.exe 28 PID 2784 wrote to memory of 2976 2784 rundll32.exe 28 PID 2784 wrote to memory of 2976 2784 rundll32.exe 28 PID 2784 wrote to memory of 2976 2784 rundll32.exe 28 PID 2784 wrote to memory of 2976 2784 rundll32.exe 28 PID 2784 wrote to memory of 2976 2784 rundll32.exe 28 PID 2784 wrote to memory of 2976 2784 rundll32.exe 28 PID 2976 wrote to memory of 3040 2976 rundll32.exe 29 PID 2976 wrote to memory of 3040 2976 rundll32.exe 29 PID 2976 wrote to memory of 3040 2976 rundll32.exe 29 PID 2976 wrote to memory of 3040 2976 rundll32.exe 29 PID 3040 wrote to memory of 1132 3040 f760c40.exe 19 PID 3040 wrote to memory of 1188 3040 f760c40.exe 20 PID 3040 wrote to memory of 1216 3040 f760c40.exe 21 PID 3040 wrote to memory of 1912 3040 f760c40.exe 23 PID 3040 wrote to memory of 2784 3040 f760c40.exe 27 PID 3040 wrote to memory of 2976 3040 f760c40.exe 28 PID 3040 wrote to memory of 2976 3040 f760c40.exe 28 PID 2976 wrote to memory of 2732 2976 rundll32.exe 30 PID 2976 wrote to memory of 2732 2976 rundll32.exe 30 PID 2976 wrote to memory of 2732 2976 rundll32.exe 30 PID 2976 wrote to memory of 2732 2976 rundll32.exe 30 PID 2976 wrote to memory of 2240 2976 rundll32.exe 31 PID 2976 wrote to memory of 2240 2976 rundll32.exe 31 PID 2976 wrote to memory of 2240 2976 rundll32.exe 31 PID 2976 wrote to memory of 2240 2976 rundll32.exe 31 PID 3040 wrote to memory of 1132 3040 f760c40.exe 19 PID 3040 wrote to memory of 1188 3040 f760c40.exe 20 PID 3040 wrote to memory of 1216 3040 f760c40.exe 21 PID 3040 wrote to memory of 2732 3040 f760c40.exe 30 PID 3040 wrote to memory of 2732 3040 f760c40.exe 30 PID 3040 wrote to memory of 2240 3040 f760c40.exe 31 PID 3040 wrote to memory of 2240 3040 f760c40.exe 31 PID 2240 wrote to memory of 1132 2240 f76280a.exe 19 PID 2240 wrote to memory of 1188 2240 f76280a.exe 20 PID 2240 wrote to memory of 1216 2240 f76280a.exe 21 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f760c40.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76280a.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1132
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1188
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1216
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\445f65a0645085c56ffc9face3c17642206b951acf6a360ff70ec8d6c1deb4e2.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\445f65a0645085c56ffc9face3c17642206b951acf6a360ff70ec8d6c1deb4e2.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\f760c40.exeC:\Users\Admin\AppData\Local\Temp\f760c40.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3040
-
-
C:\Users\Admin\AppData\Local\Temp\f76122a.exeC:\Users\Admin\AppData\Local\Temp\f76122a.exe4⤵
- Executes dropped EXE
PID:2732
-
-
C:\Users\Admin\AppData\Local\Temp\f76280a.exeC:\Users\Admin\AppData\Local\Temp\f76280a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1912
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5e4eeba8f2f7fa21f4318f25f58d3cb1e
SHA1c169d60050a82fb749702b6d6c0d09fc2c2759ec
SHA256716e0d4ed3e9d102070d40f30395c8fcefc21df078530d6be2f152ebc1ef75cb
SHA512edbfd9a536c71ba02f68996fe393c2429bb79b1e6921cc96ce6e4e13e58839ab8a77d037fcf635048fb29cad043a4fe2f72dbf4816894cc3ff73c2f5f66ef47e
-
Filesize
97KB
MD5bb1fcca9f7cc7f189287cbed844f3a86
SHA1e1b2346c68b001bf1de23f9f5066f45d84aa7caf
SHA25666cd1eaf562bf6161ac2835fada7976bd66826d9d156ecc410a295bf8a992ec0
SHA512fc79e79d4b335c6c5f2c09a5d1b6e771eed596cfc6ff11bf94368a0a01dc242456e1401a57e19958a88e2a557758981671e286d8f6cbe77194e0aee7fb909f1d