Analysis
- max time kernel: 155s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18/04/2024, 22:40

Static task: static1
Behavioral task: behavioral1
- Sample: 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
- Resource: win7-20240221-en
General
- Target: 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
- Size: 282KB
- MD5: 4e329b43d4d3d9ae7d34c2c93aa52ba9
- SHA1: 14347433cb7954222b901c8c18e7d4c040ae7ad0
- SHA256: 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9
- SHA512: 72a92c55be81719693c1f80cc5d8c1716b7ffd210188474594477515b33868fc1eb51359356ce9259dfd8b3f9674516ecad28c305a274e5264579b9d68c9217a
- SSDEEP: 3072:SObjCPedQsoaRJU7KF+6aLK2IJqi6uS+gkDstXKJVqv8d0JG2wmVVW8wwWjwnCms:SXPEQaNJVYlNsJlsjzdjXYL9
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (33 IoCs)
YARA rule INDICATOR_EXE_Packed_SimplePolyEngine matched 33 memory dumps of PID 812 (behavioral1, region 0x0000000001DF0000-0x0000000002EAA000).
UPX dump on OEP (original entry point) (33 IoCs)
YARA rule UPX matched the same 33 memory dumps of PID 812 (behavioral1, region 0x0000000001DF0000-0x0000000002EAA000).
Blocklisted process makes network request (1 IoCs)
flow | pid | Process
6 | 1752 | Rundll32.exe

Stops running service(s) (3 TTPs)

Loads dropped DLL (9 IoCs)
pid | Process
2328 | Rundll32.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
1752 | Rundll32.exe
1752 | Rundll32.exe
1752 | Rundll32.exe
1752 | Rundll32.exe
1752 | Rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | Rundll32.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\H: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\I: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\J: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\N: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\Q: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\R: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\S: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\Z: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\E: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\K: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\Y: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\G: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\L: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\M: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\O: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\P: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\W: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\D: | Rundll32.exe
File opened (read-only) | \??\T: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\V: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\X: | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened (read-only) | \??\F: | Rundll32.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | F:\autorun.inf | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\mwqewctb.dll | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File created | C:\Windows\SysWOW64\xlpsectb.dll | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File opened for modification | C:\Program Files\AAV\CDriver.sys | Rundll32.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
File created | C:\Windows\f7673aa | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Launches sc.exe (7 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
2148 | sc.exe
2704 | sc.exe
2972 | sc.exe
2968 | sc.exe
1828 | sc.exe
2692 | sc.exe
2020 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
2328 | Rundll32.exe
1752 | Rundll32.exe

Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
468 | Process not Found

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Token: SeDebugPrivilege | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 812 wrote to memory of 1124 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 19
PID 812 wrote to memory of 1192 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 20
PID 812 wrote to memory of 1264 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 21
PID 812 wrote to memory of 2328 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 28
PID 812 wrote to memory of 2328 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 28
PID 812 wrote to memory of 2328 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 28
PID 812 wrote to memory of 2328 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 28
PID 812 wrote to memory of 2328 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 28
PID 812 wrote to memory of 2328 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 28
PID 812 wrote to memory of 2328 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 28
PID 2328 wrote to memory of 2424 | 2328 | Rundll32.exe | 29
PID 2328 wrote to memory of 2424 | 2328 | Rundll32.exe | 29
PID 2328 wrote to memory of 2424 | 2328 | Rundll32.exe | 29
PID 2328 wrote to memory of 2424 | 2328 | Rundll32.exe | 29
PID 2328 wrote to memory of 3056 | 2328 | Rundll32.exe | 30
PID 2328 wrote to memory of 3056 | 2328 | Rundll32.exe | 30
PID 2328 wrote to memory of 3056 | 2328 | Rundll32.exe | 30
PID 2328 wrote to memory of 3056 | 2328 | Rundll32.exe | 30
PID 2328 wrote to memory of 2020 | 2328 | Rundll32.exe | 33
PID 2328 wrote to memory of 2020 | 2328 | Rundll32.exe | 33
PID 2328 wrote to memory of 2020 | 2328 | Rundll32.exe | 33
PID 2328 wrote to memory of 2020 | 2328 | Rundll32.exe | 33
PID 2328 wrote to memory of 2692 | 2328 | Rundll32.exe | 34
PID 2328 wrote to memory of 2692 | 2328 | Rundll32.exe | 34
PID 2328 wrote to memory of 2692 | 2328 | Rundll32.exe | 34
PID 2328 wrote to memory of 2692 | 2328 | Rundll32.exe | 34
PID 2328 wrote to memory of 2968 | 2328 | Rundll32.exe | 37
PID 2328 wrote to memory of 2968 | 2328 | Rundll32.exe | 37
PID 2328 wrote to memory of 2968 | 2328 | Rundll32.exe | 37
PID 2328 wrote to memory of 2968 | 2328 | Rundll32.exe | 37
PID 2328 wrote to memory of 2972 | 2328 | Rundll32.exe | 38
PID 2328 wrote to memory of 2972 | 2328 | Rundll32.exe | 38
PID 2328 wrote to memory of 2972 | 2328 | Rundll32.exe | 38
PID 2328 wrote to memory of 2972 | 2328 | Rundll32.exe | 38
PID 2328 wrote to memory of 2704 | 2328 | Rundll32.exe | 39
PID 2328 wrote to memory of 2704 | 2328 | Rundll32.exe | 39
PID 2328 wrote to memory of 2704 | 2328 | Rundll32.exe | 39
PID 2328 wrote to memory of 2704 | 2328 | Rundll32.exe | 39
PID 2328 wrote to memory of 2148 | 2328 | Rundll32.exe | 40
PID 2328 wrote to memory of 2148 | 2328 | Rundll32.exe | 40
PID 2328 wrote to memory of 2148 | 2328 | Rundll32.exe | 40
PID 2328 wrote to memory of 2148 | 2328 | Rundll32.exe | 40
PID 2328 wrote to memory of 812 | 2328 | Rundll32.exe | 27
PID 2328 wrote to memory of 812 | 2328 | Rundll32.exe | 27
PID 2328 wrote to memory of 2424 | 2328 | Rundll32.exe | 29
PID 3056 wrote to memory of 1884 | 3056 | net.exe | 45
PID 3056 wrote to memory of 1884 | 3056 | net.exe | 45
PID 3056 wrote to memory of 1884 | 3056 | net.exe | 45
PID 3056 wrote to memory of 1884 | 3056 | net.exe | 45
PID 2424 wrote to memory of 1708 | 2424 | net.exe | 46
PID 2424 wrote to memory of 1708 | 2424 | net.exe | 46
PID 2424 wrote to memory of 1708 | 2424 | net.exe | 46
PID 2424 wrote to memory of 1708 | 2424 | net.exe | 46
PID 812 wrote to memory of 1752 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 49
PID 812 wrote to memory of 1752 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 49
PID 812 wrote to memory of 1752 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 49
PID 812 wrote to memory of 1752 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 49
PID 812 wrote to memory of 1752 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 49
PID 812 wrote to memory of 1752 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 49
PID 812 wrote to memory of 1752 | 812 | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe | 49
PID 2328 wrote to memory of 2424 | 2328 | Rundll32.exe | 29
PID 2328 wrote to memory of 1828 | 2328 | Rundll32.exe | 50
PID 2328 wrote to memory of 1828 | 2328 | Rundll32.exe | 50
PID 2328 wrote to memory of 1828 | 2328 | Rundll32.exe | 50

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe
Processes (path, command line, PID; nesting shows parent/child)
- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1124
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID 1192
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 1264
  - C:\Users\Admin\AppData\Local\Temp\63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe ("C:\Users\Admin\AppData\Local\Temp\63bba24b5df06c6ef48e6a3ba9e967f8f34cd22df6ed7d9744559f8b8faeb7a9.exe"), PID 812
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\Rundll32.exe (Rundll32 C:\Windows\system32\mwqewctb.dll Exxcute), PID 2328
      Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (net stop WinDefend), PID 2424
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (C:\Windows\system32\net1 stop WinDefend), PID 1708
      - C:\Windows\SysWOW64\net.exe (net stop MpsSvc), PID 3056
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (C:\Windows\system32\net1 stop MpsSvc), PID 1884
      - C:\Windows\SysWOW64\sc.exe (sc config WinDefend start= disabled), PID 2020
        Signatures: Launches sc.exe
      - C:\Windows\SysWOW64\sc.exe (sc config MpsSvc start= disabled), PID 2692
        Signatures: Launches sc.exe
      - C:\Windows\SysWOW64\sc.exe (sc stop ZhuDongFangYu), PID 2968
        Signatures: Launches sc.exe
      - C:\Windows\SysWOW64\sc.exe (sc delete ZhuDongFangYu), PID 2972
        Signatures: Launches sc.exe
      - C:\Windows\SysWOW64\sc.exe (sc stop 360rp), PID 2704
        Signatures: Launches sc.exe
      - C:\Windows\SysWOW64\sc.exe (sc delete 360rp), PID 2148
        Signatures: Launches sc.exe
      - C:\Windows\SysWOW64\sc.exe ("C:\Windows\System32\sc.exe" stop PolicyAgent), PID 1828
        Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\Rundll32.exe (Rundll32 C:\Windows\system32\xlpsectb.dll Exucute), PID 1752
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Adds Run key to start application; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 76KB
  MD5: 571b5bf943a03b56627aae4ccb0841d9
  SHA1: fc0d40a3ed252ab6440466dda2db2967df18e7c6
  SHA256: 4afa0c12a66a020512ea1674be986ea7210f067c38612ac74bc766e86b4283e3
  SHA512: e43bf28477b2da4d07a7134a9a6c54ad1ec348b6dfe93fdc43370f4afc6cbec2540036e8b38b9a45d1a579292a60fcfab580ac8d1c4ecc7b59df333359edf578
- Filesize: 22KB
  MD5: a3ef28ba7455d1c1d64dda9e671ceeb4
  SHA1: f38fb6d8a939f38e629be107669ba33c2d0a5490
  SHA256: ef23a1ba0b5705aa5fe4b3a2b155c793c0cb6d219ad53208ba29594e4693d978
  SHA512: 9b6b25c880b5a73e9b165ac1019005dd4335e024fe7987fd562aa96ca74029b1c8c535938f5623dc223f1cf74f21b1b05c9361b52757267fdd1b34597bf89d3a
- Filesize: 97KB
  MD5: d8370f5d39b0720e57af144619c5dda4
  SHA1: 61707604842697ed62d4c4f6df7d2864a3706f6d
  SHA256: 574066199b9f8e40ee6a00e558fca3e8863e69b78f649d75092cc365839ec6b4
  SHA512: ade63bd7e2d792311afd1488474e64a9fe516c63d6a3be5eb699cd70459ae1f81c19c9e6836f558235d09cad6d4be431c7a18498572d930072799c12ede9d384
- Filesize: 1.7MB
  MD5: b5eb5bd3066959611e1f7a80fd6cc172
  SHA1: 6fb1532059212c840737b3f923a9c0b152c0887a
  SHA256: 1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc
  SHA512: 6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6