Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 23:40
Static task: static1
Behavioral task: behavioral1
Sample: 7b514b21b4a46f94468a9a94f0d2e382bd142a295bb69e6cc3ee2afa59cb554d.dll
Resource: win7-20240221-en
General
Target: 7b514b21b4a46f94468a9a94f0d2e382bd142a295bb69e6cc3ee2afa59cb554d.dll
Size: 120KB
MD5: 3385f70bae0b0a65bace68b5f5efa1c1
SHA1: d37748dc4a135cb2423f0d26a3b830281a30e1ea
SHA256: 7b514b21b4a46f94468a9a94f0d2e382bd142a295bb69e6cc3ee2afa59cb554d
SHA512: 4bf6ad9c90103404d2d8a51cc665c6e4d2cf571c3f928ac9ae43d22d20e3427d367dd9c574f8eceac5477a2edcaae50d9d3af1aae8bf87749a4733c871c021d6
SSDEEP: 1536:mxJp5PC/nSFBbKmuPRA9zqaw+rKfnFH953Vw9qsni7XeBMQKwIlN:mZ5/HbKpPkOaw+oFHvFafiMMzwoN
Malware Config
Extracted
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579d2a.exe
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d2a.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579d2a.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 23 IoCs
UPX dump on OEP (original entry point) 27 IoCs
Executes dropped EXE 3 IoCs
pid | Process
2464 | e576ce3.exe
4316 | e5771a6.exe
4984 | e579d2a.exe
Matches YARA rule upx 23 IoCs
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576ce3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579d2a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576ce3.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576ce3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d2a.exe
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e579d2a.exe
File opened (read-only) | \??\G: | e579d2a.exe
File opened (read-only) | \??\E: | e576ce3.exe
File opened (read-only) | \??\G: | e576ce3.exe
File opened (read-only) | \??\H: | e576ce3.exe
File opened (read-only) | \??\I: | e576ce3.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e576ce3.exe
File created | C:\Windows\e57c5f0 | e579d2a.exe
File created | C:\Windows\e576eb8 | e576ce3.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2464 | e576ce3.exe
2464 | e576ce3.exe
2464 | e576ce3.exe
2464 | e576ce3.exe
4984 | e579d2a.exe
4984 | e579d2a.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2464 | e576ce3.exe
(all 64 rows of this signature are identical to the one above)
Suspicious use of WriteProcessMemory 64 IoCs
(each distinct row is listed once; the report repeats several of them)
description | pid | Process | procid_target
PID 3496 wrote to memory of 2468 | 3496 | rundll32.exe | 83
PID 2468 wrote to memory of 2464 | 2468 | rundll32.exe | 86
PID 2464 wrote to memory of 788 | 2464 | e576ce3.exe | 9
PID 2464 wrote to memory of 796 | 2464 | e576ce3.exe | 10
PID 2464 wrote to memory of 64 | 2464 | e576ce3.exe | 13
PID 2464 wrote to memory of 2492 | 2464 | e576ce3.exe | 43
PID 2464 wrote to memory of 2500 | 2464 | e576ce3.exe | 44
PID 2464 wrote to memory of 2728 | 2464 | e576ce3.exe | 51
PID 2464 wrote to memory of 3404 | 2464 | e576ce3.exe | 56
PID 2464 wrote to memory of 3528 | 2464 | e576ce3.exe | 57
PID 2464 wrote to memory of 3720 | 2464 | e576ce3.exe | 58
PID 2464 wrote to memory of 3844 | 2464 | e576ce3.exe | 59
PID 2464 wrote to memory of 3912 | 2464 | e576ce3.exe | 60
PID 2464 wrote to memory of 4008 | 2464 | e576ce3.exe | 61
PID 2464 wrote to memory of 4148 | 2464 | e576ce3.exe | 62
PID 2464 wrote to memory of 488 | 2464 | e576ce3.exe | 64
PID 2464 wrote to memory of 1988 | 2464 | e576ce3.exe | 74
PID 2464 wrote to memory of 3516 | 2464 | e576ce3.exe | 78
PID 2464 wrote to memory of 4312 | 2464 | e576ce3.exe | 79
PID 2464 wrote to memory of 1156 | 2464 | e576ce3.exe | 80
PID 2464 wrote to memory of 3496 | 2464 | e576ce3.exe | 82
PID 2464 wrote to memory of 2468 | 2464 | e576ce3.exe | 83
PID 2464 wrote to memory of 3232 | 2464 | e576ce3.exe | 84
PID 2464 wrote to memory of 1956 | 2464 | e576ce3.exe | 85
PID 2468 wrote to memory of 4316 | 2468 | rundll32.exe | 87
PID 2468 wrote to memory of 4984 | 2468 | rundll32.exe | 91
PID 2464 wrote to memory of 4316 | 2464 | e576ce3.exe | 87
PID 2464 wrote to memory of 3428 | 2464 | e576ce3.exe | 88
PID 4984 wrote to memory of 788 | 4984 | e579d2a.exe | 9
PID 4984 wrote to memory of 796 | 4984 | e579d2a.exe | 10
PID 4984 wrote to memory of 64 | 4984 | e579d2a.exe | 13
PID 4984 wrote to memory of 2492 | 4984 | e579d2a.exe | 43
PID 4984 wrote to memory of 2500 | 4984 | e579d2a.exe | 44
PID 4984 wrote to memory of 2728 | 4984 | e579d2a.exe | 51
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579d2a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576ce3.exe
Processes
Each entry reads: image path | command line | PID. Indentation follows the tree depth given in the report, and the signatures a process triggered are listed beneath it.

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 796
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 64
C:\Windows\system32\sihost.exe | sihost.exe | PID 2492
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2500
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2728
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3404
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b514b21b4a46f94468a9a94f0d2e382bd142a295bb69e6cc3ee2afa59cb554d.dll,#1 | PID 3496
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b514b21b4a46f94468a9a94f0d2e382bd142a295bb69e6cc3ee2afa59cb554d.dll,#1 | PID 2468
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e576ce3.exe | C:\Users\Admin\AppData\Local\Temp\e576ce3.exe | PID 2464
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5771a6.exe | C:\Users\Admin\AppData\Local\Temp\e5771a6.exe | PID 4316
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e579d2a.exe | C:\Users\Admin\AppData\Local\Temp\e579d2a.exe | PID 4984
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3528
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3720
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3844
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3912
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4008
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4148
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 488
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 1988
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID 3516
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 4312
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 1156
C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID 3232
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1956
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3428
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
File 1
Filesize: 97KB
MD5: 4f51ced9b00d8efbd4d2d22595c838d1
SHA1: 2821b87d10cb4b540d315f484775db1dc75064c4
SHA256: e8fb57785510af08049f6569d7a8385baee59ca5e884bdc427bf30c8a36d1711
SHA512: f3ed3cb40c48f9331715feb98dd619820998781e53657a1c49660fdce6b2ac523c0b985b92982478c0468d5ead160b84d1b34e87c0904d0c98a802cfaf675eb1

File 2
Filesize: 257B
MD5: 4801230866f4dad434b80b989cec7993
SHA1: 8630265c93230208248cbb8ee2f45a089ed93c5b
SHA256: 992ffb71887a92b084158e6661ffc8b815c31d6d6c77a36bc2a0ff5e0fb71a99
SHA512: 4dd6808556ca206288921c5f367cb894c21f5651baa92704e33647fcb05b55cadbe27d2195ac18dcc2f8ef1aaae7b4cc2e12350696b4cae3f3df1347bc4ed75e