Analysis
Max time kernel: 148s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13/07/2024, 14:01
Static task: static1
Behavioral task: behavioral1
Sample: 005ff49678b8be60267bb5f5839b2100N.dll
Resource: win7-20240708-en
General
Target: 005ff49678b8be60267bb5f5839b2100N.dll
Size: 120KB
MD5: 005ff49678b8be60267bb5f5839b2100
SHA1: 76bd0b1c9a7c7c3fc003ea2332dc359f7bd1d3e4
SHA256: 4d10371e623bc09f84a9dd08e70a79a8f7d83bf36d5013710daeb303df80e84e
SHA512: 60af9d5eb18bbd99b195d691e41b259a8385516837f78d649b78b1778ca9615f465ee90edbf5117ff8520bdc06ef8d54d770063a8d6f25e6af475ca7375607d3
SSDEEP: 1536:2l7TsJfHTfgA25aeJLSTKPDFI7v5mnKT5QHHsqfJQ17U7PGz3gBpc00rf4DMqj6D:uTAzr2UnKby7v6KlQn5C1uP43Oiizkb
Malware Config
Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bc2c.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bc2c.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bc2c.exe
Executes dropped EXE (3 IoCs)
pid | Process
2304 | e57a0c4.exe
1768 | e57a2d7.exe
3628 | e57bc2c.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a0c4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bc2c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bc2c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a0c4.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bc2c.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | e57a0c4.exe
File opened (read-only) | \??\H: | e57a0c4.exe
File opened (read-only) | \??\I: | e57a0c4.exe
File opened (read-only) | \??\K: | e57a0c4.exe
File opened (read-only) | \??\O: | e57a0c4.exe
File opened (read-only) | \??\Q: | e57a0c4.exe
File opened (read-only) | \??\R: | e57a0c4.exe
File opened (read-only) | \??\M: | e57a0c4.exe
File opened (read-only) | \??\E: | e57a0c4.exe
File opened (read-only) | \??\P: | e57a0c4.exe
File opened (read-only) | \??\S: | e57a0c4.exe
File opened (read-only) | \??\J: | e57a0c4.exe
File opened (read-only) | \??\L: | e57a0c4.exe
File opened (read-only) | \??\N: | e57a0c4.exe
File opened (read-only) | \??\E: | e57bc2c.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57a0c4.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57a0c4.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57a0c4.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57a0c4.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57a18f | e57a0c4.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a0c4.exe
File created | C:\Windows\e57f211 | e57bc2c.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2304 | e57a0c4.exe
2304 | e57a0c4.exe
2304 | e57a0c4.exe
2304 | e57a0c4.exe
3628 | e57bc2c.exe
3628 | e57bc2c.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a0c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bc2c.exe
Processes
Format: image path | command line | tree depth | PID. Indentation follows the tree depth reported by the sandbox; the bullets under an entry are the signatures that process triggered.

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID 780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID 788
C:\Windows\system32\dwm.exe | "dwm.exe" | depth 1 | PID 376
C:\Windows\system32\sihost.exe | sihost.exe | depth 1 | PID 2480
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | depth 1 | PID 2508
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | depth 1 | PID 2652
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | depth 1 | PID 3548
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\005ff49678b8be60267bb5f5839b2100N.dll,#1 | depth 2 | PID 4492
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\005ff49678b8be60267bb5f5839b2100N.dll,#1 | depth 3 | PID 2636
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57a0c4.exe | C:\Users\Admin\AppData\Local\Temp\e57a0c4.exe | depth 4 | PID 2304
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57a2d7.exe | C:\Users\Admin\AppData\Local\Temp\e57a2d7.exe | depth 4 | PID 1768
            - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\e57bc2c.exe | C:\Users\Admin\AppData\Local\Temp\e57bc2c.exe | depth 4 | PID 3628
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | depth 1 | PID 3656
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID 3852
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | depth 1 | PID 3936
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 4000
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | depth 1 | PID 4084
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 4120
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | depth 1 | PID 3156
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 2008
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | depth 1 | PID 464
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID 5048
C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | depth 1 | PID 4700
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 1748
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 1196
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses are the number of matching signatures)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

File 1
Filesize: 97KB
MD5: 597db43f7c222e01b6b778cfcf802266
SHA1: 37dca9ada9e80a0ea8e0e3d52ea7884d867b7066
SHA256: 2d4a3eaed0f3d7f86b285bc8b71e1a3e4363414248ad7cf5be38ae3c6d66ec68
SHA512: c8e5517b6d81fbb5c1dca240064d258eed9cddb602e7745fc3dd20d0317ca1e07e464dffa837662efceb6827ae0d5bb8fcd688c60937fa83851d0eccce1f078a

File 2
Filesize: 257B
MD5: b3e65eacc12709e4e598e130720e93cc
SHA1: 0577ddc60b7b749ab4ed878f9152fb78dcb5d3d8
SHA256: 15d1c6493be6ca15742e9c5fc10b6b221208a8c81b2a8ae508c8ee365a019108
SHA512: 4d381f82dde6a37f74d50c858001588b9b1d7619cd42511162eb3a64c7da23f7520db254e4853274b301e04ac58c4e06b59a4d232cd8e367e4263fed2442116f