Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/07/2024, 22:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: 67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll
- Resource: win7-20240708-en
General
- Target: 67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll
- Size: 120KB
- MD5: 597dc6eacd74e8dc1cb880a07cd42976
- SHA1: 04ef206eb9535b92d352aa0f83f64d8f49bab780
- SHA256: 67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b
- SHA512: bea89e33297877fe2fc0f9853a4e1299cc8289c09ae9cdd5338941d70c26c0f0b355710cf42091c156841610ced1d1ebe20aaf058b4f46d22ead735a02ff31fb
- SSDEEP: 1536:UJGGUHrMT6FJEZVgxyXqqowvgJRDxLD5WhEfiAvgxVhsAKlis6YTO0l+w/UoiWY1:HDmPXPvkD1IEfYxVh9QpT3lN/PSEY
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5b5502.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b7099.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b7099.exe
Executes dropped EXE 4 IoCs
pid | Process
2124 | e5b5502.exe
2508 | e5b5706.exe
3412 | e5b7079.exe
232 | e5b7099.exe
resource | yara_rule
behavioral2/memory/2124-6-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-7-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-10-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-9-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-11-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-12-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-27-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-14-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-33-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-20-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-13-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-37-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-38-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-39-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-40-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-41-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-43-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-44-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-57-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-59-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-60-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-75-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-74-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-80-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-81-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-83-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-84-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-86-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-89-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-91-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/2124-113-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/232-115-0x0000000000B80000-0x0000000001C3A000-memory.dmp | upx
behavioral2/memory/232-163-0x0000000000B80000-0x0000000001C3A000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5b5502.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5b7099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5b7099.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5b7099.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b7099.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e5b5502.exe
File opened (read-only) | \??\L: | e5b5502.exe
File opened (read-only) | \??\O: | e5b5502.exe
File opened (read-only) | \??\Q: | e5b5502.exe
File opened (read-only) | \??\S: | e5b5502.exe
File opened (read-only) | \??\G: | e5b5502.exe
File opened (read-only) | \??\N: | e5b5502.exe
File opened (read-only) | \??\K: | e5b5502.exe
File opened (read-only) | \??\M: | e5b5502.exe
File opened (read-only) | \??\R: | e5b5502.exe
File opened (read-only) | \??\H: | e5b5502.exe
File opened (read-only) | \??\I: | e5b5502.exe
File opened (read-only) | \??\J: | e5b5502.exe
File opened (read-only) | \??\P: | e5b5502.exe
File opened (read-only) | \??\E: | e5b7099.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5b5502.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5b5502.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5b5502.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e5b5502.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e5b5550 | e5b5502.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5b5502.exe
File created | C:\Windows\e5ba64f | e5b7099.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2124 | e5b5502.exe
2124 | e5b5502.exe
2124 | e5b5502.exe
2124 | e5b5502.exe
232 | e5b7099.exe
232 | e5b7099.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2124 | e5b5502.exe
(the same row is recorded 64 times, all for PID 2124 e5b5502.exe)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3908 wrote to memory of 2944 | 3908 | rundll32.exe | 83
PID 3908 wrote to memory of 2944 | 3908 | rundll32.exe | 83
PID 3908 wrote to memory of 2944 | 3908 | rundll32.exe | 83
PID 2944 wrote to memory of 2124 | 2944 | rundll32.exe | 84
PID 2944 wrote to memory of 2124 | 2944 | rundll32.exe | 84
PID 2944 wrote to memory of 2124 | 2944 | rundll32.exe | 84
PID 2124 wrote to memory of 772 | 2124 | e5b5502.exe | 8
PID 2124 wrote to memory of 768 | 2124 | e5b5502.exe | 9
PID 2124 wrote to memory of 60 | 2124 | e5b5502.exe | 13
PID 2124 wrote to memory of 1092 | 2124 | e5b5502.exe | 49
PID 2124 wrote to memory of 2600 | 2124 | e5b5502.exe | 50
PID 2124 wrote to memory of 3096 | 2124 | e5b5502.exe | 51
PID 2124 wrote to memory of 3456 | 2124 | e5b5502.exe | 54
PID 2124 wrote to memory of 3580 | 2124 | e5b5502.exe | 55
PID 2124 wrote to memory of 3760 | 2124 | e5b5502.exe | 56
PID 2124 wrote to memory of 3872 | 2124 | e5b5502.exe | 57
PID 2124 wrote to memory of 3936 | 2124 | e5b5502.exe | 58
PID 2124 wrote to memory of 4052 | 2124 | e5b5502.exe | 59
PID 2124 wrote to memory of 3464 | 2124 | e5b5502.exe | 60
PID 2124 wrote to memory of 1512 | 2124 | e5b5502.exe | 73
PID 2124 wrote to memory of 2732 | 2124 | e5b5502.exe | 75
PID 2124 wrote to memory of 3592 | 2124 | e5b5502.exe | 80
PID 2124 wrote to memory of 1084 | 2124 | e5b5502.exe | 81
PID 2124 wrote to memory of 3908 | 2124 | e5b5502.exe | 82
PID 2124 wrote to memory of 2944 | 2124 | e5b5502.exe | 83
PID 2124 wrote to memory of 2944 | 2124 | e5b5502.exe | 83
PID 2944 wrote to memory of 2508 | 2944 | rundll32.exe | 85
PID 2944 wrote to memory of 2508 | 2944 | rundll32.exe | 85
PID 2944 wrote to memory of 2508 | 2944 | rundll32.exe | 85
PID 2944 wrote to memory of 3412 | 2944 | rundll32.exe | 89
PID 2944 wrote to memory of 3412 | 2944 | rundll32.exe | 89
PID 2944 wrote to memory of 3412 | 2944 | rundll32.exe | 89
PID 2944 wrote to memory of 232 | 2944 | rundll32.exe | 90
PID 2944 wrote to memory of 232 | 2944 | rundll32.exe | 90
PID 2944 wrote to memory of 232 | 2944 | rundll32.exe | 90
PID 2124 wrote to memory of 772 | 2124 | e5b5502.exe | 8
PID 2124 wrote to memory of 768 | 2124 | e5b5502.exe | 9
PID 2124 wrote to memory of 60 | 2124 | e5b5502.exe | 13
PID 2124 wrote to memory of 1092 | 2124 | e5b5502.exe | 49
PID 2124 wrote to memory of 2600 | 2124 | e5b5502.exe | 50
PID 2124 wrote to memory of 3096 | 2124 | e5b5502.exe | 51
PID 2124 wrote to memory of 3456 | 2124 | e5b5502.exe | 54
PID 2124 wrote to memory of 3580 | 2124 | e5b5502.exe | 55
PID 2124 wrote to memory of 3760 | 2124 | e5b5502.exe | 56
PID 2124 wrote to memory of 3872 | 2124 | e5b5502.exe | 57
PID 2124 wrote to memory of 3936 | 2124 | e5b5502.exe | 58
PID 2124 wrote to memory of 4052 | 2124 | e5b5502.exe | 59
PID 2124 wrote to memory of 3464 | 2124 | e5b5502.exe | 60
PID 2124 wrote to memory of 1512 | 2124 | e5b5502.exe | 73
PID 2124 wrote to memory of 2732 | 2124 | e5b5502.exe | 75
PID 2124 wrote to memory of 3592 | 2124 | e5b5502.exe | 80
PID 2124 wrote to memory of 1084 | 2124 | e5b5502.exe | 81
PID 2124 wrote to memory of 2508 | 2124 | e5b5502.exe | 85
PID 2124 wrote to memory of 2508 | 2124 | e5b5502.exe | 85
PID 2124 wrote to memory of 2460 | 2124 | e5b5502.exe | 87
PID 2124 wrote to memory of 4840 | 2124 | e5b5502.exe | 88
PID 2124 wrote to memory of 3412 | 2124 | e5b5502.exe | 89
PID 2124 wrote to memory of 3412 | 2124 | e5b5502.exe | 89
PID 2124 wrote to memory of 232 | 2124 | e5b5502.exe | 90
PID 2124 wrote to memory of 232 | 2124 | e5b5502.exe | 90
PID 232 wrote to memory of 772 | 232 | e5b7099.exe | 8
PID 232 wrote to memory of 768 | 232 | e5b7099.exe | 9
PID 232 wrote to memory of 60 | 232 | e5b7099.exe | 13
PID 232 wrote to memory of 1092 | 232 | e5b7099.exe | 49
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b5502.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5b7099.exe
Processes
Each entry is: image path | command line | PID. Indentation shows the depth in the process tree; the signatures triggered by a process are listed beneath it.
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:768
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
- C:\Windows\system32\sihost.exe | sihost.exe | PID:1092
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2600
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3096
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3456
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll,#1 | PID:3908
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll,#1 | PID:2944
        signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5b5502.exe | C:\Users\Admin\AppData\Local\Temp\e5b5502.exe | PID:2124
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5b5706.exe | C:\Users\Admin\AppData\Local\Temp\e5b5706.exe | PID:2508
          signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5b7079.exe | C:\Users\Admin\AppData\Local\Temp\e5b7079.exe | PID:3412
          signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e5b7099.exe | C:\Users\Admin\AppData\Local\Temp\e5b7099.exe | PID:232
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3580
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3760
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3872
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3936
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4052
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3464
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1512
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2732
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:3592
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1084
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2460
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4840
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: d6f3d6789c6c5a37367781325b361ddc
  SHA1: 94b7364394c950d68d289f5a116a94afe2e94a42
  SHA256: 965f34aaa11d853f4d6f84ce6ef49f64480844ae369816dbbad29251e88bf016
  SHA512: 0fba03b431c8d4ebd357e19e0d722f1abeba6ac9c1799ab8ffdf85ef1172dc7e0dfce0378580d76e10ad44eef27ef943717fb081b3d4d3f150d96dc5e70971d1
- Filesize: 256B
  MD5: 4c6f4acc067c35d8f40fdf652e72ada2
  SHA1: 26f2d51cb26de6f75f16b569d5972e49b7aebae3
  SHA256: 780400150c73f02141161646873d16b292853ae51b5759ee18efbbf0e274c882
  SHA512: 0b1a8cac228231c0b12b016f13a4e6370ac5a904e139a25afc3741b186583c38fb1525fb8915f482b0809c27110579265657ef01dbda22484c35f02793a1bcca