Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 00:49

Behavioral task behavioral1
Sample: 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
Resource: win7-20240704-en

Behavioral task behavioral2
Sample: 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
Resource: win10v2004-20240802-en

The signatures, process tree and downloads below are from behavioral2 (the Windows 10 2004 x64 run); the memory-dump resources in the UPX signature are all prefixed behavioral2/.
General
Target: 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
Size: 1.7MB
MD5: 58a108887f3b8a883ad972f625256851
SHA1: e766b827f09a0afa881cbe1b6484710ce33f2bf0
SHA256: 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d
SHA512: 4c08d788a287816e86d838dd8ee3bca4c4310d7ed340b9c8e0209f3cfc11fa0c36325058101265527218c16fbe3a3032392df74e530bd6fd84dc7e759b4d6af3
SSDEEP: 24576:89SQXgnU56Gt4ULYVI8RGwvrK7/ckFLI78cPR:ssnxUU
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" | reg.exe
The Shell value accepts a comma-separated list, so Explorer still starts normally and Ieupdate.exe is launched next to it at logon. The write landed in the WOW6432Node view because it was made by the 32-bit C:\Windows\SysWOW64\reg.exe (see the process tree); when checking a host, inspect both the native Winlogon key and its WOW6432Node copy.
Modifies firewall policy service (3 TTPs, 10 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\vb6.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Internet Explorer\Ieupdate.exe = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe:*:Enabled:Windows Messanger" | reg.exe
DoNotAllowExceptions = 0 re-enables firewall exceptions and the two AuthorizedApplications\List entries whitelist both payload paths (Ieupdate.exe and vb6.exe) in the `path:*:Enabled:name` format of the legacy StandardProfile policy interface. The sample never writes under FirewallPolicy\FirewallRules, so on a Windows 10 host confirm whether an exception is actually in effect rather than inferring it from these registry writes alone. The misspelled display name "Windows Messanger" is the sample's own string and is usable as a registry indicator.
UAC bypass (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
EnableLUA = 0 turns UAC off, but only after the next reboot, and the write itself needs an already-elevated token, which the sandbox's Admin session supplies. Unlike the Run and Winlogon writes, this one landed in the native view rather than WOW6432Node, because the Policies subtree is shared between 32-bit and 64-bit processes.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | Ieupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" | Ieupdate.exe
These writes come from Ieupdate.exe directly rather than through a reg.exe helper, and they point at the second payload path, C:\Users\Admin\AppData\Roaming\vb6.exe, that the firewall exception above also whitelists.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" | Ieupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3} | Ieupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" | Ieupdate.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3} | Ieupdate.exe
At logon, Windows runs the StubPath of every HKLM Installed Components entry that the logging-on user's HKCU hive does not yet have (or has at a lower Version). The sample writes the GUID under both HKLM (WOW6432Node view) and the current user's HKCU, so the current user is already marked as installed and StubPath fires for other profiles that log on later. The GUID {EAFF07AB-FA6F-2EBB-4DBF-CDBBEA4DDCE3} is a usable host indicator.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
The query comes from the original sample process, not from Ieupdate.exe; the report does not record which GeoID values the sample treats as excluded.
Executes dropped EXE (3 IoCs)
pid | process
4944 | Ieupdate.exe
3424 | Ieupdate.exe
1188 | Ieupdate.exe
UPX packed file (yara rule upx, 24 IoCs)
resource | yara_rule
behavioral2/memory/1396-0-0x0000000000400000-0x00000000005A9000-memory.dmp | upx
behavioral2/files/0x00060000000226c6-40.dat | upx
behavioral2/memory/1396-52-0x0000000000400000-0x00000000005A9000-memory.dmp | upx
behavioral2/memory/4944-55-0x0000000000400000-0x00000000005A9000-memory.dmp | upx
behavioral2/memory/3424-56-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-60-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1188-65-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/1188-63-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/1188-61-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/3424-58-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/4944-70-0x0000000000400000-0x00000000005A9000-memory.dmp | upx
behavioral2/memory/3424-75-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/1188-78-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral2/memory/3424-79-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-82-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-86-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-90-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-94-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-98-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-102-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-106-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-110-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-114-0x0000000000400000-0x000000000045C000-memory.dmp | upx
behavioral2/memory/3424-118-0x0000000000400000-0x000000000045C000-memory.dmp | upx
The rule hits the original sample (PID 1396), the dropped file and all three Ieupdate.exe processes, but the mapped image sizes differ: 0x1A9000 bytes in 1396 and 4944, 0x5C000 in 3424 and 0x9000 in 1188. Both children were started from the same file as 4944 yet run a differently sized image, which fits the SetThreadContext and WriteProcessMemory activity below.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" | Ieupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\vb6.exe" | Ieupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IeUpdate = "C:\\Program Files (x86)\\Internet Explorer\\Ieupdate.exe" | reg.exe
Two autostart entries per hive: IeUpdate (written through reg.exe) and Microsoft (written by Ieupdate.exe itself). The HKLM entries sit under WOW6432Node because every writer here is a 32-bit process; the HKCU entries are not redirected.
Checks whether UAC is enabled (1 IoC)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Ieupdate.exe
The process tree attributes this read to Ieupdate.exe PID 1188; it inspects the same value that reg.exe set to 0 in the UAC bypass signature above.
Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | procid_target
PID 4944 set thread context of 3424 | 4944 | Ieupdate.exe | 109
PID 4944 set thread context of 1188 | 4944 | Ieupdate.exe | 110
Drops file in Program Files directory (5 IoCs)
description | ioc | process
File opened for modification | C:\Program Files (x86)\Internet Explorer\Ieupdate.exe | Ieupdate.exe
File created | C:\Program Files (x86)\Internet Explorer\Ieupdate.txt | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\Ieupdate.txt | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
File created | C:\Program Files (x86)\Internet Explorer\Ieupdate.exe | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\Ieupdate.exe | Ieupdate.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 21 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process (rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (9)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (8)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieupdate.exe (3)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe (1)
Identical rows are collapsed with a count. Seventeen of the 21 hits come from the built-in cmd.exe and reg.exe helpers, which open this key as part of their normal startup; only the reads by the sample and by Ieupdate.exe are attributable to the malware, and the Geo\Nation query above is the stronger geofence indicator.
Modifies registry key (1 TTP, 4 IoCs)
pid | process
4800 | reg.exe
4020 | reg.exe
4640 | reg.exe
3384 | reg.exe
Suspicious use of AdjustPrivilegeToken (37 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1188 | Ieupdate.exe
Token: 1 | 3424 | Ieupdate.exe
Token: SeCreateTokenPrivilege | 3424 | Ieupdate.exe
Token: SeAssignPrimaryTokenPrivilege | 3424 | Ieupdate.exe
Token: SeLockMemoryPrivilege | 3424 | Ieupdate.exe
Token: SeIncreaseQuotaPrivilege | 3424 | Ieupdate.exe
Token: SeMachineAccountPrivilege | 3424 | Ieupdate.exe
Token: SeTcbPrivilege | 3424 | Ieupdate.exe
Token: SeSecurityPrivilege | 3424 | Ieupdate.exe
Token: SeTakeOwnershipPrivilege | 3424 | Ieupdate.exe
Token: SeLoadDriverPrivilege | 3424 | Ieupdate.exe
Token: SeSystemProfilePrivilege | 3424 | Ieupdate.exe
Token: SeSystemtimePrivilege | 3424 | Ieupdate.exe
Token: SeProfSingleProcessPrivilege | 3424 | Ieupdate.exe
Token: SeIncBasePriorityPrivilege | 3424 | Ieupdate.exe
Token: SeCreatePagefilePrivilege | 3424 | Ieupdate.exe
Token: SeCreatePermanentPrivilege | 3424 | Ieupdate.exe
Token: SeBackupPrivilege | 3424 | Ieupdate.exe
Token: SeRestorePrivilege | 3424 | Ieupdate.exe
Token: SeShutdownPrivilege | 3424 | Ieupdate.exe
Token: SeDebugPrivilege | 3424 | Ieupdate.exe
Token: SeAuditPrivilege | 3424 | Ieupdate.exe
Token: SeSystemEnvironmentPrivilege | 3424 | Ieupdate.exe
Token: SeChangeNotifyPrivilege | 3424 | Ieupdate.exe
Token: SeRemoteShutdownPrivilege | 3424 | Ieupdate.exe
Token: SeUndockPrivilege | 3424 | Ieupdate.exe
Token: SeSyncAgentPrivilege | 3424 | Ieupdate.exe
Token: SeEnableDelegationPrivilege | 3424 | Ieupdate.exe
Token: SeManageVolumePrivilege | 3424 | Ieupdate.exe
Token: SeImpersonatePrivilege | 3424 | Ieupdate.exe
Token: SeCreateGlobalPrivilege | 3424 | Ieupdate.exe
Token: 31 | 3424 | Ieupdate.exe
Token: 32 | 3424 | Ieupdate.exe
Token: 33 | 3424 | Ieupdate.exe
Token: 34 | 3424 | Ieupdate.exe
Token: 35 | 3424 | Ieupdate.exe
Token: SeDebugPrivilege | 3424 | Ieupdate.exe
PID 1188 asks only for SeDebugPrivilege. PID 3424 walks every privilege LUID from 1 to 35 in order (the bare numbers are LUIDs the sandbox did not resolve to a name), which is the enable-every-privilege pattern rather than a targeted request, and then asks for SeDebugPrivilege again on its own.
Suspicious use of SetWindowsHookEx (9 IoCs)
pid | process
1396 | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe
4944 | Ieupdate.exe
4944 | Ieupdate.exe
3424 | Ieupdate.exe
1188 | Ieupdate.exe
1188 | Ieupdate.exe
3424 | Ieupdate.exe
3424 | Ieupdate.exe
3424 | Ieupdate.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target | rows
PID 1396 wrote to memory of 3708 | 1396 | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe | 91 | 3
PID 3708 wrote to memory of 3292 | 3708 | cmd.exe | 95 | 3
PID 3708 wrote to memory of 2636 | 3708 | cmd.exe | 96 | 3
PID 1396 wrote to memory of 2948 | 1396 | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe | 99 | 3
PID 2948 wrote to memory of 2216 | 2948 | cmd.exe | 101 | 3
PID 1396 wrote to memory of 4744 | 1396 | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe | 102 | 3
PID 4744 wrote to memory of 1644 | 4744 | cmd.exe | 104 | 3
PID 1396 wrote to memory of 2524 | 1396 | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe | 105 | 3
PID 2524 wrote to memory of 1624 | 2524 | cmd.exe | 107 | 3
PID 1396 wrote to memory of 4944 | 1396 | 7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe | 108 | 3
PID 4944 wrote to memory of 3424 | 4944 | Ieupdate.exe | 109 | 8
PID 4944 wrote to memory of 1188 | 4944 | Ieupdate.exe | 110 | 8
PID 3424 wrote to memory of 4368 | 3424 | Ieupdate.exe | 112 | 3
PID 3424 wrote to memory of 1584 | 3424 | Ieupdate.exe | 113 | 3
PID 3424 wrote to memory of 3412 | 3424 | Ieupdate.exe | 114 | 3
PID 3424 wrote to memory of 3744 | 3424 | Ieupdate.exe | 115 | 3
PID 3412 wrote to memory of 4800 | 3412 | cmd.exe | 121 | 3
PID 4368 wrote to memory of 4020 | 4368 | cmd.exe | 120 | 3
Identical rows are collapsed with a count in the last column (18 distinct parent/child pairs, 64 rows in total). Every ordinary cmd.exe or reg.exe spawn in this run shows exactly three writes and no SetThreadContext; the two Ieupdate.exe children (3424 and 1188) each receive eight writes from 4944 and a SetThreadContext call, the write-then-resume pattern of process hollowing, and run differently sized images than their parent (see the UPX signature). The table stops at 64 rows: the spawns of reg.exe 3384 and 4640 by cmd.exe 1584 and 3744, visible in the process tree, are not included.
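The SetThreadContext and WriteProcessMemory tables above, read together with the per-PID image sizes from the UPX signature, are the injection evidence in this report. The following is an added example, not part of the tria.ge report or the sample: it parses rows in the report's own row format (a constructed subset of the rows above, with each repeated entry expanded to its row count), counts writes per parent/child pair, flags pairs that also show SetThreadContext, and reports when the child's mapped image is a different size from its parent's. The three-writes baseline for a plain cmd.exe/reg.exe spawn is what this particular report shows, not a general constant.

```python
"""Correlate WriteProcessMemory / SetThreadContext rows with in-memory image sizes.

Added example (not the report's or the sample's code). Rows are constructed
from the report's tables, reduced to the pairs needed to show the pattern.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

_EVENT = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\d+)")
_DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")

W, S = "wrote to memory of", "set thread context of"
SAMPLE = "7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe"
Pair = Tuple[int, int]


def _rows(src: int, kind: str, dst: int, name: str, target: int, n: int) -> List[str]:
    """Expand one table entry that the report repeats n times into n identical rows."""
    return [f"PID {src} {kind} {dst} {src} {name} {target}"] * n


# Constructed from the report's tables (a representative subset of the 64 + 2 rows).
EVENT_ROWS = (
    _rows(1396, W, 3708, SAMPLE, 91, 3) + _rows(3708, W, 3292, "cmd.exe", 95, 3)
    + _rows(1396, W, 4944, SAMPLE, 108, 3)
    + _rows(4944, W, 3424, "Ieupdate.exe", 109, 8) + _rows(4944, S, 3424, "Ieupdate.exe", 109, 1)
    + _rows(4944, W, 1188, "Ieupdate.exe", 110, 8) + _rows(4944, S, 1188, "Ieupdate.exe", 110, 1)
    + _rows(3424, W, 4368, "Ieupdate.exe", 112, 3)
)
DUMP_ROWS = [  # one dump per PID is enough; the report lists several per process
    "behavioral2/memory/1396-0-0x0000000000400000-0x00000000005A9000-memory.dmp upx",
    "behavioral2/memory/4944-55-0x0000000000400000-0x00000000005A9000-memory.dmp upx",
    "behavioral2/memory/3424-56-0x0000000000400000-0x000000000045C000-memory.dmp upx",
    "behavioral2/memory/1188-65-0x0000000000400000-0x0000000000409000-memory.dmp upx",
]


def correlate(rows: List[str]) -> Dict[Pair, Dict[str, object]]:
    """Per (parent, child): number of WriteProcessMemory rows and whether SetThreadContext was seen."""
    pairs: Dict[Pair, Dict[str, object]] = defaultdict(
        lambda: {"writes": 0, "set_thread_context": False, "parent": ""})
    for line in rows:
        m = _EVENT.match(line.strip())
        if not m:
            continue  # not an event row (header, blank, other signature)
        src, kind, dst, name = int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
        rec = pairs[(src, dst)]
        rec["parent"] = name
        if kind == W:
            rec["writes"] += 1
        else:
            rec["set_thread_context"] = True
    return dict(pairs)


def image_sizes(rows: List[str]) -> Dict[int, int]:
    """Largest dumped image region per PID; 0x400000 is the default 32-bit PE image base."""
    sizes: Dict[int, int] = {}
    for line in rows:
        m = _DUMP.search(line)
        if m:
            pid, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            sizes[pid] = max(sizes.get(pid, 0), hi - lo)
    return sizes


def hollowing_candidates(pairs: Dict[Pair, Dict[str, object]],
                         sizes: Dict[int, int]) -> List[Tuple[Pair, str]]:
    """Parent->child pairs showing writes followed by SetThreadContext, with the reason text.

    When both PIDs have a dumped image and the sizes differ, that is appended:
    a child started from the same file as its parent should map the same image.
    """
    out: List[Tuple[Pair, str]] = []
    for (src, dst), rec in sorted(pairs.items()):
        if not rec["set_thread_context"]:
            continue
        reason = f"{rec['writes']} writes + SetThreadContext"
        if src in sizes and dst in sizes and sizes[src] != sizes[dst]:
            reason += f"; image size 0x{sizes[dst]:X} in child vs 0x{sizes[src]:X} in parent"
        out.append(((src, dst), reason))
    return out


if __name__ == "__main__":
    for pair, why in hollowing_candidates(correlate(EVENT_ROWS), image_sizes(DUMP_ROWS)):
        print(pair, why)
```

On the rows above this reports (4944, 1188) and (4944, 3424) and nothing else; the cmd.exe and reg.exe spawns drop out because they never receive a SetThreadContext call.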
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe (PID 1396)
    command line: "C:\Users\Admin\AppData\Local\Temp\7ec06423c9b70938c9da4be3b0cb6aa156bf45213bb95b44f0c352069e72587d.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3708)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JNYVYK.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\reg.exe (PID 3292)
        command line: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
        - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\reg.exe (PID 2636)
        command line: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - System Location Discovery: System Language Discovery

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2948)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyKhZ.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\reg.exe (PID 2216)
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

  [2] C:\Windows\SysWOW64\cmd.exe (PID 4744)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eXVQA.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\reg.exe (PID 1644)
        command line: REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2524)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EpSnr.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\reg.exe (PID 1624)
        command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f
        - Modifies WinLogon for persistence
        - System Location Discovery: System Language Discovery

  [2] C:\Program Files (x86)\Internet Explorer\Ieupdate.exe (PID 4944)
      command line: "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Internet Explorer\Ieupdate.exe (PID 3424)
        command line: "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 4368)
          command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe (PID 4020)
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe (PID 1584)
          command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery

        [5] C:\Windows\SysWOW64\reg.exe (PID 3384)
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe (PID 3412)
          command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe (PID 4800)
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe (PID 3744)
          command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery

        [5] C:\Windows\SysWOW64\reg.exe (PID 4640)
            command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

    [3] C:\Program Files (x86)\Internet Explorer\Ieupdate.exe (PID 1188)
        command line: "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2216)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8

The number in brackets is the depth in the tree. The first stage (PID 1396) does all of its registry work through four dropped batch files in %TEMP%, each run by cmd.exe and each calling reg.exe once, then launches the dropped Ieupdate.exe (4944), which injects into two further copies of itself (3424 and 1188). The second of those, 3424, issues the DoNotAllowExceptions command twice (PIDs 4020 and 4800), which is why that value appears twice in the firewall signature. Every process the sample spawns is 32-bit (SysWOW64 paths), so its HKLM\SOFTWARE writes land in the WOW6432Node view. The msedge.exe utility process at the end is a separate root with no relation to the sample; it reuses PID 2216, which earlier belonged to the reg.exe that wrote the HKCU Run key, so correlate by process start time rather than by PID alone.
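The reg.exe command lines in the tree are what an analyst has to map back to the signatures above, and on x64 the key named on the command line is not always the key that gets written. The following is an added example, not part of the tria.ge report or the sample: it tokenises each REG ADD line the way reg.exe sees its arguments, models where a SysWOW64 reg.exe write lands, and classifies the write with the signature names this report uses. The WOW64 model is an assumption kept to what this report shows (everything under HKLM\SOFTWARE redirected except the shared ...\CurrentVersion\Policies subtree; SYSTEM and HKCU untouched), and the classification rules cover only what this sample does. The command lines are copied from the process tree above.

```python
r"""Parse and classify the REG ADD command lines from the process tree above.

Added example (not the report's or the sample's code). The WOW64 model is an
assumption kept to what this report shows: a SysWOW64 process writing under
HKLM\SOFTWARE is redirected to WOW6432Node except below the shared
...\CurrentVersion\Policies subtree; the real redirector's shared list is longer.
"""
import re
from typing import Any, Dict, List, Optional

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
                "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU"}
SHARED_PREFIXES = (r"software\microsoft\windows\currentversion\policies",)
FLAGS = {"/f", "/ve"}                    # reg.exe switches that take no argument
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a double-quoted string or a bare token


def tokenize(cmdline: str) -> List[str]:
    """Split a command line the way reg.exe sees argv: double quotes group, nothing else."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[Dict[str, Any]]:
    """Key/value/type/data of a REG ADD line, or None for any other command.

    Tokens that are neither a switch nor its argument go to "extra": an unquoted
    key containing a space (the Security Center line above) shows up there, and
    reg.exe rejects such a line as invalid syntax, which fits the absence of any
    Security Center write among the report's signatures.
    """
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].upper() != "REG" or toks[1].upper() != "ADD":
        return None
    entry: Dict[str, Any] = {"key": toks[2], "value": "(Default)", "type": "REG_SZ",
                             "data": "", "extra": []}
    field = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        sw = toks[i].lower()
        if sw in field and i + 1 < len(toks):
            entry[field[sw]] = toks[i + 1]
            i += 2
        else:
            if sw not in FLAGS:
                entry["extra"].append(toks[i])
            i += 1
    return entry


def normalize_key(key: str) -> str:
    """Canonical hive name; ControlSet00N (as the sandbox logs it) becomes CurrentControlSet."""
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    rest = re.sub(r"(?i)^system\\controlset\d+\\", lambda m: "SYSTEM\\CurrentControlSet\\", rest)
    return f"{hive}\\{rest}" if rest else hive


def effective_key(key: str, image_path: str) -> str:
    """Where the write lands, given the bitness of the process that made it."""
    hive, _, rest = key.partition("\\")
    low = rest.lower()
    if ("\\syswow64\\" in image_path.lower() and hive == "HKLM"
            and low.startswith("software\\") and not low.startswith("software\\wow6432node\\")
            and not low.startswith(SHARED_PREFIXES)):
        first, _, tail = rest.partition("\\")
        rest = f"{first}\\WOW6432Node\\{tail}"
    return f"{hive}\\{rest}"


def classify(entry: Dict[str, Any]) -> str:
    """Map a write to the signature names used in this report (rules cover only this sample)."""
    k, v, d = entry["key"].lower(), entry["value"].lower(), entry["data"]
    if k.endswith(r"\microsoft\windows nt\currentversion\winlogon") and v == "shell":
        return "Modifies WinLogon for persistence"
    if k.endswith(r"\microsoft\windows\currentversion\run"):
        return "Adds Run key to start application"
    if k.endswith(r"\currentversion\policies\system") and v == "enablelua" and d == "0":
        return "UAC bypass"
    if r"\services\sharedaccess\parameters\firewallpolicy" in k:
        return "Modifies firewall policy service"
    return "unclassified"


def triage(image_path: str, cmdline: str) -> Optional[Dict[str, Any]]:
    entry = parse_reg_add(cmdline)
    if entry is None:
        return None
    entry["key"] = effective_key(normalize_key(entry["key"]), image_path)
    entry["signature"] = classify(entry)
    return entry


def triage_all(observed) -> List[Dict[str, Any]]:
    return [r for r in (triage(img, cmd) for img, cmd in observed) if r is not None]


REG = r"C:\Windows\SysWOW64\reg.exe"
OBSERVED = [  # constructed from the process tree above, in tree order
    (REG, r"REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f"),
    (REG, r"REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    (REG, r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f'),
    (REG, r'REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IeUpdate" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f'),
    (REG, r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /f'),
    (REG, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    (REG, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe" /t REG_SZ /d "C:\Program Files (x86)\Internet Explorer\Ieupdate.exe:*:Enabled:Windows Messanger" /f'),
    (REG, r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\vb6.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\vb6.exe:*:Enabled:Windows Messanger" /f'),
]

if __name__ == "__main__":
    for r in triage_all(OBSERVED):
        extra = f"  (stray tokens: {r['extra']})" if r["extra"] else ""
        print(f"{r['signature']:<34} {r['key']}  [{r['value']}] = {r['data']!r}{extra}")
```

Run as a script it prints one line per command: the HKLM Run and Winlogon writes come out under SOFTWARE\WOW6432Node, the EnableLUA write stays in the native Policies\System key, the HKCU and SYSTEM writes are unchanged, and the Security Center line is reported as unclassified with the stray token "Center". Feeding it command lines from an EDR's process-creation events instead of the constructed list gives the same mapping for live hosts.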
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (7)
Downloads

File 1
Filesize: 1.7MB
MD5: db76dd6adf5e489bc6a57dd20e7fccc4
SHA1: 1cb4be9763f05f600ab3f7028059f92030b1c9de
SHA256: 6f78d93eb11b4525dcfed260aa90f1e59828e8fa769e17237a07da25305506b6
SHA512: a3bb2eb2372a8a3283b94c873200fcbf6e364b1e68d0a8011d80ce0d1e89d3d5978437c8547e886301801b5505408a9be131ad4856836aa2300fd01e249d91f2

File 2
Filesize: 148B
MD5: 5d73853d695283e13b412c88ec62984c
SHA1: 672379399a80a746a8f0d8043bbf98956101d0ca
SHA256: 59884297b763a498c1f55e4ba57f04597ab37677feb9b686839e7553942cf335
SHA512: 9043d02ec14cc4869cc8c01562838c11448e2bff42af32ec0a60de76fa8915c3a3a50529ce567c6cb93d2691525b38862257993674c263ed25f6625e370cb2d2

File 3
Filesize: 181B
MD5: 09d67635a7674b12183c3f0668ce0cd1
SHA1: c3fe2225cc5198a1c33df0342a95528c2e657a6d
SHA256: 972e896e8649a5d2caf286a0d75db99909587b1d2f4683870207b547c3bc02d9
SHA512: b37bdad4fb0e9ab947ea5750337de073907d31156d0d00a1a79392741ced2d1aabf1cc2d92581d7f068266f82cd5b2c10fd7e5c573044e6ce77dea6da6dde321

File 4
Filesize: 274B
MD5: 9fcec2a4ee61953e0d4867261a39ea32
SHA1: d552acf26d9fcc31a9da82ecce503b16a11e9d2a
SHA256: 24c5da914d1f429c07ef17dfb7d4d0c90eb060e5a9bd009963fba83b1dd6cae3
SHA512: 57d8a88138645780357a88658f21f833efa0ba657dd1fefa6458ba930731e1949216b518f26ab995241837bc7e6eff90b46e5cb5ec34364d2f89db09779e5564

File 5
Filesize: 148B
MD5: 3d470539cbafa762cdb72a4635ad553d
SHA1: 4bda3e7de91052dc7d073d8b278ad09ad0d10fa6
SHA256: 9f0571e3567d7e1849c7bd5dd7b7a2be942ec44aea6c8bb32d415874b7282691
SHA512: 42b168fabd5ddd175ccd143d4f9338880aad03eb22d07fb8a2e13f387015b9eb1d23307bff3ae370c95a5644c88c5e9f7c8b12b332b595c79be069ffc92a448e