Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/08/2024, 19:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 242c24be996e827979509c71f8574398c0a373ae1d07e67ef6df2c03c61f4edd.dll
- Resource: win7-20240708-en
General
- Target: 242c24be996e827979509c71f8574398c0a373ae1d07e67ef6df2c03c61f4edd.dll
- Size: 120KB
- MD5: bf6f3505ca59136d08d699dca52ff9af
- SHA1: a5774984f78fd1b8320001aa411ab50cee22a742
- SHA256: 242c24be996e827979509c71f8574398c0a373ae1d07e67ef6df2c03c61f4edd
- SHA512: 30fdab92c21a08f81ede70eedb91a798db884ec0d5b36dd72e7e35a1ba94cc1dadf4862c95e8ed7974487e0bfc3940492fad8a601094870ef35b4842ca091e16
- SSDEEP: 1536:zGHBh/EVHy4LDCsixQ0BZ+eADf3atU08WMDBoxGxbFTkXUkmOBgZoaEYFl6l:aT/WDDixQ4boiU08WJ0xxIkaCoaEu
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e587ab9.exe
UAC bypass (heading recovered from the process tree's signature list; counts not present in the extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e587ab9.exe
Windows security bypass (heading recovered from the process tree's signature list; counts not present in the extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e587ab9.exe
Executes dropped EXE (3 IoCs)
pid | Process
456 | e584457.exe
772 | e58461c.exe
4636 | e587ab9.exe
UPX packed file (heading missing in the extraction; name inferred from the upx yara rule)
resource | yara_rule
behavioral2/memory/456-N-0x00000000007E0000-0x000000000189A000-memory.dmp for N = 6, 8, 9, 24, 13, 12, 23, 11, 10, 25, 35, 36, 37, 38, 39, 45, 46, 57, 59, 60, 62, 63, 67 (23 entries) | upx
behavioral2/memory/772-N-0x0000000000B60000-0x0000000001C1A000-memory.dmp for N = 87, 92, 93, 90, 89, 91, 120 (7 entries) | upx
Windows security modification (heading recovered from the process tree's signature list; counts not present in the extraction)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e58461c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e587ab9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e587ab9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e584457.exe
Checks whether UAC is enabled (heading recovered from the process tree's signature list; counts not present in the extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e587ab9.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e584457.exe
File opened (read-only) | \??\K: | e584457.exe
File opened (read-only) | \??\L: | e584457.exe
File opened (read-only) | \??\H: | e584457.exe
File opened (read-only) | \??\G: | e584457.exe
File opened (read-only) | \??\J: | e584457.exe
File opened (read-only) | \??\E: | e587ab9.exe
File opened (read-only) | \??\G: | e587ab9.exe
File opened (read-only) | \??\H: | e587ab9.exe
File opened (read-only) | \??\E: | e584457.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\e5844f3 | e584457.exe
File opened for modification | C:\Windows\SYSTEM.INI | e584457.exe
File created | C:\Windows\e589507 | e58461c.exe
File created | C:\Windows\e58aa16 | e587ab9.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e584457.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e58461c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e587ab9.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
456 | e584457.exe (4 entries)
772 | e58461c.exe (2 entries)
4636 | e587ab9.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 456 | e584457.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 444 wrote to memory of 4736 | 444 | rundll32.exe | 91 (3 entries)
PID 4736 wrote to memory of 456 | 4736 | rundll32.exe | 92 (3 entries)
PID 456 wrote to memory of 804 | 456 | e584457.exe | 9
PID 456 wrote to memory of 808 | 456 | e584457.exe | 10
PID 456 wrote to memory of 376 | 456 | e584457.exe | 13
PID 456 wrote to memory of 2996 | 456 | e584457.exe | 50
PID 456 wrote to memory of 3056 | 456 | e584457.exe | 51
PID 456 wrote to memory of 3100 | 456 | e584457.exe | 52
PID 456 wrote to memory of 3460 | 456 | e584457.exe | 56
PID 456 wrote to memory of 3556 | 456 | e584457.exe | 57
PID 456 wrote to memory of 3772 | 456 | e584457.exe | 58
PID 456 wrote to memory of 3860 | 456 | e584457.exe | 59
PID 456 wrote to memory of 3928 | 456 | e584457.exe | 60
PID 456 wrote to memory of 4052 | 456 | e584457.exe | 61
PID 456 wrote to memory of 4132 | 456 | e584457.exe | 62
PID 456 wrote to memory of 2108 | 456 | e584457.exe | 64
PID 456 wrote to memory of 4624 | 456 | e584457.exe | 76
PID 456 wrote to memory of 2456 | 456 | e584457.exe | 78
PID 456 wrote to memory of 3672 | 456 | e584457.exe | 79
PID 456 wrote to memory of 2472 | 456 | e584457.exe | 80
PID 456 wrote to memory of 5008 | 456 | e584457.exe | 81
PID 456 wrote to memory of 2952 | 456 | e584457.exe | 82
PID 456 wrote to memory of 4968 | 456 | e584457.exe | 88
PID 456 wrote to memory of 3648 | 456 | e584457.exe | 89
PID 456 wrote to memory of 444 | 456 | e584457.exe | 90
PID 456 wrote to memory of 4736 | 456 | e584457.exe | 91 (2 entries)
PID 4736 wrote to memory of 772 | 4736 | rundll32.exe | 93 (3 entries)
PID 456 wrote to memory of 804 | 456 | e584457.exe | 9
PID 456 wrote to memory of 808 | 456 | e584457.exe | 10
PID 456 wrote to memory of 376 | 456 | e584457.exe | 13
PID 456 wrote to memory of 2996 | 456 | e584457.exe | 50
PID 456 wrote to memory of 3056 | 456 | e584457.exe | 51
PID 456 wrote to memory of 3100 | 456 | e584457.exe | 52
PID 456 wrote to memory of 3460 | 456 | e584457.exe | 56
PID 456 wrote to memory of 3556 | 456 | e584457.exe | 57
PID 456 wrote to memory of 3772 | 456 | e584457.exe | 58
PID 456 wrote to memory of 3860 | 456 | e584457.exe | 59
PID 456 wrote to memory of 3928 | 456 | e584457.exe | 60
PID 456 wrote to memory of 4052 | 456 | e584457.exe | 61
PID 456 wrote to memory of 4132 | 456 | e584457.exe | 62
PID 456 wrote to memory of 2108 | 456 | e584457.exe | 64
PID 456 wrote to memory of 4624 | 456 | e584457.exe | 76
PID 456 wrote to memory of 2456 | 456 | e584457.exe | 78
PID 456 wrote to memory of 3672 | 456 | e584457.exe | 79
PID 456 wrote to memory of 2472 | 456 | e584457.exe | 80
PID 456 wrote to memory of 5008 | 456 | e584457.exe | 81
PID 456 wrote to memory of 2952 | 456 | e584457.exe | 82
PID 456 wrote to memory of 4968 | 456 | e584457.exe | 88
PID 456 wrote to memory of 3648 | 456 | e584457.exe | 89
PID 456 wrote to memory of 444 | 456 | e584457.exe | 90
PID 456 wrote to memory of 772 | 456 | e584457.exe | 93 (2 entries)
PID 456 wrote to memory of 5012 | 456 | e584457.exe | 94
PID 456 wrote to memory of 3980 | 456 | e584457.exe | 95
PID 4736 wrote to memory of 4636 | 4736 | rundll32.exe | 103 (3 entries)
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e584457.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e58461c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e587ab9.exe
Processes (path | command line | PID; indentation shows parent/child nesting, signatures listed beneath each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 804
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 808
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 376
C:\Windows\system32\sihost.exe | sihost.exe | PID 2996
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3056
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3100
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3460
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\242c24be996e827979509c71f8574398c0a373ae1d07e67ef6df2c03c61f4edd.dll,#1 | PID 444
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\242c24be996e827979509c71f8574398c0a373ae1d07e67ef6df2c03c61f4edd.dll,#1 | PID 4736
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e584457.exe | C:\Users\Admin\AppData\Local\Temp\e584457.exe | PID 456
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e58461c.exe | C:\Users\Admin\AppData\Local\Temp\e58461c.exe | PID 772
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e587ab9.exe | C:\Users\Admin\AppData\Local\Temp\e587ab9.exe | PID 4636
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3556
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3772
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3860
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3928
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4052
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4132
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2108
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window | PID 2456
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff85c6cd198,0x7ff85c6cd1a4,0x7ff85c6cd1b0 | PID 3672
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2140,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:2 | PID 2472
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1820,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:3 | PID 5008
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2400,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:8 | PID 2952
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3904,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8 | PID 4916
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 4968
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3648
C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID 5012
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3980
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1604
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: b622c2b50d7a8ecc3438f44b7f930253
  SHA1: 333d61e04b8143e546bf894d79cce19a42c5a48e
  SHA256: 4a5a3f86c8836f4f9cd4b37dc04bc02024e3bba70b90e2212c68bd57da14c5e9
  SHA512: 17a7886f2094edaa6862e46891809be3972632fd7ef1cb8435681c5693d9e0f7fc83aaa32027b532dc7f22b1ac9a6999582915778af07889c879427332147e16
- Filesize: 257B
  MD5: 03633f9dd80690802090e67ea0ea68ab
  SHA1: 6528c4c7f767045b173590b0def34da4e4979115
  SHA256: 4daeb4a33d5dd600ced0fb5e65d06300b721ac7b9c8daee795430f539280a353
  SHA512: 4368a486e57cabcaf54b952d2f0cb83ab54b857c66112d74ccece9e1dc0bd4607df4ecf293c71fbe4211687e6756e5c995aa7f9a3f7fb5216d3d4251c977d999