Analysis
max time kernel: 108s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2024, 12:54
Static task: static1
Behavioral task: behavioral1
Sample: 98b81a3a7263b67c71fbb2eb8f84da30N.dll
Resource: win7-20240705-en
General
Target: 98b81a3a7263b67c71fbb2eb8f84da30N.dll
Size: 120KB
MD5: 98b81a3a7263b67c71fbb2eb8f84da30
SHA1: b7386e53c8155498dc131f15e02236f4e9eed8b6
SHA256: 11c347cfadfac26009173311446608c248aa129a33812ff69846ca5b197174e7
SHA512: f2a94469988645f5e2cd0bdb21301da470e97f01eadd60ddedf7f0324cf338696ae92855561a2856a48991dd66a6d57c6431b06b71d17da2e5dd5502800f4581
SSDEEP: 3072:rQaiyuSMuLG3MDoDAtDLNztUqTq7MtZ/KXeXJyfDvD4KqNq:r+S/VDoDAtDcjm0eXJyfX4Hq
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d503.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d503.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d503.exe
Executes dropped EXE (3 IoCs)
pid | Process
3480 | e57b94d.exe
2500 | e57bab5.exe
444 | e57d503.exe
resource | yara_rule
behavioral2/memory/3480-6-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-9-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-11-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-10-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-8-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-12-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-25-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-32-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-34-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-33-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-35-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-36-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-37-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-38-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-39-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-41-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-42-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-50-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-52-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-54-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-65-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-66-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-69-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-71-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-73-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-75-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-76-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-85-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/3480-86-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/444-123-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
behavioral2/memory/3480-91-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/444-154-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d503.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d503.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d503.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d503.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d503.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e57b94d.exe
File opened (read-only) | \??\K: | e57b94d.exe
File opened (read-only) | \??\M: | e57b94d.exe
File opened (read-only) | \??\N: | e57b94d.exe
File opened (read-only) | \??\I: | e57b94d.exe
File opened (read-only) | \??\Q: | e57b94d.exe
File opened (read-only) | \??\E: | e57d503.exe
File opened (read-only) | \??\J: | e57b94d.exe
File opened (read-only) | \??\L: | e57b94d.exe
File opened (read-only) | \??\O: | e57b94d.exe
File opened (read-only) | \??\R: | e57b94d.exe
File opened (read-only) | \??\G: | e57b94d.exe
File opened (read-only) | \??\H: | e57b94d.exe
File opened (read-only) | \??\P: | e57b94d.exe
File opened (read-only) | \??\S: | e57b94d.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57b94d.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57b94d.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57b94d.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57b94d.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57b9bb | e57b94d.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57b94d.exe
File created | C:\Windows\e580a0d | e57d503.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b94d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bab5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57d503.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3480 | e57b94d.exe
3480 | e57b94d.exe
3480 | e57b94d.exe
3480 | e57b94d.exe
444 | e57d503.exe
444 | e57d503.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3480 | e57b94d.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3952 wrote to memory of 5000 | 3952 | rundll32.exe | 84
PID 3952 wrote to memory of 5000 | 3952 | rundll32.exe | 84
PID 3952 wrote to memory of 5000 | 3952 | rundll32.exe | 84
PID 5000 wrote to memory of 3480 | 5000 | rundll32.exe | 85
PID 5000 wrote to memory of 3480 | 5000 | rundll32.exe | 85
PID 5000 wrote to memory of 3480 | 5000 | rundll32.exe | 85
PID 3480 wrote to memory of 772 | 3480 | e57b94d.exe | 8
PID 3480 wrote to memory of 776 | 3480 | e57b94d.exe | 9
PID 3480 wrote to memory of 60 | 3480 | e57b94d.exe | 13
PID 3480 wrote to memory of 2624 | 3480 | e57b94d.exe | 44
PID 3480 wrote to memory of 2640 | 3480 | e57b94d.exe | 45
PID 3480 wrote to memory of 2764 | 3480 | e57b94d.exe | 47
PID 3480 wrote to memory of 3444 | 3480 | e57b94d.exe | 56
PID 3480 wrote to memory of 3596 | 3480 | e57b94d.exe | 57
PID 3480 wrote to memory of 3780 | 3480 | e57b94d.exe | 58
PID 3480 wrote to memory of 3868 | 3480 | e57b94d.exe | 59
PID 3480 wrote to memory of 3928 | 3480 | e57b94d.exe | 60
PID 3480 wrote to memory of 4008 | 3480 | e57b94d.exe | 61
PID 3480 wrote to memory of 4120 | 3480 | e57b94d.exe | 62
PID 3480 wrote to memory of 4100 | 3480 | e57b94d.exe | 75
PID 3480 wrote to memory of 1684 | 3480 | e57b94d.exe | 76
PID 3480 wrote to memory of 1808 | 3480 | e57b94d.exe | 81
PID 3480 wrote to memory of 2668 | 3480 | e57b94d.exe | 82
PID 3480 wrote to memory of 3952 | 3480 | e57b94d.exe | 83
PID 3480 wrote to memory of 5000 | 3480 | e57b94d.exe | 84
PID 3480 wrote to memory of 5000 | 3480 | e57b94d.exe | 84
PID 5000 wrote to memory of 2500 | 5000 | rundll32.exe | 86
PID 5000 wrote to memory of 2500 | 5000 | rundll32.exe | 86
PID 5000 wrote to memory of 2500 | 5000 | rundll32.exe | 86
PID 5000 wrote to memory of 444 | 5000 | rundll32.exe | 96
PID 5000 wrote to memory of 444 | 5000 | rundll32.exe | 96
PID 5000 wrote to memory of 444 | 5000 | rundll32.exe | 96
PID 3480 wrote to memory of 772 | 3480 | e57b94d.exe | 8
PID 3480 wrote to memory of 776 | 3480 | e57b94d.exe | 9
PID 3480 wrote to memory of 60 | 3480 | e57b94d.exe | 13
PID 3480 wrote to memory of 2624 | 3480 | e57b94d.exe | 44
PID 3480 wrote to memory of 2640 | 3480 | e57b94d.exe | 45
PID 3480 wrote to memory of 2764 | 3480 | e57b94d.exe | 47
PID 3480 wrote to memory of 3444 | 3480 | e57b94d.exe | 56
PID 3480 wrote to memory of 3596 | 3480 | e57b94d.exe | 57
PID 3480 wrote to memory of 3780 | 3480 | e57b94d.exe | 58
PID 3480 wrote to memory of 3868 | 3480 | e57b94d.exe | 59
PID 3480 wrote to memory of 3928 | 3480 | e57b94d.exe | 60
PID 3480 wrote to memory of 4008 | 3480 | e57b94d.exe | 61
PID 3480 wrote to memory of 4120 | 3480 | e57b94d.exe | 62
PID 3480 wrote to memory of 4100 | 3480 | e57b94d.exe | 75
PID 3480 wrote to memory of 1684 | 3480 | e57b94d.exe | 76
PID 3480 wrote to memory of 1808 | 3480 | e57b94d.exe | 81
PID 3480 wrote to memory of 2500 | 3480 | e57b94d.exe | 86
PID 3480 wrote to memory of 2500 | 3480 | e57b94d.exe | 86
PID 3480 wrote to memory of 452 | 3480 | e57b94d.exe | 88
PID 3480 wrote to memory of 3936 | 3480 | e57b94d.exe | 89
PID 3480 wrote to memory of 444 | 3480 | e57b94d.exe | 96
PID 3480 wrote to memory of 444 | 3480 | e57b94d.exe | 96
PID 444 wrote to memory of 772 | 444 | e57d503.exe | 8
PID 444 wrote to memory of 776 | 444 | e57d503.exe | 9
PID 444 wrote to memory of 60 | 444 | e57d503.exe | 13
PID 444 wrote to memory of 2624 | 444 | e57d503.exe | 44
PID 444 wrote to memory of 2640 | 444 | e57d503.exe | 45
PID 444 wrote to memory of 2764 | 444 | e57d503.exe | 47
PID 444 wrote to memory of 3444 | 444 | e57d503.exe | 56
PID 444 wrote to memory of 3596 | 444 | e57d503.exe | 57
PID 444 wrote to memory of 3780 | 444 | e57d503.exe | 58
PID 444 wrote to memory of 3868 | 444 | e57d503.exe | 59
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b94d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d503.exe
Processes (indentation shows parent/child depth; each entry lists the image path, the command line, matched signatures, and the PID)

C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  PID:772

C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  PID:776

C:\Windows\system32\dwm.exe
  "dwm.exe"
  PID:60

C:\Windows\system32\sihost.exe
  sihost.exe
  PID:2624

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID:2640

C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID:2764

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  PID:3444

  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\98b81a3a7263b67c71fbb2eb8f84da30N.dll,#1
    - Suspicious use of WriteProcessMemory
    PID:3952

    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\98b81a3a7263b67c71fbb2eb8f84da30N.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5000

      C:\Users\Admin\AppData\Local\Temp\e57b94d.exe
        C:\Users\Admin\AppData\Local\Temp\e57b94d.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:3480

      C:\Users\Admin\AppData\Local\Temp\e57bab5.exe
        C:\Users\Admin\AppData\Local\Temp\e57bab5.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:2500

      C:\Users\Admin\AppData\Local\Temp\e57d503.exe
        C:\Users\Admin\AppData\Local\Temp\e57d503.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:444

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3596

C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID:3868

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID:4008

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID:4100

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:1684

C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID:1808

C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID:2668

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:452

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3936
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matched signatures)
Tactic | Technique | Sub-technique
Privilege Escalation | Abuse Elevation Control Mechanism (1) | Bypass User Account Control (1)
Privilege Escalation | Create or Modify System Process (1) | Windows Service (1)
Defense Evasion | Abuse Elevation Control Mechanism (1) | Bypass User Account Control (1)
Defense Evasion | Impair Defenses (4) | Disable or Modify System Firewall (1)
Defense Evasion | Impair Defenses (4) | Disable or Modify Tools (3)
Defense Evasion | Modify Registry (5) |
Downloads

Filesize: 97KB
MD5: e71590872e0bd32b42369d673a8035a7
SHA1: 3591a0e05c889700b578a8961ad9932561df35ae
SHA256: bb0398f76df6d6e8ea0e08cf848cf6a249c03e8a6c97dafd26f0316abadc0a2a
SHA512: b158ef72afdb910542d4aefe0448cb955b1d326ead555d46b151f4e9d6d9df62467bf5ec18a82e66e8919c2b5a850f7880db61e77d58fd5075e7b128dee220c0

Filesize: 257B
MD5: fccffe8f74b2f9b56da0362721feb725
SHA1: 3aed87ba74c5c5437b0ff174a0f0394b58cc020b
SHA256: e951cac02557c5e9febc16234bd0fc9f3d1f8bb93fcb4b49f374b42fc22ba572
SHA512: 46769b07ede15babf75e5711943df55204364d38b4e9587deede5ea5dc0227674471863cba8b086bc26b816988998a0e525780aa116413bd15c2b2f6255a4c0b