Analysis

max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 14:49

Static task: static1
Behavioral task: behavioral1
  Sample: 0768fbb50e2e83bc87248cc48e36dc3c3b6f22cf59ac1ee9dd3e8a60e22792b1N.dll
  Resource: win7-20240903-en
General

Target: 0768fbb50e2e83bc87248cc48e36dc3c3b6f22cf59ac1ee9dd3e8a60e22792b1N.dll
Size: 120KB
MD5: 8f7aa4045176c2123252c7f8bb6ea6b0
SHA1: cda00035c77c513167cf8948455da7e1b1fa0ba8
SHA256: 0768fbb50e2e83bc87248cc48e36dc3c3b6f22cf59ac1ee9dd3e8a60e22792b1
SHA512: d231a9a84c6096cd03f871835df0ed32736b1207fadfd3c5797b4f7355b9dc9f7fd4515103a29fdc09774737b55e59989ed1ff17afad5bcf1160612355ca7d3f
SSDEEP: 3072:RB7CtxlSlOBZ94N3jvbV3o6lfom+mIHJhnK:PG52OBZKFDfjeh

Malware Config

Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
  description      ioc                                                                                                                              process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e57a78a.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57a78a.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57a78a.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        e57c66d.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e57c66d.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e57c66d.exe

UAC bypass  (2 IoCs)
  description      ioc                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a78a.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c66d.exe

Windows security bypass  (12 IoCs)
  All rows are "Set value (int)" under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
  e57a78a.exe: AntiVirusDisableNotify = "1", AntiVirusOverride = "1", FirewallDisableNotify = "1", FirewallOverride = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1"
  e57c66d.exe: AntiVirusDisableNotify = "1", AntiVirusOverride = "1", FirewallDisableNotify = "1", FirewallOverride = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1"

Executes dropped EXE  (4 IoCs)
  pid   process
  4844  e57a78a.exe
  4520  e57a9ad.exe
  1452  e57c64d.exe
  1836  e57c66d.exe

Windows security modification  (14 IoCs)
  All rows are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
  e57a78a.exe: Set value (int) AntiVirusDisableNotify = "1", AntiVirusOverride = "1", FirewallDisableNotify = "1", FirewallOverride = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1"; Key created ...\Security Center\Svc
  e57c66d.exe: Set value (int) AntiVirusDisableNotify = "1", AntiVirusOverride = "1", FirewallDisableNotify = "1", FirewallOverride = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1"; Key created ...\Security Center\Svc

Checks whether UAC is enabled  (2 IoCs)
  description      ioc                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c66d.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a78a.exe

Enumerates connected drives  (3 TTPs, 14 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc                                                                      process
  File opened (read-only)  \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:  e57a78a.exe
  File opened (read-only)  \??\E:, \??\G:                                                           e57c66d.exe

UPX  (yara rule "upx" matched on memory dumps, 31 matches)
  resource                                                                      yara_rule
  behavioral2/memory/4844-N-0x0000000000740000-0x00000000017FA000-memory.dmp     upx   for N in 8, 9, 10, 11, 12, 13, 14, 15, 16, 22, 37, 38, 39, 40, 41, 56, 57, 58, 59, 74, 76, 79, 80, 83, 84, 86, 88, 92, 93
  behavioral2/memory/1836-N-0x0000000000B20000-0x0000000001BDA000-memory.dmp     upx   for N in 123, 162

Drops file in Program Files directory  (4 IoCs)
  description                   ioc                                      process
  File opened for modification  C:\Program Files\7-Zip\7z.exe            e57a78a.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe          e57a78a.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe           e57a78a.exe
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe     e57a78a.exe

Drops file in Windows directory  (3 IoCs)
  description                   ioc                     process
  File opened for modification  C:\Windows\SYSTEM.INI   e57a78a.exe
  File created                  C:\Windows\e57f8f6      e57c66d.exe
  File created                  C:\Windows\e57a7d9      e57a78a.exe

System Location Discovery: System Language Discovery  (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57c64d.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57c66d.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a78a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e57a9ad.exe

Suspicious behavior: EnumeratesProcesses  (6 IoCs)
  pid   process       rows
  4844  e57a78a.exe   x4
  1836  e57c66d.exe   x2

Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4844  e57a78a.exe   (all 64 rows are this same entry)

Suspicious use of WriteProcessMemory  (64 IoCs)
  64 rows, grouped here by source and target; "procid_target" is the report's own process index.
  source (pid, image)   ->  target pid (procid_target)                                                                                                     rows
  3164 rundll32.exe     ->  1856 (81)                                                                                                                       x3
  1856 rundll32.exe     ->  4844 (82)                                                                                                                       x3
  1856 rundll32.exe     ->  4520 (83)                                                                                                                       x3
  1856 rundll32.exe     ->  1452 (85)                                                                                                                       x3
  1856 rundll32.exe     ->  1836 (86)                                                                                                                       x3
  4844 e57a78a.exe      ->  796 (9), 804 (10), 384 (13), 852 (51), 2508 (52), 3108 (53), 3376 (56), 3552 (57), 3740 (58), 3832 (59), 3896 (60), 3980 (61), 3416 (62), 4508 (64), 3824 (74)   x2 each
  4844 e57a78a.exe      ->  3164 (80)                                                                                                                       x1
  4844 e57a78a.exe      ->  1856 (81)                                                                                                                       x2
  4844 e57a78a.exe      ->  4520 (83), 1452 (85), 1836 (86)                                                                                                  x2 each
  1836 e57c66d.exe      ->  796 (9), 804 (10), 384 (13), 852 (51), 2508 (52), 3108 (53), 3376 (56), 3552 (57), 3740 (58), 3832 (59)                            x1 each
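The WriteProcessMemory table above is noisy because a parent legitimately writes into a child it is launching; what matters for triage is which processes write into many processes they did not spawn, and which write back into their own loader chain. The following Python is an added example (not code from tria.ge or from the sample) that reduces rows in the flattened form shown above to that picture. It takes a subset of the report's rows as input, transcribes the PID-to-image and parent relationships from the Processes section of this report, and uses an assumed fan-out threshold of three.

```python
"""Reduce sandbox 'wrote to memory of' rows to an injection picture.

Added example for this report, not tria.ge's code. Row format parsed:
"PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
"""
import re
from collections import defaultdict

# PID -> image name, copied from the Processes section of the report.
PROCESS_NAMES = {
    796: "fontdrvhost.exe", 804: "fontdrvhost.exe", 384: "dwm.exe", 852: "sihost.exe",
    2508: "svchost.exe", 3108: "taskhostw.exe", 3376: "Explorer.EXE", 3552: "svchost.exe",
    3740: "DllHost.exe", 3832: "StartMenuExperienceHost.exe", 3896: "RuntimeBroker.exe",
    3980: "SearchApp.exe", 3416: "RuntimeBroker.exe", 4508: "RuntimeBroker.exe",
    3824: "TextInputHost.exe", 3164: "rundll32.exe", 1856: "rundll32.exe",
    4844: "e57a78a.exe", 4520: "e57a9ad.exe", 1452: "e57c64d.exe", 1836: "e57c66d.exe",
}
# child PID -> parent PID, from the process tree (rundll32 3164 -> 1856 -> four dropped EXEs).
PARENT = {1856: 3164, 4844: 1856, 4520: 1856, 1452: 1856, 1836: 1856}

# Subset of the report's rows, one per line, in the flattened form above.
SAMPLE_ROWS = """\
PID 3164 wrote to memory of 1856 3164 rundll32.exe 81
PID 1856 wrote to memory of 4844 1856 rundll32.exe 82
PID 4844 wrote to memory of 796 4844 e57a78a.exe 9
PID 4844 wrote to memory of 804 4844 e57a78a.exe 10
PID 4844 wrote to memory of 384 4844 e57a78a.exe 13
PID 4844 wrote to memory of 852 4844 e57a78a.exe 51
PID 4844 wrote to memory of 3376 4844 e57a78a.exe 56
PID 4844 wrote to memory of 3164 4844 e57a78a.exe 80
PID 4844 wrote to memory of 1856 4844 e57a78a.exe 81
PID 4844 wrote to memory of 796 4844 e57a78a.exe 9
PID 1856 wrote to memory of 4520 1856 rundll32.exe 83
PID 1856 wrote to memory of 1836 1856 rundll32.exe 86
PID 1836 wrote to memory of 796 1836 e57c66d.exe 9
PID 1836 wrote to memory of 384 1836 e57c66d.exe 13
PID 1836 wrote to memory of 3376 1836 e57c66d.exe 56
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """Yield (src_pid, src_image, dst_pid); rows whose two pid columns disagree are dropped."""
    for m in ROW_RE.finditer(text):
        src, dst, src_again, image, _procid_target = m.groups()
        if src == src_again:
            yield int(src), image, int(dst)


def fan_out(text):
    """{(src_pid, image): set of distinct target pids} (duplicate rows collapse)."""
    targets = defaultdict(set)
    for src, image, dst in parse_rows(text):
        targets[(src, image)].add(dst)
    return dict(targets)


def injection_sweeps(text, min_targets=3):
    """Sources writing into >= min_targets distinct processes that are neither
    themselves nor a child they spawned: the shape of a walk over the process
    list rather than a parent initialising its own child.  Threshold is assumed."""
    out = []
    for (src, image), dsts in fan_out(text).items():
        foreign = sorted(d for d in dsts if d != src and PARENT.get(d) != src)
        if len(foreign) >= min_targets:
            out.append((src, image, foreign))
    return sorted(out)


def ancestors(pid):
    chain = []
    while pid in PARENT:
        pid = PARENT[pid]
        chain.append(pid)
    return chain


def writes_to_ancestor(text):
    """(src, dst) pairs where a process writes back into its own loader chain."""
    return sorted({(s, d) for s, _, d in parse_rows(text) if d in ancestors(s)})


def names(pids):
    return [PROCESS_NAMES.get(p, f"pid {p}") for p in pids]


if __name__ == "__main__":
    for src, image, targets in injection_sweeps(SAMPLE_ROWS):
        print(f"{src} {image} -> {len(targets)} foreign processes: {', '.join(names(targets))}")
    print("writes into own ancestors:", writes_to_ancestor(SAMPLE_ROWS))
```

On the sample rows this flags e57a78a.exe (seven foreign targets, including both rundll32 loaders above it) and e57c66d.exe (three), while the rundll32 instances that only write into the children they launched drop out.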
System policy modification  (1 TTPs, 2 IoCs)
  description      ioc                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57a78a.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e57c66d.exe
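The registry signatures above (firewall policy, EnableLUA, Security Center notify/override values) are individually weak signals, since an administrator can legitimately flip any one of them, but the sample sets most of them in one burst. The following Python is an added example (not code from tria.ge or from the sample) of detection logic over registry-set telemetry: it normalises native and WOW6432Node paths to one canonical form, scores each process by the number of distinct defence-weakening values it wrote, and emits reg.exe commands that restore the defaults. The line format (process, path, value separated by tabs) is an assumed simplification of an export, the sample events are constructed to mirror the IoCs above, and the threshold of three is an assumption.

```python
"""Score processes by the defence-weakening registry writes they make.

Added example for this report, not tria.ge's or the sample's code.
Input: one event per line, "process<TAB>registry path<TAB>value" (assumed format).
"""
import re
from collections import defaultdict

# Canonical value paths (lower-case, CurrentControlSet, WOW6432Node stripped)
# mapped to the value that indicates tampering.  Taken from the report's IoCs.
TAMPER_INDICATORS = {
    r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\enablefirewall": "0",
    r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\donotallowexceptions": "0",
    r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\disablenotifications": "1",
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": "0",
    r"hklm\software\microsoft\security center\antivirusdisablenotify": "1",
    r"hklm\software\microsoft\security center\antivirusoverride": "1",
    r"hklm\software\microsoft\security center\firewalldisablenotify": "1",
    r"hklm\software\microsoft\security center\firewalloverride": "1",
    r"hklm\software\microsoft\security center\updatesdisablenotify": "1",
    r"hklm\software\microsoft\security center\uacdisablenotify": "1",
}

# Constructed sample events modelled on the 'Set value (int)' IoCs in the report,
# plus two benign writes (a safe value and an unrelated key) that must not score.
SAMPLE_EVENTS = """\
e57a78a.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall\t0
e57a78a.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions\t0
e57a78a.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications\t1
e57a78a.exe\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\t0
e57a78a.exe\t\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\AntiVirusOverride\t1
e57a78a.exe\t\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\FirewallOverride\t1
e57a78a.exe\t\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\UacDisableNotify\t1
svchost.exe\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify\t0
explorer.exe\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\t1
"""


def normalise_key(path):
    """Map a kernel-style \\REGISTRY\\MACHINE\\... path to the canonical form used above."""
    p = path.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\")
    p = re.sub(r"\\controlset\d+\\", r"\\currentcontrolset\\", p)
    p = p.replace("\\wow6432node\\", "\\")
    return p


def classify(path, value):
    """Return the canonical indicator path if this write weakens defences, else None."""
    key = normalise_key(path)
    return key if TAMPER_INDICATORS.get(key) == str(value) else None


def parse_events(lines):
    for line in lines:
        line = line.rstrip("\r\n")
        if line.strip():
            process, path, value = line.split("\t")
            yield process, path, value


def score_events(lines):
    """{process: set of distinct indicators it wrote}"""
    hits = defaultdict(set)
    for process, path, value in parse_events(lines):
        key = classify(path, value)
        if key is not None:
            hits[process].add(key)
    return dict(hits)


def flag_processes(lines, min_indicators=3):
    """Processes touching at least min_indicators distinct indicators (threshold assumed).
    One toggle stays below the bar; the sample hits most of the list in one burst."""
    return sorted((p, len(s)) for p, s in score_events(lines).items() if len(s) >= min_indicators)


def remediation(lines):
    """reg.exe commands restoring the default of every tampered value seen."""
    cmds = set()
    for _process, path, value in parse_events(lines):
        key = classify(path, value)
        if key is None:
            continue
        hive_path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
        parent, _, name = hive_path.rpartition("\\")
        safe = "1" if TAMPER_INDICATORS[key] == "0" else "0"
        cmds.add(f'reg add "{parent}" /v {name} /t REG_DWORD /d {safe} /f')
    return sorted(cmds)


if __name__ == "__main__":
    events = SAMPLE_EVENTS.splitlines()
    print("flagged:", flag_processes(events))
    print("\n".join(remediation(events)))
```

Matching on the normalised path means the WOW6432Node writes the sample makes from its 32-bit image score the same as native ones; the remediation keeps the original path so the value is restored in the view where it was actually written.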
Processes

Each entry: [depth] image  command line  PID, with the signatures that fired for that process listed beneath it.

[1] C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:796
[1] C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:804
[1] C:\Windows\system32\dwm.exe  "dwm.exe"  PID:384
[1] C:\Windows\system32\sihost.exe  sihost.exe  PID:852
[1] C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2508
[1] C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:3108
[1] C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3376
    [2] C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0768fbb50e2e83bc87248cc48e36dc3c3b6f22cf59ac1ee9dd3e8a60e22792b1N.dll,#1  PID:3164
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0768fbb50e2e83bc87248cc48e36dc3c3b6f22cf59ac1ee9dd3e8a60e22792b1N.dll,#1  PID:1856
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\e57a78a.exe  C:\Users\Admin\AppData\Local\Temp\e57a78a.exe  PID:4844
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] C:\Users\Admin\AppData\Local\Temp\e57a9ad.exe  C:\Users\Admin\AppData\Local\Temp\e57a9ad.exe  PID:4520
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            [4] C:\Users\Admin\AppData\Local\Temp\e57c64d.exe  C:\Users\Admin\AppData\Local\Temp\e57c64d.exe  PID:1452
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            [4] C:\Users\Admin\AppData\Local\Temp\e57c66d.exe  C:\Users\Admin\AppData\Local\Temp\e57c66d.exe  PID:1836
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
[1] C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3552
[1] C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3740
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3832
[1] C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3896
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3980
[1] C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3416
[1] C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4508
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:3824
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 6bb039a128a6cae725228f0e17d1d8ac
SHA1: f63a861fb8aeaca2b02b70c081748d66b5158cc0
SHA256: f25ebab916af2f5364999430726147f60e9848c949df2f41cc949f4bc762ed8f
SHA512: c48b8a5e4e3689820dc587c07d2e32fe0995056788884e1a4ba13d1945ea36a05a76b83f49367638a75cd2be7f408871fff16ecb3aa4fb59a9b6f294565420ab

Filesize: 257B
MD5: c69a12bb7fd08221172a3ccd8f5c34bc
SHA1: 8bcbbd74803531e0f8c7f0e147d666b5bda0bef7
SHA256: ad2587346901cb2ac74e76fb4698d978fca292ccb727b5a3970568e50b440585
SHA512: 1b28f1c875eda5c16a6fcdb08d57720eaab76689cc67dc5abedd3b3a5ed45cc7d8d27c22a332d805ad6f4e714f7467abdaa038d92fa6a4bcfa6e12f150041a98