Analysis
max time kernel: 19s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2024 19:41
Static task: static1
Behavioral task: behavioral1
Sample: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
Resource: win7-20240903-en
General
Target: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
Size: 1.6MB
MD5: 607ee92a3b80545833c68f3a7616af40
SHA1: 3fa1395e28cc6b13ed988540d603016e1eb26e7d
SHA256: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31
SHA512: 84ce39d4482a7fe5dd1ca71f05ecc7ef5c752bf3785be192ae229afd0688a94b36e95a1b89b274ced7599f74da1a942c95b4a473951cd37b81a235deb2792771
SSDEEP: 49152:4L7VbCRbECQozfZEbEUd/dRDFwdkRtNWxPN:M7VuRbEGEgUp56kncH
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Possible privilege escalation attempt 4 IoCs
Processes: icacls.exe, takeown.exe, takeown.exe, icacls.exe
  - pid 2064  icacls.exe
  - pid 2288  takeown.exe
  - pid 1684  takeown.exe
  - pid 1756  icacls.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 7Loader.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Executes dropped EXE 3 IoCs
Processes: EvoActivacion7.exe, 7Loader.exe, bootsect.exe
  - pid 2808  EvoActivacion7.exe
  - pid 1356  7Loader.exe
  - pid 2632  bootsect.exe
Loads dropped DLL 2 IoCs
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, cmd.exe
  - pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - pid 2812  cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, takeown.exe, icacls.exe, icacls.exe
  - pid 1684  takeown.exe
  - pid 2288  takeown.exe
  - pid 1756  icacls.exe
  - pid 2064  icacls.exe
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - File opened (read-only): \??\J:
  - File opened (read-only): \??\L:
  - File opened (read-only): \??\O:
  - File opened (read-only): \??\P:
  - File opened (read-only): \??\G:
  - File opened (read-only): \??\E:
  - File opened (read-only): \??\H:
  - File opened (read-only): \??\R:
  - File opened (read-only): \??\S:
  - File opened (read-only): \??\I:
  - File opened (read-only): \??\K:
  - File opened (read-only): \??\M:
  - File opened (read-only): \??\N:
  - File opened (read-only): \??\Q:
Processes:
  resource / yara_rule:
  - behavioral1/memory/3000-1-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-4-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-7-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-12-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-26-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-25-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-11-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-10-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-6-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-5-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-3-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/3000-46-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/files/0x0008000000015f71-57.dat  upx
  - behavioral1/memory/1356-59-0x0000000000400000-0x0000000000623000-memory.dmp  upx
  - behavioral1/memory/3000-123-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
  - behavioral1/memory/1356-195-0x0000000000400000-0x0000000000623000-memory.dmp  upx
  - behavioral1/memory/3000-239-0x0000000001EB0000-0x0000000002F3E000-memory.dmp  upx
Drops file in Windows directory 1 IoCs
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - File opened for modification: C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: icacls.exe, cmd.exe, icacls.exe, cmd.exe, takeown.exe, bootsect.exe, 7Loader.exe, takeown.exe, cmd.exe, compact.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, compact.exe, cmd.exe, cmd.exe, 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, EvoActivacion7.exe, cmd.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (one row per process, in the order listed above: icacls.exe, cmd.exe, icacls.exe, cmd.exe, takeown.exe, bootsect.exe, 7Loader.exe, takeown.exe, cmd.exe, compact.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, compact.exe, cmd.exe, cmd.exe, 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, EvoActivacion7.exe, cmd.exe)
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, 7Loader.exe
  - pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - pid 1356  7Loader.exe
  - pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, takeown.exe, takeown.exe
  (identical consecutive rows are collapsed with a count)
  - Token: SeDebugPrivilege  pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe  (x22)
  - Token: SeTakeOwnershipPrivilege  pid 1684  takeown.exe
  - Token: SeTakeOwnershipPrivilege  pid 2288  takeown.exe
  - Token: SeDebugPrivilege  pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe  (x3)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 7Loader.exe
  - pid 1356  7Loader.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, EvoActivacion7.exe, cmd.exe, 7Loader.exe, cmd.exe, cmd.exe, cmd.exe
  (description / pid / process / procid_target; identical consecutive rows are collapsed with a count)
  - PID 3000 wrote to memory of 1112  pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe  target 19
  - PID 3000 wrote to memory of 1168  pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe  target 20
  - PID 3000 wrote to memory of 1216  pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe  target 21
  - PID 3000 wrote to memory of 1068  pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe  target 25
  - PID 3000 wrote to memory of 2808  pid 3000  3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe  target 30  (x7)
  - PID 2808 wrote to memory of 2812  pid 2808  EvoActivacion7.exe  target 31  (x7)
  - PID 2812 wrote to memory of 1356  pid 2812  cmd.exe  target 33  (x7)
  - PID 1356 wrote to memory of 1516  pid 1356  7Loader.exe  target 35  (x7)
  - PID 1516 wrote to memory of 756  pid 1516  cmd.exe  target 37  (x7)
  - PID 756 wrote to memory of 1684  pid 756  cmd.exe  target 38  (x7)
  - PID 1356 wrote to memory of 1380  pid 1356  7Loader.exe  target 39  (x7)
  - PID 1380 wrote to memory of 1756  pid 1380  cmd.exe  target 41  (x7)
  - PID 1356 wrote to memory of 2100  pid 1356  7Loader.exe  target 42  (x4)
System policy modification 1 TTPs 1 IoCs
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
(bracketed number = depth in the process tree; indentation follows the parent process)
[1] C:\Windows\system32\taskhost.exe
    cmdline: "taskhost.exe"
    PID: 1112
[1] C:\Windows\system32\Dwm.exe
    cmdline: "C:\Windows\system32\Dwm.exe"
    PID: 1168
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 1216
  [2] C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 3000
    [3] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2808
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Activar.cmd" "
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2812
        [5] C:\Users\Admin\AppData\Local\Temp\RarSFX0\7Loader.exe
            cmdline: 7Loader.exe /silent /norestart /l=Default
            - Checks BIOS information in registry
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            PID: 1356
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1516
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: cmd.exe /c takeown /f C:\ldrscan\bootwin
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 756
              [8] C:\Windows\SysWOW64\takeown.exe
                  cmdline: takeown /f C:\ldrscan\bootwin
                  - Possible privilege escalation attempt
                  - Modifies file permissions
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1684
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1380
            [7] C:\Windows\SysWOW64\icacls.exe
                cmdline: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
                - Possible privilege escalation attempt
                - Modifies file permissions
                - System Location Discovery: System Language Discovery
                PID: 1756
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
              - System Location Discovery: System Language Discovery
              PID: 2100
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: cmd.exe /c takeown /f C:\ldrscan\bootwin
                - System Location Discovery: System Language Discovery
                PID: 2552
              [8] C:\Windows\SysWOW64\takeown.exe
                  cmdline: takeown /f C:\ldrscan\bootwin
                  - Possible privilege escalation attempt
                  - Modifies file permissions
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2288
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
              - System Location Discovery: System Language Discovery
              PID: 2136
            [7] C:\Windows\SysWOW64\icacls.exe
                cmdline: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
                - Possible privilege escalation attempt
                - Modifies file permissions
                - System Location Discovery: System Language Discovery
                PID: 2064
          [6] C:\Windows\system32\cmd.exe
              cmdline: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc C:\Acer.XRM-MS"
              PID: 2396
            [7] C:\Windows\System32\cscript.exe
                cmdline: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc C:\Acer.XRM-MS
                PID: 2152
          [6] C:\Windows\system32\cmd.exe
              cmdline: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
              PID: 2992
            [7] C:\Windows\System32\cscript.exe
                cmdline: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
                PID: 1816
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "compact /u \\?\Volume{c21bc463-69ed-11ef-8091-806e6f6e6963}\JVCZD"
              - System Location Discovery: System Language Discovery
              PID: 1600
            [7] C:\Windows\SysWOW64\compact.exe
                cmdline: compact /u \\?\Volume{c21bc463-69ed-11ef-8091-806e6f6e6963}\JVCZD
                - System Location Discovery: System Language Discovery
                PID: 1608
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "compact /u \\?\Volume{c21bc463-69ed-11ef-8091-806e6f6e6963}\win7.ld"
              - System Location Discovery: System Language Discovery
              PID: 2728
            [7] C:\Windows\SysWOW64\compact.exe
                cmdline: compact /u \\?\Volume{c21bc463-69ed-11ef-8091-806e6f6e6963}\win7.ld
                - System Location Discovery: System Language Discovery
                PID: 2860
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
              - System Location Discovery: System Language Discovery
              PID: 2908
            [7] C:\bootsect.exe
                cmdline: C:\bootsect.exe /nt60 SYS /force
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 2632
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1068
[1] C:\Windows\system32\conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe "14287114651343469193-95493416-7742419472609301471288596822-816168527-1712165327"
    PID: 2768
[1] C:\Windows\system32\conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe "1459062663-447694737-27071981886118990-691384508-771459141726050493-818143330"
    PID: 1544
Network
MITRE ATT&CK Enterprise v15
(number in parentheses = count of matched signatures)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  File and Directory Permissions Modification (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
- Filesize: 2KB
  MD5: f25832af6a684360950dbb15589de34a
  SHA1: 17ff1d21005c1695ae3dcbdc3435017c895fff5d
  SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
  SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f
- Filesize: 1.3MB
  MD5: 01a9427df69a25ccbe085d9be14a2762
  SHA1: 52c2a67c6f23b0b050908a4456b0c5118a1914ce
  SHA256: 3f81b56dc4a051a1d408170400246a8769f84855909d2a60769dc36852356861
  SHA512: 18be26ecf333a3a40174504128870e9717b193a8bb6eacf86d6551a44991b4e646ce7005f7a38d5284d12f97e9218c12df406140a932d3f764c3e33feab4c5bb
- Filesize: 2.9MB
  MD5: 935576e21ffaf90ef782fed90c3421ff
  SHA1: 6f75e0932cdb4ab98667684c6868932d571de4e9
  SHA256: c496c0e03fcfcb126a92121cf431df6a8b77e15f5ba4cf7e230492f9d18ff470
  SHA512: 2fa5d341901519f1f8bc0cd0c2007871923c7e7e4ad73833e49db7557bfdec2fbcdecdd4a1789f4c99d140fcc0791a83981b70cd72747f41d39c6eaa03c4e3c3
- Filesize: 397B
  MD5: a2c3e139951719f09e483a37235f683f
  SHA1: 34590ad5c3e9e310491b9ac891071c58c5cf7622
  SHA256: 6135c3af068b400d2adef197ff7a8cf428e5f1ae7f5af6ed944333b6c124d89d
  SHA512: c8414c08c8e60fe0dfff4750c921babc452febabb6d064eccd514c9f844931eec74cee2d85d487225522a554281dfd896273d10ee077442a4c43e4b5a44b54c5
- Filesize: 1KB
  MD5: 39a7ffebae676a3aefa7ab87b2ad6dd0
  SHA1: b3fef1ff6aee362b39eb9624555eb58c4b1e05ae
  SHA256: dae98421de4695fbaf827f17b9991a56a5a2c5253ff6408f51aae9357f580a7b
  SHA512: 946fbbe34a817537368bf72e766f038705b261cad2d4a6e8f94f6dce6be24aac08dd9d4a858e6944342f2f760765bcb7817ae6dc77f6c277ae397a1be8424b4d
- Filesize: 8KB
  MD5: f7490dae3d51646651fd17fdf644ec18
  SHA1: 3af9362e812fe8f057b32335a0f7025b4609b495
  SHA256: daaeafa6c595477a799b3d0d623afdbf36a68be3772191b8b375b8da9ec06ba2
  SHA512: 67918e6bc0540b764289890e54d94a816f893aece4fe0377d8b87baeed4fa3b2ce6ac373e2b7f18dba31f6ebb987379afc0aeaa985518248b46fa7588ff3ecf2
- Filesize: 95KB
  MD5: 96132b1a5cc134da9bb138ec44ea968f
  SHA1: ad9aa1a291409fb6f1a9a1f62928396315a0629e
  SHA256: fff54b375c4b5227a80e07988d248b8437626d6a56eacbe0dbf56af5e1a4266b
  SHA512: 770d25dc78696a09894178337ef74409b54a072e2d6567b0d5fd2df37255039371fa1b9db9b8187113f8be10ab242972c15b41829cd5e020eea17594f7a3956f
- Filesize: 415KB
  MD5: a0e88a2817c086d6880c9142101199f0
  SHA1: 89ce9fbf1caf8fd1b9ebe1107a6908dc9fe4064e
  SHA256: 53d1cf9201ea9d44b362b02b139eb0757f9ac111fb79281652975acd5a0c74d1
  SHA512: cbc7b62e3f510902772e1f80b44eeb1ffc16af64fbaf42f92d8a6a53f98742507286d0d0a167b0bacdc37e3f949bc4c97d9cf120dd6a0caf8964ea97f01f4d7f
- Filesize: 20B
  MD5: 7d9fc3b5783fe90ba62c1730eb31d4e7
  SHA1: 506af1d3a866ba450225b6184381b57402ab4672
  SHA256: 70bc1b6f937bceae46847abf82b08cf00f3eb2856a817e9c5a58b915234feda6
  SHA512: 2bc8295f26d0941b1f8b98558cb9531287d772ffc3e4985435cea663f56762466a28a87b54df4ddb7f760b5194548c3a28f50b53e37b6b07d65e32e0e92e093d