Analysis
- max time kernel: 117s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2024 19:41

Static task: static1
Behavioral task: behavioral1
- Sample: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Resource: win7-20240903-en
General
- Target: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Size: 1.6MB
- MD5: 607ee92a3b80545833c68f3a7616af40
- SHA1: 3fa1395e28cc6b13ed988540d603016e1eb26e7d
- SHA256: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31
- SHA512: 84ce39d4482a7fe5dd1ca71f05ecc7ef5c752bf3785be192ae229afd0688a94b36e95a1b89b274ced7599f74da1a942c95b4a473951cd37b81a235deb2792771
- SSDEEP: 49152:4L7VbCRbECQozfZEbEUd/dRDFwdkRtNWxPN:M7VuRbEGEgUp56kncH
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
7Loader.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation
EvoActivacion7.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 2 IoCs
Processes:
- PID 2948: EvoActivacion7.exe
- PID 2892: 7Loader.exe
Windows security modification
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Checks whether UAC is enabled
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- File opened (read-only): \??\O:, \??\S:, \??\T:, \??\G:, \??\H:, \??\J:, \??\K:, \??\M:, \??\I:, \??\V:, \??\W:, \??\L:, \??\N:, \??\R:, \??\Z:, \??\Y:, \??\E:, \??\P:, \??\Q:, \??\U:, \??\X:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- File opened for modification: C:\autorun.inf
- File opened for modification: F:\autorun.inf
YARA rule matches (rule: upx)
- behavioral2/memory/2676-3-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-5-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-12-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-16-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-11-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-7-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-4-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-10-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-6-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-36-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2676-37-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/files/0x0008000000023441-41.dat
- behavioral2/memory/2892-43-0x0000000000400000-0x0000000000623000-memory.dmp
- behavioral2/memory/2676-109-0x0000000002330000-0x00000000033BE000-memory.dmp
- behavioral2/memory/2892-128-0x0000000000400000-0x0000000000623000-memory.dmp
Drops file in Program Files directory 11 IoCs
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe
Drops file in Windows directory 1 IoCs
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- File opened for modification: C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EvoActivacion7.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7Loader.exe)
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (26 entries across two distinct processes):
- PID 2676: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- PID 2892: 7Loader.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (64 entries, all identical):
- Token: SeDebugPrivilege, PID 2676, 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 2892: 7Loader.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 entries; distinct source PID -> target PID pairs, with the report's procid_target index in brackets):
PID 2676, 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, wrote to memory of:
- 768 [8], 776 [9], 60 [13], 2552 [44], 2576 [45], 2796 [51], 3400 [55], 3640 [57], 3820 [58], 3916 [59], 3988 [60], 4076 [61], 3952 [62], 2380 [74], 2936 [76], 2948 [82], 400 [83], 2028 [84], 2892 [85]
PID 2948, EvoActivacion7.exe, wrote to memory of:
- 400 [83]
PID 400, cmd.exe, wrote to memory of:
- 2892 [85]
System policy modification 1 TTPs 1 IoCs
Processes:
3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe", PID 768
- C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe", PID 776
- C:\Windows\system32\dwm.exe, command line: "dwm.exe", PID 60
- C:\Windows\system32\sihost.exe, command line: sihost.exe, PID 2552
- C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 2576
- C:\Windows\system32\taskhostw.exe, command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 2796
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID 3400
  - C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, command line: "C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe", PID 2676
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe, command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe", PID 2948
      Signatures:
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Activar.cmd" ", PID 400
        Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Child processes:
        - C:\Windows\System32\Conhost.exe, command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, PID 2028
        - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7Loader.exe, command line: 7Loader.exe /silent /norestart /l=Default, PID 2892
          Signatures:
          - Checks BIOS information in registry
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 3640
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3820
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3916
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3988
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 4076
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3952
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID 2380
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 2936
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads