Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2024 19:47
Static task: static1
Behavioral task: behavioral1
Sample: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
Resource: win7-20240729-en
General
Target: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
Size: 1.6MB
MD5: 607ee92a3b80545833c68f3a7616af40
SHA1: 3fa1395e28cc6b13ed988540d603016e1eb26e7d
SHA256: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31
SHA512: 84ce39d4482a7fe5dd1ca71f05ecc7ef5c752bf3785be192ae229afd0688a94b36e95a1b89b274ced7599f74da1a942c95b4a473951cd37b81a235deb2792771
SSDEEP: 49152:4L7VbCRbECQozfZEbEUd/dRDFwdkRtNWxPN:M7VuRbEGEgUp56kncH
Malware Config
Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
UAC bypass (1 IoC)
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (6 IoCs)
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
The Wow6432Node path shows these writes came from a 32-bit process on the x64 image: HKLM\SOFTWARE writes from 32-bit code are redirected there by WOW64.
Possible privilege escalation attempt (4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  PID 2196 takeown.exe
  PID 2768 icacls.exe
  PID 2528 takeown.exe
  PID 2388 icacls.exe
These are the two takeown /f C:\ldrscan\bootwin and icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F) pairs in the process tree below. S-1-1-0 is the well-known Everyone SID, so the grant leaves that file fully writable by any account on the machine.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: 7Loader.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Executes dropped EXE (3 IoCs)
Processes: EvoActivacion7.exe, 7Loader.exe, bootsect.exe
  PID 2604 EvoActivacion7.exe
  PID 2880 7Loader.exe
  PID 3036 bootsect.exe

Loads dropped DLL (2 IoCs)
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, cmd.exe
  PID 2232 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  PID 1884 cmd.exe

Modifies file permissions (1 TTPs, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  PID 2196 takeown.exe
  PID 2768 icacls.exe
  PID 2528 takeown.exe
  PID 2388 icacls.exe
Windows security modification (7 IoCs)
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"

Checks whether UAC is enabled (1 IoC)
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  File opened (read-only): \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:
UPX packed file (17 IoCs)
yara rule: upx
  behavioral1/memory/2232-3-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-4-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-5-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-6-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-7-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-8-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-9-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-10-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-11-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-27-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-28-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-35-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-126-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/memory/2232-241-0x0000000001DB0000-0x0000000002E3E000-memory.dmp
  behavioral1/files/0x0008000000016e09-58.dat
  behavioral1/memory/2880-61-0x0000000000400000-0x0000000000623000-memory.dmp
  behavioral1/memory/2880-197-0x0000000000400000-0x0000000000623000-memory.dmp
Every match in the sample (PID 2232) is the same region, 0x01DB0000-0x02E3E000 (about 16.5 MB), well above the usual 0x00400000 image base, and it is dumped repeatedly over the run; the matches in 7Loader.exe (PID 2880) cover its image at 0x00400000-0x00623000.
Drops file in Windows directory (1 IoC)
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  File opened for modification C:\Windows\SYSTEM.INI

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
  cmd.exe (10 instances), takeown.exe (2), icacls.exe (2), compact.exe (2), bootsect.exe, 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, EvoActivacion7.exe, 7Loader.exe
Nearly every process in the tree, including the stock command-line tools, opens this key, so in this report it carries no signal on its own.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, 7Loader.exe
  PID 2232 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  PID 2880 7Loader.exe
  PID 2232 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe

Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, takeown.exe, takeown.exe
  Token: SeDebugPrivilege, PID 2232 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe (26 times)
  Token: SeTakeOwnershipPrivilege, PID 2196 takeown.exe
  Token: SeTakeOwnershipPrivilege, PID 2528 takeown.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Process: 7Loader.exe
  PID 2880 7Loader.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, EvoActivacion7.exe, cmd.exe, 7Loader.exe, cmd.exe, cmd.exe, cmd.exe
writer PID -> target PID (writer image, procid_target), number of events:
  2232 -> 1116 (3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, 19), 1
  2232 -> 1164 (3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, 20), 1
  2232 -> 1236 (3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, 21), 1
  2232 -> 1516 (3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, 25), 1
  2232 -> 2604 (3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe, 31), 7
  2604 -> 1884 (EvoActivacion7.exe, 32), 7
  1884 -> 2880 (cmd.exe, 34), 7
  2880 -> 2100 (7Loader.exe, 36), 7
  2100 -> 1424 (cmd.exe, 38), 7
  1424 -> 2196 (cmd.exe, 39), 7
  2880 -> 1924 (7Loader.exe, 40), 7
  1924 -> 2768 (cmd.exe, 42), 7
  2880 -> 1692 (7Loader.exe, 43), 4
The first four entries are the ones to look at: PIDs 1116, 1164, 1236 and 1516 are taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, which were already running and are not children of 2232 (Explorer.EXE is in fact its parent), so these are writes into other processes' memory. Every remaining entry is a parent writing into a child it has just started, as the process tree below shows, and is consistent with ordinary process creation.
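Sixty-four WriteProcessMemory events look alarming, but most of them are a parent setting up the child it is starting. The following is an added example, not code from the sandbox or from this report, that reconciles "wrote to memory of" lines with a process tree and keeps only the writes whose target the writer did not create. PROCESS_TREE and WRITE_LINES are constructed from this report (the sample's file name is shortened to sample.exe, and only part of the 64 events is reproduced); the Proc type and the function names are this example's own.

```python
"""Separate creation-time WriteProcessMemory events from writes into processes
the writer did not create.

Added example, not code from the sandbox or from this report.  PROCESS_TREE and
WRITE_LINES are constructed from this report's process tree and its 'wrote to
memory of' IoCs (sample name shortened to sample.exe; only part of the 64 events
is reproduced).
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]  # None: already running before the sample started
    image: str


# PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_write(line: str) -> Optional[Tuple[int, int, str]]:
    """(writer pid, target pid, writer image), or None for any other IoC line."""
    m = WRITE_RE.match(line.strip())
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None


def edge_counts(lines: List[str]) -> Counter:
    """Number of write events per (writer pid, target pid) pair."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_write(line)
        if parsed:
            counts[(parsed[0], parsed[1])] += 1
    return counts


def find_injections(tree: List[Proc], lines: List[str]) -> Dict[int, Tuple[int, int, str]]:
    """target pid -> (writer pid, event count, target image) for every write whose
    writer is not the target's parent.  CreateProcess writes the new process's
    startup data into it, so parent-to-child writes are expected; a write into any
    other process (here: already-running system processes) is what to investigate."""
    parent_of = {p.pid: p.ppid for p in tree}
    image_of = {p.pid: p.image for p in tree}
    flagged: Dict[int, Tuple[int, int, str]] = {}
    for (writer, target), n in edge_counts(lines).items():
        if parent_of.get(target) != writer:
            flagged[target] = (writer, n, image_of.get(target, "<not in tree>"))
    return flagged


# Constructed from this report's process tree (PID, parent PID, image).
PROCESS_TREE = [
    Proc(1116, None, "taskhost.exe"),
    Proc(1164, None, "Dwm.exe"),
    Proc(1236, None, "Explorer.EXE"),
    Proc(1516, None, "DllHost.exe"),
    Proc(2232, 1236, "sample.exe"),
    Proc(2604, 2232, "EvoActivacion7.exe"),
    Proc(1884, 2604, "cmd.exe"),
    Proc(2880, 1884, "7Loader.exe"),
]

# Constructed from this report's WriteProcessMemory IoCs: four single writes into
# pre-existing processes, then the seven-event bursts that accompany each child start.
WRITE_LINES = (
    [
        "PID 2232 wrote to memory of 1116 2232 sample.exe 19",
        "PID 2232 wrote to memory of 1164 2232 sample.exe 20",
        "PID 2232 wrote to memory of 1236 2232 sample.exe 21",
        "PID 2232 wrote to memory of 1516 2232 sample.exe 25",
    ]
    + ["PID 2232 wrote to memory of 2604 2232 sample.exe 31"] * 7
    + ["PID 2604 wrote to memory of 1884 2604 EvoActivacion7.exe 32"] * 7
    + ["PID 1884 wrote to memory of 2880 1884 cmd.exe 34"] * 7
)

if __name__ == "__main__":
    for target, (writer, n, image) in sorted(find_injections(PROCESS_TREE, WRITE_LINES).items()):
        print(f"PID {writer} -> PID {target} ({image}): {n} write(s), target is not the writer's child")
```

Run on the constructed data this leaves exactly the four system processes (1116, 1164, 1236, 1516) and drops the 21 creation-time writes. The parent check only removes what process creation explains; a parent can also inject into a child it created, so the events that survive are the ones to triage first, not the only ones that can matter.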
System policy modification (1 TTPs, 1 IoC)
Process: 3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
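The registry IoCs in the signatures above are the reusable part of this report: the same ten values turn up whenever a sample switches off the Windows firewall, UAC and Security Center notifications. Here is an added example, not the sandbox's signature code and not from the report, that parses "Set value" lines in the format this report prints and labels the ones that impair a defence with the ATT&CK technique the MITRE section below lists. The sample lines are constructed from this report's IoCs with the process name shortened to sample.exe; the rule table, the values it treats as hostile and the technique IDs are this example's own mapping.

```python
"""Flag defence-impairing registry writes in sandbox 'Set value' IoC lines.

Added example: not part of the sandbox report and not the sandbox's own
signature logic.  SAMPLE_LINES are constructed from this report's IoCs with
the process name shortened to sample.exe; IMPAIRMENT_RULES and its ATT&CK
labels are this example's own mapping.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class RegWrite(NamedTuple):
    key_path: str     # registry key without the value name
    value_name: str
    data: str         # written data exactly as the report prints it
    process: str


# Set value (int) \REGISTRY\MACHINE\...\ValueName = "0" process.exe
# The path group is lazy because key names may contain spaces ("Security Center").
SET_VALUE_RE = re.compile(
    r'^Set value \(\w+\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)

# (key suffix, value name) -> (data meaning "defence impaired", ATT&CK technique).
# Matching on a suffix ignores the Wow6432Node prefix, so writes redirected from
# 32-bit processes (as in this report) and native 64-bit writes both match.
FIREWALL = "T1562.004 Disable or Modify System Firewall"
TOOLS = "T1562.001 Disable or Modify Tools"
UAC = "T1548.002 Bypass User Account Control"
IMPAIRMENT_RULES: Dict[Tuple[str, str], Tuple[str, str]] = {
    (r"FirewallPolicy\StandardProfile", "EnableFirewall"): ("0", FIREWALL),
    (r"FirewallPolicy\StandardProfile", "DoNotAllowExceptions"): ("0", FIREWALL),
    (r"FirewallPolicy\StandardProfile", "DisableNotifications"): ("1", FIREWALL),
    (r"Policies\System", "EnableLUA"): ("0", UAC),
    (r"Microsoft\Security Center", "AntiVirusOverride"): ("1", TOOLS),
    (r"Microsoft\Security Center", "AntiVirusDisableNotify"): ("1", TOOLS),
    (r"Microsoft\Security Center", "FirewallOverride"): ("1", TOOLS),
    (r"Microsoft\Security Center", "FirewallDisableNotify"): ("1", TOOLS),
    (r"Microsoft\Security Center", "UacDisableNotify"): ("1", TOOLS),
    (r"Microsoft\Security Center", "UpdatesDisableNotify"): ("1", TOOLS),
}


def parse_set_value(line: str) -> Optional[RegWrite]:
    """RegWrite for a 'Set value' line; None for 'Key created', queries, etc."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    key_path, _, value_name = m.group("path").rpartition("\\")
    return RegWrite(key_path, value_name, m.group("data"), m.group("proc"))


def classify(write: RegWrite) -> Optional[str]:
    """Technique label if the write impairs a defence, else None (the data is
    compared too: EnableLUA = "1" is someone turning UAC back on)."""
    key_l = write.key_path.lower()
    for (suffix, name), (bad_data, technique) in IMPAIRMENT_RULES.items():
        if write.value_name.lower() == name.lower() and key_l.endswith(suffix.lower()):
            return technique if write.data == bad_data else None
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(process, value name, data, technique) for every impairing write."""
    hits = []
    for line in lines:
        write = parse_set_value(line)
        technique = classify(write) if write else None
        if technique:
            hits.append((write.process, write.value_name, write.data, technique))
    return hits


def summarize(lines: List[str]) -> Counter:
    """Impairing writes per technique."""
    return Counter(hit[3] for hit in scan(lines))


# Constructed from this report's IoCs.  The last two lines are benign controls:
# a 'Key created' event (not a write) and EnableLUA being set back to 1.
SC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
LUA = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
SAMPLE_LINES = [
    f'Set value (int) {FW}\\DoNotAllowExceptions = "0" sample.exe',
    f'Set value (int) {FW}\\DisableNotifications = "1" sample.exe',
    f'Set value (int) {FW}\\EnableFirewall = "0" sample.exe',
    f'Set value (int) {LUA} = "0" sample.exe',
    f'Set value (int) {SC}\\UacDisableNotify = "1" sample.exe',
    f'Set value (int) {SC}\\AntiVirusOverride = "1" sample.exe',
    f'Set value (int) {SC}\\AntiVirusDisableNotify = "1" sample.exe',
    f'Set value (int) {SC}\\FirewallDisableNotify = "1" sample.exe',
    f'Set value (int) {SC}\\FirewallOverride = "1" sample.exe',
    f'Set value (int) {SC}\\UpdatesDisableNotify = "1" sample.exe',
    f'Key created {SC}\\Svc sample.exe',
    f'Set value (int) {LUA} = "1" setup.exe',
]

if __name__ == "__main__":
    for proc, name, data, technique in scan(SAMPLE_LINES):
        print(f"{proc:10} {name:22} = {data} -> {technique}")
    print(dict(summarize(SAMPLE_LINES)))
```

On the constructed input this yields ten hits (3 firewall, 1 UAC, 6 Security Center) and ignores the two controls. Comparing the written data, not just the value name, is what keeps a remediation script that sets EnableLUA back to 1 out of the results; the suffix match is what lets the same table serve both the Wow6432Node path seen here and the native 64-bit path.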
Processes
(depth in brackets; children are indented under their parent; signature hits listed under each process)

[1] C:\Windows\system32\taskhost.exe
    cmdline: "taskhost.exe"
    PID: 1116
[1] C:\Windows\system32\Dwm.exe
    cmdline: "C:\Windows\system32\Dwm.exe"
    PID: 1164
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 1236
  [2] C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe"
      PID: 2232
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe"
        PID: 2604
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Activar.cmd" "
          PID: 1884
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\RarSFX0\7Loader.exe
            cmdline: 7Loader.exe /silent /norestart /l=Default
            PID: 2880
            - Checks BIOS information in registry
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
              PID: 2100
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: cmd.exe /c takeown /f C:\ldrscan\bootwin
                PID: 1424
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\takeown.exe
                  cmdline: takeown /f C:\ldrscan\bootwin
                  PID: 2196
                  - Possible privilege escalation attempt
                  - Modifies file permissions
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
              PID: 1924
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\icacls.exe
                cmdline: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
                PID: 2768
                - Possible privilege escalation attempt
                - Modifies file permissions
                - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
              PID: 1692
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: cmd.exe /c takeown /f C:\ldrscan\bootwin
                PID: 2176
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\takeown.exe
                  cmdline: takeown /f C:\ldrscan\bootwin
                  PID: 2528
                  - Possible privilege escalation attempt
                  - Modifies file permissions
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
              PID: 2964
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\icacls.exe
                cmdline: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
                PID: 2388
                - Possible privilege escalation attempt
                - Modifies file permissions
                - System Location Discovery: System Language Discovery
          [6] C:\Windows\system32\cmd.exe
              cmdline: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc C:\Acer.XRM-MS"
              PID: 2132
            [7] C:\Windows\System32\cscript.exe
                cmdline: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc C:\Acer.XRM-MS
                PID: 3048
          [6] C:\Windows\system32\cmd.exe
              cmdline: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
              PID: 2412
            [7] C:\Windows\System32\cscript.exe
                cmdline: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
                PID: 1608
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "compact /u \\?\Volume{e4371563-4e0c-11ef-9324-806e6f6e6963}\IDNEZ"
              PID: 3016
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\compact.exe
                cmdline: compact /u \\?\Volume{e4371563-4e0c-11ef-9324-806e6f6e6963}\IDNEZ
                PID: 1592
                - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "compact /u \\?\Volume{e4371563-4e0c-11ef-9324-806e6f6e6963}\win7.ld"
              PID: 2660
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\compact.exe
                cmdline: compact /u \\?\Volume{e4371563-4e0c-11ef-9324-806e6f6e6963}\win7.ld
                PID: 2668
                - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
              PID: 2140
              - System Location Discovery: System Language Discovery
            [7] C:\bootsect.exe
                cmdline: C:\bootsect.exe /nt60 SYS /force
                PID: 3036
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1516
[1] C:\Windows\system32\conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe "-323740477-11744991171875798460231698741-412353875-807793364-6337253431538962007"
    PID: 1132
[1] C:\Windows\system32\conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe "-1960139821-517742370-6138820081379078031539656376-611659170987059073-1023113470"
    PID: 640

Reading the tree: the sample (PID 2232), from which the Sality configuration above was extracted, is the process that disables the firewall, UAC and Security Center notifications and writes into the already-running taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe. Everything below EvoActivacion7.exe is the host program it was attached to, a Windows 7 activation tool: it takes ownership of and opens permissions on C:\ldrscan\bootwin, installs a licence certificate and product key through slmgr.vbs (-ilc, -ipk), decompresses two files on the system volume with compact /u, and rewrites the system partition's boot code with bootsect /nt60 SYS /force. Those steps are unwanted on a managed machine but are not the Sality behaviour; the two should be triaged separately.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  File and Directory Permissions Modification (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 2KB
MD5: f25832af6a684360950dbb15589de34a
SHA1: 17ff1d21005c1695ae3dcbdc3435017c895fff5d
SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Filesize: 2.9MB
MD5: 935576e21ffaf90ef782fed90c3421ff
SHA1: 6f75e0932cdb4ab98667684c6868932d571de4e9
SHA256: c496c0e03fcfcb126a92121cf431df6a8b77e15f5ba4cf7e230492f9d18ff470
SHA512: 2fa5d341901519f1f8bc0cd0c2007871923c7e7e4ad73833e49db7557bfdec2fbcdecdd4a1789f4c99d140fcc0791a83981b70cd72747f41d39c6eaa03c4e3c3

Filesize: 397B
MD5: a2c3e139951719f09e483a37235f683f
SHA1: 34590ad5c3e9e310491b9ac891071c58c5cf7622
SHA256: 6135c3af068b400d2adef197ff7a8cf428e5f1ae7f5af6ed944333b6c124d89d
SHA512: c8414c08c8e60fe0dfff4750c921babc452febabb6d064eccd514c9f844931eec74cee2d85d487225522a554281dfd896273d10ee077442a4c43e4b5a44b54c5

Filesize: 1KB
MD5: 39a7ffebae676a3aefa7ab87b2ad6dd0
SHA1: b3fef1ff6aee362b39eb9624555eb58c4b1e05ae
SHA256: dae98421de4695fbaf827f17b9991a56a5a2c5253ff6408f51aae9357f580a7b
SHA512: 946fbbe34a817537368bf72e766f038705b261cad2d4a6e8f94f6dce6be24aac08dd9d4a858e6944342f2f760765bcb7817ae6dc77f6c277ae397a1be8424b4d

Filesize: 8KB
MD5: f7490dae3d51646651fd17fdf644ec18
SHA1: 3af9362e812fe8f057b32335a0f7025b4609b495
SHA256: daaeafa6c595477a799b3d0d623afdbf36a68be3772191b8b375b8da9ec06ba2
SHA512: 67918e6bc0540b764289890e54d94a816f893aece4fe0377d8b87baeed4fa3b2ce6ac373e2b7f18dba31f6ebb987379afc0aeaa985518248b46fa7588ff3ecf2

Filesize: 95KB
MD5: ca56a75b218a00f77e3b720714abdc36
SHA1: e6882d357dadf852aec5a7abd18f13e05bfe3adc
SHA256: 51af2667f4113eca50f44149c0f79dfcea1f8b454feeb4b0dcb48b3c367cba85
SHA512: 02a4f535dffa899051d58e1a0ace099a5d960f19facc31cebdaae9599498d5be5ff4e6103c622d7ba9f2db68e510fdb793c8f26017d113109aadbbd3b75ebf0d

Filesize: 379KB
MD5: f2043418249cc86fca6cda5332876a9b
SHA1: 7bc77bfeff2de57cf9d0ad27a4a43553303d39e6
SHA256: e31777c42c5b6e61d08713f0b26d6d5d2028940ce43ee1fdd5d83d503cc598c8
SHA512: 8c893e29a6971aa3d8b60c58d8ca9e946714d3d95704398050d10816f862d882c88b68309b93cd5b6a7dca8aa46893aba2b73b56218009ac6e35755a1abbca1c

Filesize: 20B
MD5: 9411ea6ebe5daff0f81deedee1c46a07
SHA1: 0fab2f93a1b1ed1aadf54d5b6c3547a437c0d314
SHA256: 92e0bfb203e147a6292dc5f1513cbc2d156a1cf96288c2a6db69fd2f8681b656
SHA512: a8024681d28d576665abbdc24a704f5b9160d87f1a82251b31ee058d2f5fc588bf3e521a5c362f182dc4c0e25d8a724db28548d7e92d2a718cdb270ba9cdf5d6

Filesize: 1.3MB
MD5: 01a9427df69a25ccbe085d9be14a2762
SHA1: 52c2a67c6f23b0b050908a4456b0c5118a1914ce
SHA256: 3f81b56dc4a051a1d408170400246a8769f84855909d2a60769dc36852356861
SHA512: 18be26ecf333a3a40174504128870e9717b193a8bb6eacf86d6551a44991b4e646ce7005f7a38d5284d12f97e9218c12df406140a932d3f764c3e33feab4c5bb