Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 04/12/2024, 20:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
- Resource: win7-20240729-en
General
- Target: 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
- Size: 2.1MB
- MD5: bee0398363217eaedbdee4b83e5909fd
- SHA1: eeaf4acab9a4d247bb3513110dfffe370301763e
- SHA256: 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622
- SHA512: da608822c3c570f8fe62a10d0b76ed3c706271ff7f22c4ee7c844a5b5e9af48c736d8cf12a393ba3d390e6dd3ed70b26c43a1ab60061812661855fb6183ae22b
- SSDEEP: 49152:qtACGnO8DYVanUCV9RR2z9TRAiuLjFIWgUWPt5lVU0Eo:qtQnOaUC3q9ojMfP00Eo
Malware Config
Extracted
- Family: cybergate
- Version: 2.7 Final
- Botnet: vítima 4shared
- C2: lucasgusmao.no-ip.org:2000
- Mutex: ***MUTEX***
Attributes
- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs/
- ftp_interval: 30
- ftp_password: 123654
- ftp_port: 21
- ftp_server: ftp.server.com
- ftp_username: ftp_user
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: true
- message_box_caption: Falta de DLL ,Instale a DLL e Reinicie o PC... complemento comdl32.ocx
- message_box_title: Error!!!
- password: 123654
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Cybergate family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
File opened for modification | C:\Windows\SysWOW64\1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2380 set thread context of 2140 | 2380 | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe | 30
PID 2140 set thread context of 2164 | 2140 | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe | 31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE

Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer and were touched by IEXPLORE.EXE:
- Set value (int) Main\CompatibilityFlags = "0"
- Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- Set value (int) SearchScopes\DownloadRetries = "3"
- Key created IntelliForms
- Key created LowRegistry\DontShowMeThisDialogAgain
- Key created Toolbar\WebBrowser
- Key created Main
- Key created DomainSuggestion
- Key created LowRegistry
- Key created Zoom
- Key created SearchScopes
- Set value (str) Main\WindowsSearch\Version = "WS not running"
- Key created BrowserEmulation\LowMic
- Key created LowRegistry\DOMStorage
- Key created Toolbar
- Set value (int) Recovery\AdminActive\{36D227F1-B27C-11EF-AD31-F6257521C448} = "0"
- Set value (int) Recovery\PendingRecovery\AdminActive = "0"
- Key created Recovery\AdminActive
- Key created Main\WindowsSearch
- Key created Main
- Key created IETld\LowMic
- Key created PageSetup
- Key created Recovery\PendingRecovery
- Set value (int) Recovery\PendingRecovery\AdminActive = "1"
- Key created GPU
- Key created InternetRegistry
- Set value (str) Main\FullScreen = "no"
- Set value (int) DomainSuggestion\NextUpdateDate = "439505071"

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: 33 | 2380 | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
Token: SeIncBasePriorityPrivilege | 2380 | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
The two entries above alternate throughout all 64 recorded IoCs, every one from PID 2380.

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2164 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2140 | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe (1 entry)
2164 | IEXPLORE.EXE (2 entries)
2608 | IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 2380 wrote to memory of 2140 | 2380 | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe | 30 (8 entries)
PID 2140 wrote to memory of 2164 | 2140 | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe | 31 (11 entries)
PID 2164 wrote to memory of 2608 | 2164 | IEXPLORE.EXE | 32 (4 entries)

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe"
  PID: 2380
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1d4b18074aa3d958adb6f52e8ba7e37cf6bc799d46784734275cf476a2867622.exe
    PID: 2140
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 2164
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:275457 /prefetch:2
        PID: 2608
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads