Analysis
- max time kernel: 31s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/12/2024, 12:57
Static task: static1
Behavioral task: behavioral1
Sample: fb6cbd0395d4be2152d5d02e7260b018c99627175e6f892b6bdff54733a51dccN.dll
Resource: win7-20241010-en
General
- Target: fb6cbd0395d4be2152d5d02e7260b018c99627175e6f892b6bdff54733a51dccN.dll
- Size: 120KB
- MD5: c850cdd9bd068ddc8dec4268c33e7b00
- SHA1: 995a542c22c7d9a94e5a1f79512bc02b0ee0483b
- SHA256: fb6cbd0395d4be2152d5d02e7260b018c99627175e6f892b6bdff54733a51dcc
- SHA512: f543e3b60a64b545802b0d06f59a390a09b8957841a24c4967fe65c0ac345a7bd779f7470251110e8a23a08556be81c1eb6391383fbfe39f54b044f344940021
- SSDEEP: 3072:oouz3qhIgv6n9XHDPY8kwFF26Px3V58D:DAqny9zPYXwfhPx3V58D
Malware Config
Extracted
- family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bf1a.exe
Sality family
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bf1a.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5792e9.exe
Executes dropped EXE 4 IoCs
pid | Process
2388 | e5792e9.exe
4520 | e5793f3.exe
2904 | e57bf1a.exe
3924 | e57bf49.exe
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5792e9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5792e9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bf1a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bf1a.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5792e9.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e5792e9.exe
File opened (read-only) | \??\I: | e5792e9.exe
File opened (read-only) | \??\J: | e5792e9.exe
File opened (read-only) | \??\G: | e57bf1a.exe
File opened (read-only) | \??\H: | e5792e9.exe
File opened (read-only) | \??\M: | e5792e9.exe
File opened (read-only) | \??\N: | e5792e9.exe
File opened (read-only) | \??\H: | e57bf1a.exe
File opened (read-only) | \??\I: | e57bf1a.exe
File opened (read-only) | \??\L: | e5792e9.exe
File opened (read-only) | \??\E: | e57bf1a.exe
File opened (read-only) | \??\G: | e5792e9.exe
File opened (read-only) | \??\K: | e5792e9.exe
File opened (read-only) | \??\J: | e57bf1a.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5792e9.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5792e9.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5792e9.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e579337 | e5792e9.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5792e9.exe
File created | C:\Windows\e57e678 | e57bf1a.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5792e9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5793f3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bf1a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bf49.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2388 | e5792e9.exe
2388 | e5792e9.exe
2388 | e5792e9.exe
2388 | e5792e9.exe
2904 | e57bf1a.exe
2904 | e57bf1a.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bf1a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5792e9.exe
Processes
Each entry is "image path | command line | PID"; indentation shows the parent/child relationship, and matched signatures are listed under the process that triggered them.
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2620
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2744
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3020
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3360
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb6cbd0395d4be2152d5d02e7260b018c99627175e6f892b6bdff54733a51dccN.dll,#1 | PID:3636
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb6cbd0395d4be2152d5d02e7260b018c99627175e6f892b6bdff54733a51dccN.dll,#1 | PID:3820
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5792e9.exe | C:\Users\Admin\AppData\Local\Temp\e5792e9.exe | PID:2388
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5793f3.exe | C:\Users\Admin\AppData\Local\Temp\e5793f3.exe | PID:4520
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57bf1a.exe | C:\Users\Admin\AppData\Local\Temp\e57bf1a.exe | PID:2904
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57bf49.exe | C:\Users\Admin\AppData\Local\Temp\e57bf49.exe | PID:3924
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3536
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3736
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3824
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3884
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3980
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4104
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2296
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3400
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: e1ac356aba37e2f7e64974ef31827596
  SHA1: d708f87bb4088210727eac7687f94a1785300cc5
  SHA256: f2fd236fbf1366ea4686dc0f0e74ea242c1cf4f3509a13220696c290ed396251
  SHA512: 40091ef29110fa343ae6b8a7b74c6a2948b2b890ba5de3a1666c787ecaa0fa103c0b933e716790b5c7bfc87dd5dcd2df470c73ae76845568deafd90d102ce4fe
- Filesize: 257B
  MD5: 9721ba147292037458734e6c5bc51892
  SHA1: f5c3457eec9da656dde3551ac6492897ca263210
  SHA256: 3a99232bf9feee31dcf2384801d9787310608deb780181e299a855c48ae92681
  SHA512: 1ec2fc2e6ea5ce9a6427286ffc12f4e814685cf52741d62b94fdad2c85fbb6ca6cc0e7bfdc076066750687928d75bf94c89772ba6de1d24b7d40afc5a8eaff90