Analysis
- max time kernel: 95s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/12/2024, 15:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll
  - Resource: win7-20240903-en
General
- Target: 4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll
- Size: 120KB
- MD5: 849642da0ca58f0b338ff101c7e813d0
- SHA1: 6f841f89ed15c5e73ef79bcc07056f1d5f3a8640
- SHA256: 4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3c
- SHA512: 9a3d037fd6d0cf8e9ee4e4e6ffbaefaa4843b9446040eb22e61862d7573654c70f064097e742b6a79c7f514581e3b3edd6cc51e8259ea98b02b28515d1cc643c
- SSDEEP: 1536:wAIUPIU68VHeJSlIoj01+jc1E6X5BLE3gLMD6KZmM45EKxM8T854wIoBMM52:QU68ISlIoo13XTE31OOmMWNM2IIouB
Malware Config
Extracted (family: sality)
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e576dec.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578964.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578964.exe
Executes dropped EXE (4 IoCs)
pid | Process
3228 | e576dec.exe
4988 | e576ee6.exe
4492 | e578964.exe
1856 | e578983.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e576dec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578964.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578964.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578964.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e576dec.exe
File opened (read-only) | \??\I: | e576dec.exe
File opened (read-only) | \??\J: | e576dec.exe
File opened (read-only) | \??\L: | e576dec.exe
File opened (read-only) | \??\M: | e576dec.exe
File opened (read-only) | \??\E: | e578964.exe
File opened (read-only) | \??\G: | e578964.exe
File opened (read-only) | \??\E: | e576dec.exe
File opened (read-only) | \??\Q: | e576dec.exe
File opened (read-only) | \??\P: | e576dec.exe
File opened (read-only) | \??\S: | e576dec.exe
File opened (read-only) | \??\G: | e576dec.exe
File opened (read-only) | \??\N: | e576dec.exe
File opened (read-only) | \??\O: | e576dec.exe
File opened (read-only) | \??\R: | e576dec.exe
File opened (read-only) | \??\T: | e576dec.exe
File opened (read-only) | \??\K: | e576dec.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e576dec.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e576dec.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e576dec.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e576dec.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e576e5a | e576dec.exe
File opened for modification | C:\Windows\SYSTEM.INI | e576dec.exe
File created | C:\Windows\e57be20 | e578964.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e576dec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e576ee6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578964.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578983.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3228 | e576dec.exe
3228 | e576dec.exe
3228 | e576dec.exe
3228 | e576dec.exe
4492 | e578964.exe
4492 | e578964.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, all the same entry)
description | pid | Process
Token: SeDebugPrivilege | 3228 | e576dec.exe
Suspicious use of WriteProcessMemory (64 IoCs; distinct entries listed)
description | pid | Process | procid_target
PID 4760 wrote to memory of 4500 | 4760 | rundll32.exe | 82
PID 4500 wrote to memory of 3228 | 4500 | rundll32.exe | 83
PID 3228 wrote to memory of 764 | 3228 | e576dec.exe | 8
PID 3228 wrote to memory of 772 | 3228 | e576dec.exe | 9
PID 3228 wrote to memory of 384 | 3228 | e576dec.exe | 13
PID 3228 wrote to memory of 2424 | 3228 | e576dec.exe | 42
PID 3228 wrote to memory of 2432 | 3228 | e576dec.exe | 43
PID 3228 wrote to memory of 2684 | 3228 | e576dec.exe | 47
PID 3228 wrote to memory of 3524 | 3228 | e576dec.exe | 56
PID 3228 wrote to memory of 3644 | 3228 | e576dec.exe | 57
PID 3228 wrote to memory of 3820 | 3228 | e576dec.exe | 58
PID 3228 wrote to memory of 3916 | 3228 | e576dec.exe | 59
PID 3228 wrote to memory of 3976 | 3228 | e576dec.exe | 60
PID 3228 wrote to memory of 4056 | 3228 | e576dec.exe | 61
PID 3228 wrote to memory of 4144 | 3228 | e576dec.exe | 62
PID 3228 wrote to memory of 4296 | 3228 | e576dec.exe | 75
PID 3228 wrote to memory of 4772 | 3228 | e576dec.exe | 76
PID 3228 wrote to memory of 4760 | 3228 | e576dec.exe | 81
PID 3228 wrote to memory of 4500 | 3228 | e576dec.exe | 82
PID 4500 wrote to memory of 4988 | 4500 | rundll32.exe | 84
PID 4500 wrote to memory of 4492 | 4500 | rundll32.exe | 85
PID 4500 wrote to memory of 1856 | 4500 | rundll32.exe | 86
PID 3228 wrote to memory of 4988 | 3228 | e576dec.exe | 84
PID 3228 wrote to memory of 4492 | 3228 | e576dec.exe | 85
PID 3228 wrote to memory of 1856 | 3228 | e576dec.exe | 86
PID 4492 wrote to memory of 764 | 4492 | e578964.exe | 8
PID 4492 wrote to memory of 772 | 4492 | e578964.exe | 9
PID 4492 wrote to memory of 384 | 4492 | e578964.exe | 13
PID 4492 wrote to memory of 2424 | 4492 | e578964.exe | 42
PID 4492 wrote to memory of 2432 | 4492 | e578964.exe | 43
PID 4492 wrote to memory of 2684 | 4492 | e578964.exe | 47
PID 4492 wrote to memory of 3524 | 4492 | e578964.exe | 56
PID 4492 wrote to memory of 3644 | 4492 | e578964.exe | 57
PID 4492 wrote to memory of 3820 | 4492 | e578964.exe | 58
PID 4492 wrote to memory of 3916 | 4492 | e578964.exe | 59
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e576dec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578964.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 764
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 772
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 384
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2424
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2432
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2684
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3524
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll,#1
    PID: 4760
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll,#1
      PID: 4500
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e576dec.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e576dec.exe
        PID: 3228
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e576ee6.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e576ee6.exe
        PID: 4988
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e578964.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e578964.exe
        PID: 4492
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e578983.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e578983.exe
        PID: 1856
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3644
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3820
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3916
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3976
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4056
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4144
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4296
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4772
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 25b10e1f08436c9277cac2776dfb753d
  SHA1: 1a8cc487dfdf41421248067fccad94fbe184737b
  SHA256: fe180c305f1d63e60222ee35e9e32309af4934a7584909b1fd700618b4de96a0
  SHA512: 00052478ff86018c9f384deca61452b166ad5634fb3388354b1d317cf11cb30fccca366a9ba3822300e5e08983d3f951cdc2de82221fe878f9b90bc1728ceedc
- Filesize: 257B
  MD5: fc22a9d57d0c63c76eb27eefecc25d9a
  SHA1: ed6788072cd19c101705acfcac4577848b375eb1
  SHA256: 2285c97d8475a79c00215a07b40a3296c0591d4eff6bb22a74fda48ba140a170
  SHA512: f73e6a1589c6751b766f203b45dfce6cd05e4138ddc58411d3557eb2e498da3fb80aada60d3d7ec1cd9fdab884448803818c406c4f79e00e66f17ada99ce1716