Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/12/2024, 16:08
Static task
static1
Behavioral tasks
behavioral1: Sample ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe, Resource win7-20240708-en
behavioral2: Sample ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe, Resource win10v2004-20241007-en
behavioral3: Sample $PLUGINSDIR/LangDLL.dll, Resource win7-20240903-en
behavioral4: Sample $PLUGINSDIR/LangDLL.dll, Resource win10v2004-20241007-en
behavioral5: Sample $PLUGINSDIR/ProcDll.dll, Resource win7-20240903-en
behavioral6: Sample $PLUGINSDIR/ProcDll.dll, Resource win10v2004-20241007-en
General
Target: ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Size: 1.0MB
MD5: 14c057aa28de8f08e9ff1498351f6d90
SHA1: ebe3b736756ca6b81752459f02cce257e3381263
SHA256: ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707
SHA512: 070b87e18df1a594c05c65e15fb3c92a99952438635df3c47c871ec2b6366e9488bf5a86e40a530321446a35edc3e85d6fcea71f751ae70797cf4a286b47706a
SSDEEP: 12288:MYEWcMwLfzH5BUdtsKR0yCKM8CxF7h5NGyENSrzXVoGsqACwUeCCbSzVczdDsgcx:MYUk3X5N2FXNGCrZEqACXeCXcdve1D
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Au_.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Deletes itself 1 IoCs
pid | Process
220 | Au_.exe
Executes dropped EXE 1 IoCs
pid | Process
220 | Au_.exe
Loads dropped DLL 2 IoCs
pid | Process
220 | Au_.exe
220 | Au_.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | Au_.exe
resource | yara_rule
behavioral2/memory/4700-1-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-3-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-4-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-7-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-10-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-14-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-13-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-6-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-5-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/4700-21-0x0000000002500000-0x000000000358E000-memory.dmp | upx
behavioral2/memory/220-52-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-51-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-46-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-53-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-55-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-45-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-54-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-43-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-47-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-58-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-57-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-66-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-72-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-73-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-75-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
behavioral2/memory/220-85-0x00000000066B0000-0x000000000773E000-memory.dmp | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Au_.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
220 | Au_.exe
220 | Au_.exe
220 | Au_.exe
220 | Au_.exe
220 | Au_.exe
220 | Au_.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
(all 64 entries are identical to the row above)
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 4700 wrote to memory of 792 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 9
PID 4700 wrote to memory of 800 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 10
PID 4700 wrote to memory of 64 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 13
PID 4700 wrote to memory of 3084 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 51
PID 4700 wrote to memory of 3100 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 52
PID 4700 wrote to memory of 3156 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 53
PID 4700 wrote to memory of 3396 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 56
PID 4700 wrote to memory of 3556 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 57
PID 4700 wrote to memory of 3736 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 58
PID 4700 wrote to memory of 3836 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 59
PID 4700 wrote to memory of 3900 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 60
PID 4700 wrote to memory of 4000 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 61
PID 4700 wrote to memory of 4188 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 62
PID 4700 wrote to memory of 3176 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 74
PID 4700 wrote to memory of 3860 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 76
PID 4700 wrote to memory of 4316 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 77
PID 4700 wrote to memory of 1828 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 78
PID 4700 wrote to memory of 4036 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 83
PID 4700 wrote to memory of 220 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 85
PID 4700 wrote to memory of 220 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 85
PID 4700 wrote to memory of 220 | 4700 | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe | 85
PID 220 wrote to memory of 792 | 220 | Au_.exe | 9
PID 220 wrote to memory of 800 | 220 | Au_.exe | 10
PID 220 wrote to memory of 64 | 220 | Au_.exe | 13
PID 220 wrote to memory of 3084 | 220 | Au_.exe | 51
PID 220 wrote to memory of 3100 | 220 | Au_.exe | 52
PID 220 wrote to memory of 3156 | 220 | Au_.exe | 53
PID 220 wrote to memory of 3396 | 220 | Au_.exe | 56
PID 220 wrote to memory of 3556 | 220 | Au_.exe | 57
PID 220 wrote to memory of 3736 | 220 | Au_.exe | 58
PID 220 wrote to memory of 3836 | 220 | Au_.exe | 59
PID 220 wrote to memory of 3900 | 220 | Au_.exe | 60
PID 220 wrote to memory of 4000 | 220 | Au_.exe | 61
PID 220 wrote to memory of 4188 | 220 | Au_.exe | 62
PID 220 wrote to memory of 3176 | 220 | Au_.exe | 74
PID 220 wrote to memory of 3860 | 220 | Au_.exe | 76
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Processes
(process tree; indentation shows depth, each entry gives image path, command line and PID)
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:792
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:800
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID:64
C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID:3084
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:3100
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:3156
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:3396
    C:\Users\Admin\AppData\Local\Temp\ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe"  PID:4700
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\  PID:220
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Deletes itself
            - Executes dropped EXE
            - Loads dropped DLL
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3556
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3736
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3836
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3900
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:4000
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4188
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:3176
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3860
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4316
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:1828
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:4036
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
Modify Registry (5)
Downloads