Analysis
max time kernel: 34s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/12/2024, 02:09
Static task: static1
Behavioral task: behavioral1
Sample: 0d7b7607847585b60b3e7c788720990aa8e88fb53beba9c46e0094d6c5aec0b8.dll
Resource: win7-20241010-en
General
Target: 0d7b7607847585b60b3e7c788720990aa8e88fb53beba9c46e0094d6c5aec0b8.dll
Size: 120KB
MD5: 8305270161732002036310fdc2b59dba
SHA1: c3f2653b1fbb849158cad1add393900e5b82587e
SHA256: 0d7b7607847585b60b3e7c788720990aa8e88fb53beba9c46e0094d6c5aec0b8
SHA512: 807cf07539f353b050837ab59bca25c11543c892ee84acb1cab113881631556a0177bc54be3fc7b469eb7a3cdf3d465994a5e811f50ef2e3bd3b53cdf514eb67
SSDEEP: 1536:weQ64QvDr7hdNp/Dm2zrmudnIAXZRyPGLfXiH9izYA3zhmqEPuDOyT6REf:wV6Dv/7hdjm2zrmsIsyuLaP2DPmCf
Malware Config
Extracted family: sality
C2 URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57afa9.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e956.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e956.exe
Executes dropped EXE 4 IoCs
pid | Process
4836 | e57afa9.exe
1000 | e57b15e.exe
740 | e57e956.exe
3648 | e57e9d3.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57afa9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57afa9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57e956.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e956.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57afa9.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57afa9.exe
File opened (read-only) | \??\H: | e57e956.exe
File opened (read-only) | \??\G: | e57e956.exe
File opened (read-only) | \??\E: | e57afa9.exe
File opened (read-only) | \??\G: | e57afa9.exe
File opened (read-only) | \??\I: | e57afa9.exe
File opened (read-only) | \??\J: | e57afa9.exe
File opened (read-only) | \??\K: | e57afa9.exe
File opened (read-only) | \??\E: | e57e956.exe
UPX packed file
resource | yara_rule
behavioral2/memory/4836-6-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-8-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-9-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-11-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-24-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-30-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-34-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-35-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-33-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-10-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-36-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-37-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-41-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-44-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-43-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-46-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-59-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-62-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-64-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-66-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-68-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4836-69-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/740-94-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/740-98-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/740-96-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/740-97-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/740-107-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
behavioral2/memory/740-150-0x00000000007C0000-0x000000000187A000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e57afa9.exe
File created | C:\Windows\e5810f3 | e57e956.exe
File created | C:\Windows\e57b006 | e57afa9.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57afa9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b15e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e956.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57e9d3.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4836 | e57afa9.exe
4836 | e57afa9.exe
4836 | e57afa9.exe
4836 | e57afa9.exe
740 | e57e956.exe
740 | e57e956.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4836 | e57afa9.exe
(this row is repeated 64 times in the report, all for PID 4836 e57afa9.exe)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3280 wrote to memory of 4576 | 3280 | rundll32.exe | 82
PID 3280 wrote to memory of 4576 | 3280 | rundll32.exe | 82
PID 3280 wrote to memory of 4576 | 3280 | rundll32.exe | 82
PID 4576 wrote to memory of 4836 | 4576 | rundll32.exe | 83
PID 4576 wrote to memory of 4836 | 4576 | rundll32.exe | 83
PID 4576 wrote to memory of 4836 | 4576 | rundll32.exe | 83
PID 4836 wrote to memory of 784 | 4836 | e57afa9.exe | 8
PID 4836 wrote to memory of 792 | 4836 | e57afa9.exe | 9
PID 4836 wrote to memory of 380 | 4836 | e57afa9.exe | 13
PID 4836 wrote to memory of 2768 | 4836 | e57afa9.exe | 49
PID 4836 wrote to memory of 2824 | 4836 | e57afa9.exe | 50
PID 4836 wrote to memory of 2972 | 4836 | e57afa9.exe | 51
PID 4836 wrote to memory of 3472 | 4836 | e57afa9.exe | 56
PID 4836 wrote to memory of 3592 | 4836 | e57afa9.exe | 57
PID 4836 wrote to memory of 3764 | 4836 | e57afa9.exe | 58
PID 4836 wrote to memory of 3852 | 4836 | e57afa9.exe | 59
PID 4836 wrote to memory of 3920 | 4836 | e57afa9.exe | 60
PID 4836 wrote to memory of 4004 | 4836 | e57afa9.exe | 61
PID 4836 wrote to memory of 4124 | 4836 | e57afa9.exe | 62
PID 4836 wrote to memory of 4392 | 4836 | e57afa9.exe | 64
PID 4836 wrote to memory of 3132 | 4836 | e57afa9.exe | 75
PID 4836 wrote to memory of 3280 | 4836 | e57afa9.exe | 81
PID 4836 wrote to memory of 4576 | 4836 | e57afa9.exe | 82
PID 4836 wrote to memory of 4576 | 4836 | e57afa9.exe | 82
PID 4576 wrote to memory of 1000 | 4576 | rundll32.exe | 84
PID 4576 wrote to memory of 1000 | 4576 | rundll32.exe | 84
PID 4576 wrote to memory of 1000 | 4576 | rundll32.exe | 84
PID 4836 wrote to memory of 784 | 4836 | e57afa9.exe | 8
PID 4836 wrote to memory of 792 | 4836 | e57afa9.exe | 9
PID 4836 wrote to memory of 380 | 4836 | e57afa9.exe | 13
PID 4836 wrote to memory of 2768 | 4836 | e57afa9.exe | 49
PID 4836 wrote to memory of 2824 | 4836 | e57afa9.exe | 50
PID 4836 wrote to memory of 2972 | 4836 | e57afa9.exe | 51
PID 4836 wrote to memory of 3472 | 4836 | e57afa9.exe | 56
PID 4836 wrote to memory of 3592 | 4836 | e57afa9.exe | 57
PID 4836 wrote to memory of 3764 | 4836 | e57afa9.exe | 58
PID 4836 wrote to memory of 3852 | 4836 | e57afa9.exe | 59
PID 4836 wrote to memory of 3920 | 4836 | e57afa9.exe | 60
PID 4836 wrote to memory of 4004 | 4836 | e57afa9.exe | 61
PID 4836 wrote to memory of 4124 | 4836 | e57afa9.exe | 62
PID 4836 wrote to memory of 4392 | 4836 | e57afa9.exe | 64
PID 4836 wrote to memory of 3132 | 4836 | e57afa9.exe | 75
PID 4836 wrote to memory of 3280 | 4836 | e57afa9.exe | 81
PID 4836 wrote to memory of 1000 | 4836 | e57afa9.exe | 84
PID 4836 wrote to memory of 1000 | 4836 | e57afa9.exe | 84
PID 4576 wrote to memory of 740 | 4576 | rundll32.exe | 85
PID 4576 wrote to memory of 740 | 4576 | rundll32.exe | 85
PID 4576 wrote to memory of 740 | 4576 | rundll32.exe | 85
PID 4576 wrote to memory of 3648 | 4576 | rundll32.exe | 86
PID 4576 wrote to memory of 3648 | 4576 | rundll32.exe | 86
PID 4576 wrote to memory of 3648 | 4576 | rundll32.exe | 86
PID 740 wrote to memory of 784 | 740 | e57e956.exe | 8
PID 740 wrote to memory of 792 | 740 | e57e956.exe | 9
PID 740 wrote to memory of 380 | 740 | e57e956.exe | 13
PID 740 wrote to memory of 2768 | 740 | e57e956.exe | 49
PID 740 wrote to memory of 2824 | 740 | e57e956.exe | 50
PID 740 wrote to memory of 2972 | 740 | e57e956.exe | 51
PID 740 wrote to memory of 3472 | 740 | e57e956.exe | 56
PID 740 wrote to memory of 3592 | 740 | e57e956.exe | 57
PID 740 wrote to memory of 3764 | 740 | e57e956.exe | 58
PID 740 wrote to memory of 3852 | 740 | e57e956.exe | 59
PID 740 wrote to memory of 3920 | 740 | e57e956.exe | 60
PID 740 wrote to memory of 4004 | 740 | e57e956.exe | 61
PID 740 wrote to memory of 4124 | 740 | e57e956.exe | 62
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57afa9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57e956.exe
Processes
(each entry: image path, command line, PID; child processes are indented under their parent, matching the depth numbers in the report)

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 784

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 792

C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 380

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2768

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2824

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2972

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3472

    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d7b7607847585b60b3e7c788720990aa8e88fb53beba9c46e0094d6c5aec0b8.dll,#1
      PID: 3280
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d7b7607847585b60b3e7c788720990aa8e88fb53beba9c46e0094d6c5aec0b8.dll,#1
          PID: 4576
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e57afa9.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57afa9.exe
              PID: 4836
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e57b15e.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57b15e.exe
              PID: 1000
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e57e956.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57e956.exe
              PID: 740
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e57e9d3.exe
              command line: C:\Users\Admin\AppData\Local\Temp\e57e9d3.exe
              PID: 3648
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3592

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3852

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4004

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4124

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4392

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3132
Network
MITRE ATT&CK Enterprise v15
tactic | technique | count
Privilege Escalation | Abuse Elevation Control Mechanism | 1
Privilege Escalation | Bypass User Account Control | 1
Privilege Escalation | Create or Modify System Process | 1
Privilege Escalation | Windows Service | 1
Defense Evasion | Abuse Elevation Control Mechanism | 1
Defense Evasion | Bypass User Account Control | 1
Defense Evasion | Impair Defenses | 4
Defense Evasion | Disable or Modify System Firewall | 1
Defense Evasion | Disable or Modify Tools | 3
Defense Evasion | Modify Registry | 5
Downloads

Filesize: 97KB
MD5: b2c02ad28063e98a9899a8f223656718
SHA1: 36afac6eddfc36303e8755320c990e4b045f5d9a
SHA256: 01ac6825ba98323a45904f0ffc27afe5a14134ed449b680d7aee44a02dcb1112
SHA512: f906ffc772a85010144d2ccc5890099739ea0cbf7618ad55948867d075f7c313b45e74c57747bafe3d66c94c0a32bdf59e92fbc0dc6b752bb97fe2337cb5e1a5

Filesize: 257B
MD5: 137ac99b41e8de81b9ba79409b0b1cb0
SHA1: 954b6a31a83b9520df0e40467eaf4d793e3c852a
SHA256: 406ea85b5a1c904e0fd33ec65af51d5f9b867d2987a70593036c8b5e0d898c5c
SHA512: 73393e330454806e6ebaca91677414aa38ac3244e9d4ed48eb4f9f0923d23a480d5dd4d1ca38bef351ad00d1f07f0f478c3605af3be40be12008421560b8fa2d