Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
31s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/12/2024, 22:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578N.dll
Resource
win7-20241010-en
windows7-x64
17 signatures
120 seconds
General
-
Target
0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578N.dll
-
Size
120KB
-
MD5
6809d71ef46483a16816634399eda3c0
-
SHA1
951d8503dc5eb2febd7738352ab73f8aa2a072ea
-
SHA256
0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578
-
SHA512
8a44862f61a7e30229892fab6206f18eab2cf213e4ec4dd16ef443411bd24e55f2bfde5013387f72a2fcf24333571cd581aceb549a4b4bd23d39b8f0b6bc4798
-
SSDEEP
3072:tK6ioXmfTybpc2pkjhDW/nm8GQUqx7dewAXC:cToXuTCmQiDcn5ndLGC
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57caa3.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57caa3.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57caa3.exe -
Executes dropped EXE 4 IoCs
pid Process 4868 e579f7c.exe 4212 e57a086.exe 2176 e57caa3.exe 2160 e57cab2.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57caa3.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57caa3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e579f7c.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e579f7c.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57caa3.exe -
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: e579f7c.exe File opened (read-only) \??\K: e579f7c.exe File opened (read-only) \??\M: e579f7c.exe File opened (read-only) \??\G: e57caa3.exe File opened (read-only) \??\E: e579f7c.exe File opened (read-only) \??\J: e579f7c.exe File opened (read-only) \??\J: e57caa3.exe File opened (read-only) \??\G: e579f7c.exe File opened (read-only) \??\I: e579f7c.exe File opened (read-only) \??\N: e579f7c.exe File opened (read-only) \??\E: e57caa3.exe File opened (read-only) \??\H: e57caa3.exe File opened (read-only) \??\L: e579f7c.exe File opened (read-only) \??\I: e57caa3.exe -
resource yara_rule behavioral2/memory/4868-6-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-11-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-8-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-12-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-10-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-9-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-25-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-32-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-33-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-36-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-35-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-34-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-37-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-38-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-39-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-45-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-59-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-61-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-62-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-63-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-65-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-66-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-69-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-72-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/4868-78-0x0000000000760000-0x000000000181A000-memory.dmp upx behavioral2/memory/2176-114-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/2176-157-0x00000000007F0000-0x00000000018AA000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\e579fe9 e579f7c.exe File opened for modification C:\Windows\SYSTEM.INI e579f7c.exe File created C:\Windows\e57f1e2 e57caa3.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57cab2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e579f7c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57a086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e57caa3.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4868 e579f7c.exe 4868 e579f7c.exe 4868 e579f7c.exe 4868 e579f7c.exe 2176 e57caa3.exe 2176 e57caa3.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe Token: SeDebugPrivilege 4868 e579f7c.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2276 wrote to memory of 4604 2276 rundll32.exe 83 PID 2276 wrote to memory of 4604 2276 rundll32.exe 83 PID 2276 wrote to memory of 4604 2276 rundll32.exe 83 PID 4604 wrote to memory of 4868 4604 rundll32.exe 84 PID 4604 wrote to memory of 4868 4604 rundll32.exe 84 PID 4604 wrote to memory of 4868 4604 rundll32.exe 84 PID 4868 wrote to memory of 784 4868 e579f7c.exe 8 PID 4868 wrote to memory of 792 4868 e579f7c.exe 9 PID 4868 wrote to memory of 316 4868 e579f7c.exe 13 PID 4868 wrote to memory of 2656 4868 e579f7c.exe 44 PID 4868 wrote to memory of 2664 4868 e579f7c.exe 45 PID 4868 wrote to memory of 2772 4868 e579f7c.exe 47 PID 4868 wrote to memory of 3556 4868 e579f7c.exe 56 PID 4868 wrote to memory of 3676 4868 e579f7c.exe 57 PID 4868 wrote to memory of 3884 4868 e579f7c.exe 58 PID 4868 wrote to memory of 3972 4868 e579f7c.exe 59 PID 4868 wrote to memory of 4040 4868 e579f7c.exe 60 PID 4868 wrote to memory of 1016 4868 e579f7c.exe 61 PID 4868 wrote to memory of 4008 4868 e579f7c.exe 62 PID 4868 wrote to memory of 4788 4868 e579f7c.exe 75 PID 4868 wrote to memory of 3668 4868 e579f7c.exe 76 PID 4868 wrote to memory of 2936 4868 e579f7c.exe 81 PID 4868 wrote to memory of 2276 4868 e579f7c.exe 82 PID 4868 wrote to memory of 4604 4868 e579f7c.exe 83 PID 4868 wrote to memory of 4604 4868 e579f7c.exe 83 PID 4604 wrote to memory of 4212 4604 rundll32.exe 85 PID 4604 wrote to memory of 4212 4604 rundll32.exe 85 PID 4604 wrote to memory of 4212 4604 rundll32.exe 85 PID 4868 wrote to memory of 784 4868 e579f7c.exe 8 PID 4868 wrote to memory of 792 4868 e579f7c.exe 9 PID 4868 wrote to memory of 316 4868 e579f7c.exe 13 PID 4868 wrote to memory of 2656 4868 e579f7c.exe 44 PID 4868 wrote to memory of 2664 4868 e579f7c.exe 45 PID 4868 wrote to memory of 2772 4868 e579f7c.exe 47 PID 4868 wrote to memory of 3556 4868 e579f7c.exe 56 PID 4868 wrote to memory of 3676 4868 e579f7c.exe 57 PID 4868 wrote to memory of 3884 4868 e579f7c.exe 58 PID 4868 wrote to memory of 3972 4868 e579f7c.exe 59 PID 4868 wrote to memory of 4040 4868 e579f7c.exe 60 PID 4868 wrote to memory of 1016 4868 e579f7c.exe 61 PID 4868 wrote to memory of 4008 4868 e579f7c.exe 62 PID 4868 wrote to memory of 4788 4868 e579f7c.exe 75 PID 4868 wrote to memory of 3668 4868 e579f7c.exe 76 PID 4868 wrote to memory of 2936 4868 e579f7c.exe 81 PID 4868 wrote to memory of 2276 4868 e579f7c.exe 82 PID 4868 wrote to memory of 4212 4868 e579f7c.exe 85 PID 4868 wrote to memory of 4212 4868 e579f7c.exe 85 PID 4604 wrote to memory of 2176 4604 rundll32.exe 86 PID 4604 wrote to memory of 2176 4604 rundll32.exe 86 PID 4604 wrote to memory of 2176 4604 rundll32.exe 86 PID 4604 wrote to memory of 2160 4604 rundll32.exe 87 PID 4604 wrote to memory of 2160 4604 rundll32.exe 87 PID 4604 wrote to memory of 2160 4604 rundll32.exe 87 PID 2176 wrote to memory of 784 2176 e57caa3.exe 8 PID 2176 wrote to memory of 792 2176 e57caa3.exe 9 PID 2176 wrote to memory of 316 2176 e57caa3.exe 13 PID 2176 wrote to memory of 2656 2176 e57caa3.exe 44 PID 2176 wrote to memory of 2664 2176 e57caa3.exe 45 PID 2176 wrote to memory of 2772 2176 e57caa3.exe 47 PID 2176 wrote to memory of 3556 2176 e57caa3.exe 56 PID 2176 wrote to memory of 3676 2176 e57caa3.exe 57 PID 2176 wrote to memory of 3884 2176 e57caa3.exe 58 PID 2176 wrote to memory of 3972 2176 e57caa3.exe 59 PID 2176 wrote to memory of 4040 2176 e57caa3.exe 60 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579f7c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57caa3.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2656
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2664
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2772
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3556
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578N.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578N.dll,#13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\e579f7c.exeC:\Users\Admin\AppData\Local\Temp\e579f7c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4868
-
-
C:\Users\Admin\AppData\Local\Temp\e57a086.exeC:\Users\Admin\AppData\Local\Temp\e57a086.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4212
-
-
C:\Users\Admin\AppData\Local\Temp\e57caa3.exeC:\Users\Admin\AppData\Local\Temp\e57caa3.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176
-
-
C:\Users\Admin\AppData\Local\Temp\e57cab2.exeC:\Users\Admin\AppData\Local\Temp\e57cab2.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2160
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3676
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3884
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3972
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4040
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1016
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4008
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4788
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3668
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2936
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5d816ac504664d18af73a18c0f8554ed0
SHA11b5716afa4de7b36aacce71a70d1091bcfe8f073
SHA256babbf3f21e1ed39d49652fc04f831dff5fe45c0f2cad78e549a79d39726953c0
SHA512563162b9c363be9478810c6ecad2499c4ba357c2158beb78e75ca90db933639313f04ae49ee379e27cc599eb499abe738dc9dbf6b545cfa9d2ebb24768147e28
-
Filesize
257B
MD55186da18411797fde01018fae771ff25
SHA13b170f16990ac04e65c7f948ec7bb88216b20c43
SHA2563d1868e8b095eaa8da96d235d9c35bceb8ec38405ff1de40cf6976a4c00e3665
SHA5122bc6713d0fb94a9911fb32d5f2559f5aa29e8aa060524936127885291f620a9ec93d7e8f4f390694626a8c950c21a8e3520339e9b69f6b8f1999539b00a2569d