Analysis
- max time kernel: 95s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/12/2024, 00:40
Static task: static1
Behavioral task: behavioral1
- Sample: 5b48b4bd8d84759d387a3d686c9a0d3458171f02744bb3a0d2b9941b2aa4f4d9N.dll
- Resource: win7-20240903-en
The signatures, yara hits and process tree below are labelled behavioral2 and show Windows 10 paths (fontdrvhost.exe, StartMenuExperienceHost.exe, WOW6432Node), so they belong to the windows10-2004_x64 run named in the platform field, not to the Windows 7 task listed above.
General
- Target: 5b48b4bd8d84759d387a3d686c9a0d3458171f02744bb3a0d2b9941b2aa4f4d9N.dll
- Size: 120KB
- MD5: bc3eb46b1a1afaa42cf91e27e6294630
- SHA1: 9a766f8e4a8891637a5cebbd81e585e2cec70463
- SHA256: 5b48b4bd8d84759d387a3d686c9a0d3458171f02744bb3a0d2b9941b2aa4f4d9
- SHA512: e687c3d705b308843921437d6f083e8fe4312b0a9b6c8a418c5d9ef322662be70c4d7733467c94755ed2ecf16580ed585f7473b254d7ebd616957947b3ad84c5
- SSDEEP: 3072:1Rah7R7qX7SsGEpWgzfHYhTh3lq1oDiqLsXZEqIs:1y7JHsRlfi1lqTqQZEqIs
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579eb1.exe
Both dropped executables turn the Standard Profile firewall off, re-allow exceptions and silence the firewall notification. ControlSet001 is the control set the sandbox resolved; on a live host query the same values under CurrentControlSet.

Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5783b7.exe
EnableLUA = 0 disables UAC for every account on the host; the change only takes effect after the next reboot.

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579eb1.exe
The sample is 32-bit (arch:x86 tag), so the registry redirector placed these writes under WOW6432Node. When hunting for them on x64 hosts, query both the native HKLM\SOFTWARE\Microsoft\Security Center view and the WOW6432Node view.

Executes dropped EXE 3 IoCs
pid | Process
2296 | e5783b7.exe
4756 | e578770.exe
1160 | e579eb1.exe

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579eb1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579eb1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5783b7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5783b7.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579eb1.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e5783b7.exe
File opened (read-only) | \??\M: | e5783b7.exe
File opened (read-only) | \??\Q: | e5783b7.exe
File opened (read-only) | \??\E: | e579eb1.exe
File opened (read-only) | \??\G: | e5783b7.exe
File opened (read-only) | \??\L: | e5783b7.exe
File opened (read-only) | \??\I: | e5783b7.exe
File opened (read-only) | \??\K: | e5783b7.exe
File opened (read-only) | \??\N: | e5783b7.exe
File opened (read-only) | \??\O: | e5783b7.exe
File opened (read-only) | \??\P: | e5783b7.exe
File opened (read-only) | \??\R: | e5783b7.exe
File opened (read-only) | \??\H: | e5783b7.exe
File opened (read-only) | \??\J: | e5783b7.exe
File opened (read-only) | \??\S: | e5783b7.exe
e5783b7.exe walks every drive letter from E: to S: regardless of whether a volume is mounted, which is the drive enumeration a file infector does before looking for executables to touch.

UPX yara rule match 33 IoCs
resource | yara_rule
behavioral2/memory/2296-N-0x00000000007A0000-0x000000000185A000-memory.dmp for N in 6, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 36, 37, 39, 40, 41, 43, 52, 53, 56, 57, 67, 69, 72, 74, 76, 78, 81, 83, 85, 96 (31 dumps of the same range) | upx
behavioral2/memory/1160-117-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
behavioral2/memory/1160-153-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
All 31 hits for PID 2296 are successive dumps of one region, so a single dump is enough for static triage. The regions for 2296 and 1160 are both 0x10BA000 bytes long (0x185A000 - 0x7A0000 = 0x1C0A000 - 0xB50000), consistent with the two dropped executables carrying the same packed payload at different base addresses.
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e5783b7.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e5783b7.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e5783b7.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e5783b7.exe
These are existing executables opened for write, not new files. Sality is a file infector, so treat every executable the process opened for modification as potentially infected; deleting the three Temp drops alone does not clean the host.

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e578482 | e5783b7.exe
File opened for modification | C:\Windows\SYSTEM.INI | e5783b7.exe
File created | C:\Windows\e57d6b9 | e579eb1.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579eb1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5783b7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578770.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2296 | e5783b7.exe (4 records)
1160 | e579eb1.exe (2 records)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2296 | e5783b7.exe (64 identical records)
SeDebugPrivilege is what lets the process open system and other-session processes for write; the WriteProcessMemory list that follows is the consequence. Both 64-entry lists on this page stop at exactly 64, so assume they are truncated.

Suspicious use of WriteProcessMemory 64 IoCs
Grouped by writer. The number in parentheses is the report's procid_target (the target's index in the Processes list); repeated records are noted once.
1996 rundll32.exe -> 3528 (85), 3 records
3528 rundll32.exe -> 2296 (86), 4756 (87), 1160 (89), 3 records each
2296 e5783b7.exe -> 796 (9), 800 (10), 384 (13), 2808 (49), 2864 (50), 2984 (51), 3416 (56), 3564 (57), 3752 (58), 3840 (59), 3908 (60), 3992 (61), 4176 (62), 700 (74), 2612 (76), 3640 (77), 2272 (78), 2140 (83), 1996 (84), 3528 (85, 2 records), 4756 (87, 2 records), 1160 (89, 2 records); the 796 through 2612 run is recorded twice, 40 records in all
1160 e579eb1.exe -> 796 (9), 800 (10), 384 (13), 2808 (49), 2864 (50), 2984 (51), 3416 (56), 3564 (57), 3752 (58), 3840 (59), 3908 (60), 3992 (61), 12 records
The rundll32 writes are ordinary parent-to-child writes made while creating each child (three per child). The writes by 2296 and 1160 go into fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE and the other session processes in the tree below, none of which the sample created; those are the cross-process writes to alert on. The list ends while e579eb1.exe is part-way through the same target sequence e5783b7.exe walked, so its target set is truncated.

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5783b7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579eb1.exe
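The registry IoCs above are the part of this report most worth turning into a host check. The following Python is an added example, not code from the Triage report or from any Sality analysis: it parses the flattened `Set value (type) <path> = "<value>" <process>` and `Key created <path> <process>` records into structured fields and scores each process against a posture table. The sample records are copied from the signature tables above; the posture table (which value of each name weakens the host) and the finding labels are my assumptions about the semantics of those Windows values. Keys are matched by suffix on purpose: the sandbox resolved CurrentControlSet to ControlSet001, and a live host should be checked under CurrentControlSet.

```python
"""Classify Triage-style registry IoC records by the control they weaken.
Added example, not code from the report: parser and posture table are mine;
the sample records are copied verbatim from the report's signature tables."""
import re
from collections import defaultdict

# Constructed sample: one record per line, copied from the report above.
SAMPLE_RECORDS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e5783b7.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e5783b7.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5783b7.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e579eb1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579eb1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e579eb1.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e579eb1.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (\S+)$')

# Assumed posture table: (key suffix, value name) -> (weakening value, finding).
# Suffix matching lets ControlSet001 (sandbox) and CurrentControlSet (live host)
# both match, and ignores the WOW6432Node prefix the 32-bit sample wrote under.
WEAKENING = {
    ("FirewallPolicy\\StandardProfile", "EnableFirewall"): ("0", "host firewall disabled"),
    ("FirewallPolicy\\StandardProfile", "DoNotAllowExceptions"): ("0", "firewall exceptions allowed"),
    ("FirewallPolicy\\StandardProfile", "DisableNotifications"): ("1", "firewall notifications suppressed"),
    ("Policies\\System", "EnableLUA"): ("0", "UAC disabled"),
    ("Security Center", "AntiVirusOverride"): ("1", "Security Center AV override"),
    ("Security Center", "FirewallOverride"): ("1", "Security Center firewall override"),
    ("Security Center", "AntiVirusDisableNotify"): ("1", "AV alerts suppressed"),
    ("Security Center", "FirewallDisableNotify"): ("1", "firewall alerts suppressed"),
    ("Security Center", "UpdatesDisableNotify"): ("1", "update alerts suppressed"),
    ("Security Center", "UacDisableNotify"): ("1", "UAC alerts suppressed"),
}


def parse_record(line):
    """Return a dict for one IoC record, or None if the line is not one."""
    m = SET_RE.match(line)
    if m:
        kind, path, value, proc = m.groups()
        key, _, name = path.rpartition("\\")   # split key path from value name
        return {"op": "set", "type": kind, "key": key, "name": name,
                "value": value, "process": proc}
    m = KEY_RE.match(line)
    if m:
        key, proc = m.groups()
        return {"op": "create", "type": None, "key": key, "name": None,
                "value": None, "process": proc}
    return None


def finding_for(rec):
    """Map a parsed 'set' record to a finding label; None if benign or unknown."""
    if rec["op"] != "set":
        return None
    for (suffix, name), (bad_value, label) in WEAKENING.items():
        if rec["name"] == name and rec["key"].endswith(suffix) and rec["value"] == bad_value:
            return label
    return None


def summarize(lines):
    """Group findings by process: {process: sorted list of finding labels}."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        findings[rec["process"]]           # register the process even with no finding
        label = finding_for(rec)
        if label:
            findings[rec["process"]].add(label)
    return {proc: sorted(labels) for proc, labels in findings.items()}


if __name__ == "__main__":
    for proc, labels in summarize(SAMPLE_RECORDS).items():
        print(f"{proc}: {', '.join(labels) or 'no posture change detected'}")
```

To reuse the table on a live host, read the same value names with reg.exe or PowerShell's Get-ItemProperty under CurrentControlSet and both registry views, and feed the results through finding_for; the parser is only needed for sandbox output.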
Processes
Each entry is image path | command line | PID; nesting follows the report's depth markers. The unindented processes are pre-existing session processes that the sample wrote into (see Suspicious use of WriteProcessMemory), not children of the sample. The 64-bit rundll32 (PID 1996) relaunches the DLL through the 32-bit SysWOW64 rundll32 (PID 3528), which is expected for a 32-bit DLL on an x64 image; all three Temp executables are children of that 32-bit loader.
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:800
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2808
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2864
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2984
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3416
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b48b4bd8d84759d387a3d686c9a0d3458171f02744bb3a0d2b9941b2aa4f4d9N.dll,#1 | PID:1996
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b48b4bd8d84759d387a3d686c9a0d3458171f02744bb3a0d2b9941b2aa4f4d9N.dll,#1 | PID:3528
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5783b7.exe | C:\Users\Admin\AppData\Local\Temp\e5783b7.exe | PID:2296
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e578770.exe | C:\Users\Admin\AppData\Local\Temp\e578770.exe | PID:4756
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e579eb1.exe | C:\Users\Admin\AppData\Local\Temp\e579eb1.exe | PID:1160
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3564
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3840
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3992
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4176
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:700
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2612
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3640
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2272
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2140
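Read together, the WriteProcessMemory records and the process tree separate the loader's parent-to-child writes from the dropped executables' writes into session processes they never created. The following Python is an added example, not code from the report: it parses a run of `PID a wrote to memory of b a image n` records as the report prints them, classifies each write as child or cross-process using a parent map, and lists the foreign images each writer touched. The sample records and the PID-to-image map are copied from this page; the parent map is read from the tree's nesting and is the one assumption the classification depends on.

```python
"""Build a process-injection view from Triage 'wrote to memory of' records.
Added example, not part of the report: parser and parent map are mine; the
records and PID-to-image map are copied from the report above."""
import re
from collections import defaultdict

# Record shape: "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WRITE_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+')

# Constructed sample: a subset of the report's records, run together on one
# line exactly the way the extracted page prints them (one duplicate included).
SAMPLE = (
    "PID 1996 wrote to memory of 3528 1996 rundll32.exe 85 "
    "PID 3528 wrote to memory of 2296 3528 rundll32.exe 86 "
    "PID 2296 wrote to memory of 796 2296 e5783b7.exe 9 "
    "PID 2296 wrote to memory of 384 2296 e5783b7.exe 13 "
    "PID 2296 wrote to memory of 3416 2296 e5783b7.exe 56 "
    "PID 2296 wrote to memory of 1996 2296 e5783b7.exe 84 "
    "PID 2296 wrote to memory of 796 2296 e5783b7.exe 9 "
    "PID 1160 wrote to memory of 3416 1160 e579eb1.exe 56"
)

# PID -> image, from the Processes section of the report.
IMAGES = {796: "fontdrvhost.exe", 384: "dwm.exe", 3416: "Explorer.EXE",
          1996: "rundll32.exe", 3528: "rundll32.exe", 2296: "e5783b7.exe",
          1160: "e579eb1.exe"}

# child PID -> parent PID, read from the tree nesting (assumption: the tree is
# complete for the sample's own lineage; on a real host use process-create events).
PARENT = {3528: 1996, 2296: 3528, 4756: 3528, 1160: 3528}


def parse_writes(text):
    """Yield (src_pid, dst_pid, src_image) tuples, de-duplicated, in order."""
    seen = set()
    for m in WRITE_RE.finditer(text):
        rec = (int(m.group(1)), int(m.group(2)), m.group(3))
        if rec not in seen:
            seen.add(rec)
            yield rec


def classify(src, dst):
    """A write into a process the writer itself created is normal CreateProcess
    setup; anything else is a cross-process write worth investigating."""
    return "child" if PARENT.get(dst) == src else "cross-process"


def injection_targets(text):
    """Map each writer image to the sorted list of foreign images it wrote into."""
    targets = defaultdict(set)
    for src, dst, img in parse_writes(text):
        if classify(src, dst) == "cross-process":
            targets[img].add(IMAGES.get(dst, f"pid:{dst}"))
    return {img: sorted(hits) for img, hits in targets.items()}


if __name__ == "__main__":
    for writer, hits in injection_targets(SAMPLE).items():
        print(f"{writer} wrote into: {', '.join(hits)}")
```

On an EDR feed the same classification works with the parent map built from process-creation events and the image map keyed on full path rather than basename; the rule of interest is unchanged, a write into any process the writer did not itself create.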
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: a56d481c661e5d4593e90a6861cd2a74
  SHA1: 2d86b9ad82d76d60bd00067e1eccd2cd821b8743
  SHA256: 95222a4bb80531aa8d926a0f3e7bec9ec60f68c6bbb2f49a5689ced632530e81
  SHA512: 8b9491a57f283811367c8b8e698f15a30c718e44dcbf77c0a2707ebf682ed52f7807b98539592abbe35393e40c569fe18bab2c5f223c1a060c952c939d7acd0a
- Filesize: 257B
  MD5: 551fd7bab5728ee737aab97b0c22dad8
  SHA1: d249bd24900f74b5f5f6b7f30c9cd0cb5d5f30f1
  SHA256: f9f5899e216bbc507b25f52fa1f4ca850dab7c8bedcaa07ea80cc699611cfd2f
  SHA512: 504372dd4f70246ca334f07e818a95a68a5c1a5a8550c73da2898a0d86eb9b439466898c84c8c10d28abe3cce80afcfaeff42fdf6488d529cd60232f7b128f8a