Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/12/2024, 06:11
Static task: static1
Behavioral task: behavioral1
Sample: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
Resource: win7-20240903-en
General
Target: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
Size: 1.4MB
MD5: 32eeac7beded0a9fb5f6012f5ac67590
SHA1: 3bbbd088f4a2ff2d3e6dad602a5bed9de6495635
SHA256: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725
SHA512: 08f93f8570c69f080f6e83a65dab4a70e297527c65c0b23da0e14bbe5f8938c3c52b2523bac877aa320c9599e0d45ab7fa002ceaece92fefffe6aa3bf9189831
SSDEEP: 24576:sU6K1uA4xACQ84KKX/rOwxoluXfw8+c7/3P750szsELRwMFwQPFr/+io:sUlQJPPOrmG5+A/Da8/LaMFZFT+T
Malware Config
Extracted config, family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Sality family
UAC bypass
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000e000000013ab3-3.dat | acprotect
Loads dropped DLL 1 IoCs
pid | Process
1708 | 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
Windows security modification
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Checks whether UAC is enabled
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (one IoC per drive letter, 21 in total)
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
File opened for modification | F:\autorun.inf
File opened for modification | C:\autorun.inf
UPX yara rule matches
resource | yara_rule
behavioral1/files/0x000e000000013ab3-3.dat | upx
behavioral1/memory/1708-19-0x0000000010000000-0x000000001007E000-memory.dmp | upx
behavioral1/memory/1708-N-0x0000000001EC0000-0x0000000002F4E000-memory.dmp | upx, for each snapshot N in 17, 21, 22, 23, 24, 25, 26, 27, 28, 44, 45, 46, 47, 48, 50, 51, 53, 54, 57, 67, 71, 72, 75, 76, 79, 80, 83, 84, 90 (29 dumps of the same region)
Drops file in Program Files directory 5 IoCs
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe
Drops file in Windows directory 1 IoCs
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
File opened for modification | C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
1708 | 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe (12 identical rows)
Suspicious use of AdjustPrivilegeToken 34 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1708 | 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe (34 identical rows)
Suspicious use of WriteProcessMemory 48 IoCs
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe, pid 1708
description | procid_target
PID 1708 wrote to memory of 1104 | 19 (12 rows)
PID 1708 wrote to memory of 1152 | 20 (12 rows)
PID 1708 wrote to memory of 1196 | 21 (12 rows)
PID 1708 wrote to memory of 836 | 25 (12 rows)
System policy modification 1 TTPs 1 IoCs
Process (all rows): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\taskhost.exe, command line: "taskhost.exe", PID 1104
- C:\Windows\system32\Dwm.exe, command line: "C:\Windows\system32\Dwm.exe", PID 1152
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID 1196
  - C:\Users\Admin\AppData\Local\Temp\7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe, command line: "C:\Users\Admin\AppData\Local\Temp\7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe", PID 1708
    Signatures triggered by this process:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 836
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0F76E33E_Rar\7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
  Filesize: 1.3MB
  MD5: 096fba3ebea82e6cc6c8c7a71904fba8
  SHA1: 45097831e2bddc8eb6b621adf9c6ed9593bc5bdb
  SHA256: 9170991e32e4d36499ebbf4538872ff49100fa62e3f30140688d6475d329bde7
  SHA512: cf6a85750897e7a2789c38be7e7f3b5e1f3532cf947173e74d360845e256bbc66899c8e93efdc1f8a9a7fffdf388e6427f4ccd0f877fe8daa3926c7bfb8574a6
- (unnamed file)
  Filesize: 100KB
  MD5: 27ca8e3911ff71c08aab9c362e0c9eaa
  SHA1: 904fa750600401363a8570decc825fa16fe169ea
  SHA256: 0743051b7a1f11ea20b2c023a1ad93b536b024840bf767dc0fdccc3d73a33d22
  SHA512: f7a546ec69e115c80217f2b3a91308bb1112f86dd49775ab281437675239502b220ff38d6bf28f92e7197771bbc7878f5bea372d740b6d855275339c1f3ff3eb
- (unnamed file)
  Filesize: 146KB
  MD5: 3d4839228c7ee77e28832879eeb17340
  SHA1: ebe4a6388c8c6831837e232b48b8f4266b7f711e
  SHA256: 5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954
  SHA512: f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56