Analysis
- max time kernel: 117s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/12/2024, 06:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Resource: win7-20240903-en
General
- Target: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Size: 1.4MB
- MD5: 32eeac7beded0a9fb5f6012f5ac67590
- SHA1: 3bbbd088f4a2ff2d3e6dad602a5bed9de6495635
- SHA256: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725
- SHA512: 08f93f8570c69f080f6e83a65dab4a70e297527c65c0b23da0e14bbe5f8938c3c52b2523bac877aa320c9599e0d45ab7fa002ceaece92fefffe6aa3bf9189831
- SSDEEP: 24576:sU6K1uA4xACQ84KKX/rOwxoluXfw8+c7/3P750szsELRwMFwQPFr/+io:sUlQJPPOrmG5+A/Da8/LaMFZFT+T
Malware Config
Extracted family: sality
URLs from the extracted configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process (all entries): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

Sality family

UAC bypass
Process: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Process (all entries): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
- resource: behavioral2/files/0x000a000000023cbc-17.dat, yara_rule: acprotect

Loads dropped DLL (1 IoCs)
- pid 3656: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe

Windows security modification
Process (all entries): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Checks whether UAC is enabled
Process: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process (all entries): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- File opened (read-only): \??\N:
- File opened (read-only): \??\R:
- File opened (read-only): \??\W:
- File opened (read-only): \??\X:
- File opened (read-only): \??\E:
- File opened (read-only): \??\H:
- File opened (read-only): \??\L:
- File opened (read-only): \??\M:
- File opened (read-only): \??\U:
- File opened (read-only): \??\V:
- File opened (read-only): \??\Y:
- File opened (read-only): \??\K:
- File opened (read-only): \??\O:
- File opened (read-only): \??\P:
- File opened (read-only): \??\T:
- File opened (read-only): \??\Z:
- File opened (read-only): \??\G:
- File opened (read-only): \??\I:
- File opened (read-only): \??\J:
- File opened (read-only): \??\Q:
- File opened (read-only): \??\S:

Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process (all entries): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- File opened for modification: C:\autorun.inf
- File opened for modification: F:\autorun.inf
Drops file in Program Files directory (11 IoCs)
Process (all entries): 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe

Drops file in Windows directory (1 IoCs)
Process: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- File opened for modification: C:\Windows\SYSTEM.INI

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- pid 3656: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe (the same process for every IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 1 IoCs)
Process: 7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
  PID: 792
- C:\Windows\system32\fontdrvhost.exe
  cmd: "fontdrvhost.exe"
  PID: 800
- C:\Windows\system32\dwm.exe
  cmd: "dwm.exe"
  PID: 64
- C:\Windows\system32\sihost.exe
  cmd: sihost.exe
  PID: 3084
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 3100
- C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 3156
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 3396
  - C:\Users\Admin\AppData\Local\Temp\7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe"
    PID: 3656
    Signatures triggered:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3556
- C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3736
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3836
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3900
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4000
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4188
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3176
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3860
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4316
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1828
- C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1476
- C:\Windows\system32\AUDIODG.EXE
  cmd: C:\Windows\system32\AUDIODG.EXE 0x404 0x470
  PID: 432
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0E57AEDD_Rar\7068f2061bf5b05d4d905f2b48122816fe277a3371e4e4d537df2ac550d4e725N.exe
  Filesize: 1.3MB
  MD5: 096fba3ebea82e6cc6c8c7a71904fba8
  SHA1: 45097831e2bddc8eb6b621adf9c6ed9593bc5bdb
  SHA256: 9170991e32e4d36499ebbf4538872ff49100fa62e3f30140688d6475d329bde7
  SHA512: cf6a85750897e7a2789c38be7e7f3b5e1f3532cf947173e74d360845e256bbc66899c8e93efdc1f8a9a7fffdf388e6427f4ccd0f877fe8daa3926c7bfb8574a6
- Filesize: 146KB
  MD5: 3d4839228c7ee77e28832879eeb17340
  SHA1: ebe4a6388c8c6831837e232b48b8f4266b7f711e
  SHA256: 5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954
  SHA512: f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56
- Filesize: 100KB
  MD5: 42d6dcc8841320ed1a2e47aa6e84a44f
  SHA1: 41eb24b919a95592f66ffad7af4dfc17cffc2a4e
  SHA256: f180ba129b5e311821439865c05981bba039c1b123971451ee48e0650a470362
  SHA512: ea0d86e3e57a9f00febe15d2236611dbe2c72f1436abe46757f7ed75130f1657b145c3ea6ef5e68636801cee2f08db4a7a4ef0c567b279f2a57f76316888cb9f