tria.ge notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2024, 03:56
Static task: static1
Behavioral task: behavioral1
Sample: 85ae768c13ec6fd40f30c0d0cc0356befb50786e3d300ce0b78eafb3aa95b564.dll
Resource: win7-20240729-en
General
Target: 85ae768c13ec6fd40f30c0d0cc0356befb50786e3d300ce0b78eafb3aa95b564.dll
Size: 120KB
MD5: 505775bc6fbe2457fea736df321faefd
SHA1: 4818cea5f198e906b4584ddf2134235c0afc82bf
SHA256: 85ae768c13ec6fd40f30c0d0cc0356befb50786e3d300ce0b78eafb3aa95b564
SHA512: bcd486dbdaa05de80db1d797a4181aac74361f28b9faaf2456b8e7072baa44e086dafc30c7ba26d207c15abbb7d8a6afa61397b19e19b9f453cfd8ab71e84169
SSDEEP: 1536:KAjgel2pHKnfktQ13oJ45y/b8ddA7xowtqGHLXmZ0rO4Hikw92cDH9LTAW:zUpqnfkQ666bWdA7uw17yQnHikk2cDuW
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57af2c.exe)

Sality family

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ca93.exe)

Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57af2c.exe)

Executes dropped EXE (4 IoCs)
- PID 2060 e57af2c.exe
- PID 820 e57b045.exe
- PID 1168 e57ca74.exe
- PID 3200 e57ca93.exe

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57ca93.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57af2c.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57af2c.exe)

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57af2c.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ca93.exe)
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (e57af2c.exe, 15 rows)
- File opened (read-only) \??\E: (e57ca93.exe, 1 row)

YARA rule match: upx (35 memory dumps)
- behavioral2/memory/2060-N-0x00000000007D0000-0x000000000188A000-memory.dmp for N in {6, 8, 9, 10, 11, 12, 18, 26, 31, 32, 34, 35, 36, 37, 38, 39, 41, 42, 56, 58, 60, 73, 76, 77, 79, 82, 85, 86, 87, 90, 91, 93, 98} (PID 2060, e57af2c.exe)
- behavioral2/memory/3200-N-0x0000000000B30000-0x0000000001BEA000-memory.dmp for N in {127, 165} (PID 3200, e57ca93.exe)
Drops file in Program Files directory (4 IoCs)
- File opened for modification C:\Program Files\7-Zip\7z.exe (e57af2c.exe)
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e57af2c.exe)
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e57af2c.exe)
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe (e57af2c.exe)

Drops file in Windows directory (3 IoCs)
- File created C:\Windows\e57af7a (e57af2c.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e57af2c.exe)
- File created C:\Windows\e57ff7e (e57ca93.exe)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57af2c.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57b045.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57ca74.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57ca93.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 2060 e57af2c.exe (4 rows)
- PID 3200 e57ca93.exe (2 rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 2060, e57af2c.exe (64 identical rows)

Suspicious use of WriteProcessMemory (64 IoCs)
Rows are "writer PID (process) -> target PID (procid_target)"; rows repeated in the original are given with a count.
- 3012 (rundll32.exe) -> 2176 (82), 3 rows
- 2176 (rundll32.exe) -> 2060 (83), 3 rows; -> 820 (84), 3 rows; -> 1168 (85), 3 rows; -> 3200 (86), 3 rows
- 2060 (e57af2c.exe) -> 760 (8), 768 (9), 64 (13), 2496 (42), 2516 (43), 2800 (48), 3520 (56), 3688 (57), 3864 (58), 4020 (59), 4084 (60), 816 (61), 4120 (62), 724 (74), 4524 (76), 2 rows each; -> 3012 (81), 1 row; -> 2176 (82), 2 rows; -> 820 (84), 2 rows; -> 1168 (85), 2 rows; -> 3200 (86), 2 rows
- 3200 (e57ca93.exe) -> 760 (8), 768 (9), 64 (13), 2496 (42), 2516 (43), 2800 (48), 3520 (56), 3688 (57), 3864 (58), 4020 (59), 1 row each

System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57ca93.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57af2c.exe)
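The registry signatures above (firewall policy, EnableLUA, the Security Center override and notification switches) are the same handful of values each time this family runs, which makes them cheap to watch for on a host. The script below is an added example, not part of the tria.ge report: it normalises registry paths in Sysmon Event ID 13 (RegistryEvent, value set) records, matches them against the exact key/value/data triples the signatures list, and only escalates when one process writes several of them. The event records, their PIDs and the field names (pid, image, target, details) are constructed here to mirror the report; they are not exported from the sandbox run.

```python
"""Flag Sality-style security-setting tampering in registry value-set events."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators from the report's firewall-policy, UAC-bypass, Security Center and
# system-policy signatures: (normalised key, value name) -> tampering value.
_FW = r"system\controlset\services\sharedaccess\parameters\firewallpolicy\standardprofile"
_POL = r"software\microsoft\windows\currentversion\policies\system"
_SC = r"software\microsoft\security center"
SUSPICIOUS_VALUES: dict[tuple[str, str], str] = {
    (_FW, "enablefirewall"): "0",
    (_FW, "donotallowexceptions"): "0",
    (_FW, "disablenotifications"): "1",
    (_POL, "enablelua"): "0",
    (_SC, "antivirusoverride"): "1",
    (_SC, "firewalloverride"): "1",
    (_SC, "antivirusdisablenotify"): "1",
    (_SC, "firewalldisablenotify"): "1",
    (_SC, "updatesdisablenotify"): "1",
    (_SC, "uacdisablenotify"): "1",
}

_HIVE_RE = re.compile(r"^(\\registry\\machine|hklm|hkey_local_machine)\\")
_CONTROLSET_RE = re.compile(r"^system\\(controlset\d{3}|currentcontrolset)\\")
_DWORD_RE = re.compile(r"dword\s*\((0x[0-9a-f]+)\)")


def normalise_key(path: str) -> str:
    """Lower-case, drop the hive prefix, fold ControlSetNNN/CurrentControlSet and
    strip WOW6432Node so 32-bit and 64-bit writers hit the same rule."""
    p = path.strip().lower()
    p = _HIVE_RE.sub("", p)
    p = _CONTROLSET_RE.sub(r"system\\controlset\\", p)
    return p.replace(r"\wow6432node", "")


def parse_details(details: str) -> str | None:
    """Accept Sysmon's 'DWORD (0x00000001)' form or a bare/quoted integer."""
    m = _DWORD_RE.search(details.lower())
    if m:
        return str(int(m.group(1), 16))
    s = details.strip().strip('"')
    return s if s.isdigit() else None


@dataclass(frozen=True)
class Hit:
    pid: int
    image: str
    key: str
    value_name: str
    data: str


def match_event(ev: dict) -> Hit | None:
    """Return a Hit when the event sets one of the listed values to the bad data."""
    key, _, name = normalise_key(ev["target"]).rpartition("\\")
    expected = SUSPICIOUS_VALUES.get((key, name))
    if expected is None or parse_details(ev["details"]) != expected:
        return None
    return Hit(ev["pid"], ev["image"], key, name, expected)


def triage(events: list[dict]) -> dict[int, list[Hit]]:
    """Group matching writes by the process that made them."""
    hits: dict[int, list[Hit]] = defaultdict(list)
    for ev in events:
        h = match_event(ev)
        if h is not None:
            hits[h.pid].append(h)
    return dict(hits)


def verdict(hits_by_pid: dict[int, list[Hit]], threshold: int = 3) -> dict[int, str]:
    """One write may be an admin script; several distinct values from the same
    process is the pattern the report shows for e57af2c.exe and e57ca93.exe."""
    return {pid: "high" if len({(h.key, h.value_name) for h in hs}) >= threshold else "low"
            for pid, hs in hits_by_pid.items()}


# Constructed Sysmon-style (Event ID 13) records; PIDs and images mirror the report.
_FWP = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 2060, "image": _TMP + r"\e57af2c.exe", "target": _FWP + r"\EnableFirewall", "details": "DWORD (0x00000000)"},
    {"pid": 2060, "image": _TMP + r"\e57af2c.exe", "target": _FWP + r"\DisableNotifications", "details": "DWORD (0x00000001)"},
    {"pid": 2060, "image": _TMP + r"\e57af2c.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "details": "DWORD (0x00000000)"},
    {"pid": 2060, "image": _TMP + r"\e57af2c.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride", "details": "DWORD (0x00000001)"},
    {"pid": 3200, "image": _TMP + r"\e57ca93.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify", "details": '"1"'},
    # Benign: group policy re-enabling UAC, and an unrelated Run key.
    {"pid": 4444, "image": r"C:\Windows\System32\gpscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "details": "DWORD (0x00000001)"},
    {"pid": 4444, "image": r"C:\Windows\System32\gpscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", "details": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for pid, level in verdict(hits).items():
        print(pid, level, sorted((h.value_name, h.data) for h in hits[pid]))
```

The same normalised key list can be pasted into an EDR or SIEM query; the point of normalising is that the sandbox records the paths as \REGISTRY\MACHINE\...\ControlSet001 and \SOFTWARE\WOW6432Node, while Sysmon on a 64-bit host logs HKLM\...\CurrentControlSet and the redirected path, so a naive string match on either form misses the other.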
Processes
- C:\Windows\system32\fontdrvhost.exe, PID 760
  command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe, PID 768
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe, PID 64
  command line: "dwm.exe"
- C:\Windows\system32\sihost.exe, PID 2496
  command line: sihost.exe
- C:\Windows\system32\svchost.exe, PID 2516
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe, PID 2800
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE, PID 3520
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe, PID 3012
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85ae768c13ec6fd40f30c0d0cc0356befb50786e3d300ce0b78eafb3aa95b564.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe, PID 2176
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85ae768c13ec6fd40f30c0d0cc0356befb50786e3d300ce0b78eafb3aa95b564.dll,#1
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57af2c.exe, PID 2060
        command line: C:\Users\Admin\AppData\Local\Temp\e57af2c.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57b045.exe, PID 820
        command line: C:\Users\Admin\AppData\Local\Temp\e57b045.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57ca74.exe, PID 1168
        command line: C:\Users\Admin\AppData\Local\Temp\e57ca74.exe
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57ca93.exe, PID 3200
        command line: C:\Users\Admin\AppData\Local\Temp\e57ca93.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe, PID 3688
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe, PID 3864
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, PID 4020
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe, PID 4084
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, PID 816
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe, PID 4120
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, PID 724
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe, PID 4524
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
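The tree above is the chain worth alerting on: rundll32.exe calling export #1 of a DLL in the user's Temp directory, a 32-bit rundll32.exe under it, four executables dropped into the same Temp directory, and those executables writing into fontdrvhost.exe, dwm.exe, Explorer.EXE and the other system processes listed under "Suspicious use of WriteProcessMemory". The Python below is an added example, not part of the report or of tria.ge: it rebuilds the tree from process-creation records, tags the rundll32 loader and its Temp-resident descendants, and reports memory writes from that set into system images. The records (PIDs, images, command lines and write pairs) are constructed to mirror the report, and a benign rundll32 invocation is included to show what does not match.

```python
"""Rebuild a process tree from creation events and flag a rundll32-from-Temp
launch chain plus cross-process writes from it into system processes."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = parent not recorded
    image: str
    cmdline: str


TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# rundll32.exe <path>.dll,#<ordinal>  (export called by ordinal, as in the report)
RUNDLL_ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(.+?\.dll)"?,#\d+', re.I)
# Images a user-land dropper has no business writing into.
SYSTEM_IMAGE_RE = re.compile(r"^c:\\windows\\(system32|syswow64|explorer\.exe)", re.I)


def ancestors(procs: dict[int, Proc], pid: int) -> list[int]:
    """Parent chain of pid, nearest first; stops at unknown PIDs or a cycle."""
    chain: list[int] = []
    p = procs.get(pid)
    while p is not None and p.ppid not in chain and p.ppid != pid:
        chain.append(p.ppid)
        p = procs.get(p.ppid)
    return chain


def analyse(proc_list: list[Proc], writes: list[tuple[int, int]]) -> dict:
    procs = {p.pid: p for p in proc_list}

    # 1. rundll32 invoking an export by ordinal from a DLL under the user's Temp
    loaders: set[int] = set()
    for p in procs.values():
        m = RUNDLL_ORDINAL_RE.search(p.cmdline)
        if m and TEMP_RE.search(m.group(1)):
            loaders.add(p.pid)

    # 2. executables running from Temp whose ancestry passes through such a rundll32
    dropped = {
        p.pid for p in procs.values()
        if TEMP_RE.search(p.image) and loaders & set(ancestors(procs, p.pid))
    }

    # 3. memory writes from the chain into system processes outside the chain
    chain = loaders | dropped
    injections = set()
    for src, dst in writes:
        tgt = procs.get(dst)
        if src in chain and dst not in chain and tgt and SYSTEM_IMAGE_RE.match(tgt.image):
            injections.add((src, dst, tgt.image))

    return {"loaders": sorted(loaders), "dropped": sorted(dropped),
            "injections": sorted(injections)}


# Constructed records modelled on the report's process tree (not sandbox output).
_DLL = r"C:\Users\Admin\AppData\Local\Temp\85ae768c13ec6fd40f30c0d0cc0356befb50786e3d300ce0b78eafb3aa95b564.dll"
_TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PROCS = [
    Proc(760, 0, r"C:\Windows\system32\fontdrvhost.exe", '"fontdrvhost.exe"'),
    Proc(64, 0, r"C:\Windows\system32\dwm.exe", '"dwm.exe"'),
    Proc(2800, 0, r"C:\Windows\system32\taskhostw.exe", "taskhostw.exe"),
    Proc(3520, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(3012, 3520, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {_DLL},#1"),
    Proc(2176, 3012, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {_DLL},#1"),
    Proc(2060, 2176, _TMP + r"\e57af2c.exe", _TMP + r"\e57af2c.exe"),
    Proc(820, 2176, _TMP + r"\e57b045.exe", _TMP + r"\e57b045.exe"),
    Proc(1168, 2176, _TMP + r"\e57ca74.exe", _TMP + r"\e57ca74.exe"),
    Proc(3200, 2176, _TMP + r"\e57ca93.exe", _TMP + r"\e57ca93.exe"),
    # Benign: a Control Panel applet launched by export name from System32, and its child.
    Proc(5000, 3520, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
    Proc(5001, 5000, r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]
# (writer PID, target PID) pairs, as in the report's WriteProcessMemory table.
SAMPLE_WRITES = [(3012, 2176), (2176, 2060), (2060, 760), (2060, 64), (2060, 3520),
                 (2060, 3012), (3200, 760), (3200, 2800), (5000, 5001)]

if __name__ == "__main__":
    for k, v in analyse(SAMPLE_PROCS, SAMPLE_WRITES).items():
        print(k, v)
```

On a real host the write pairs come from telemetry rather than a sandbox table: Sysmon has no WriteProcessMemory event, so the usual proxies are Event ID 10 (ProcessAccess, where the GrantedAccess mask includes PROCESS_VM_WRITE 0x20 and PROCESS_VM_OPERATION 0x8) and Event ID 8 (CreateRemoteThread). Writes into processes that are themselves part of the chain (rundll32 into its own children here) are deliberately ignored so the output lists only the injection targets.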
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: aeedaa4ab3ec0bb5dc1871d489a38547
  SHA1: 22b183f00b9ffba0723481262b22228a66099e73
  SHA256: 47db4fb291a3ea9bec3d18b293ea41fe2b34d0b63bd2de8a055c1325ce2eea9b
  SHA512: 2ab218dd78c8d6abcd9de618211e71f91abe01b1f21fd13f7da844a95d5965d8b847b70e54af65068ff7651bc29a46df4ecaf54a8bfcd119a4fd94efa21b4e6f
- Filesize: 257B
  MD5: 1ae5f89a22200b445bcd0ab45bbacf35
  SHA1: 5085e6b1c16a6aed8195fbf0df50a49a3f0bdbb1
  SHA256: 170f80fe8e945e4061fbf5957280f7cac10688dd00dceb8f3bbda8d637d1aec2
  SHA512: 8e75d4ca79196c61708c7328b170ddb87a6894f484bbe7599754d25c3ce2a906a0a13be26ce7273ac5eb679f5ed453431bf94c908640d2f954fd154d4d00cffd