Analysis
- max time kernel: 11s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 08:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Resource: win7-20240903-en
General
- Target: e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Size: 196KB
- MD5: 1437986dcc72bff639730b5ddcd5c4e0
- SHA1: 24efe4c5205aad98429b396d808ee0ae569509bb
- SHA256: e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abf
- SHA512: 9921904331e31a0bd1a7acae2da2d98a76a4b418119b699624c0e23ceea913a7362e1bb80ea3dd67cd0bf7f9aed27d6305783270494a47ce75467007f3394fbe
- SSDEEP: 3072:habfe4OIN3HWlSSUGtic36N2lQBV+UdE+rECWp7hKeNSe:hEeK4SJGtDKxBV+UdvrEFp7hKm
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Floxif family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70273\\Ja301365bLay.com\"" | EmangEloh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\TuxO17171Z.exe\"" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70273\\Ja301365bLay.com\"" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\TuxO17171Z.exe\"" | smss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70273\\Ja301365bLay.com\"" | smss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\TuxO17171Z.exe\"" | EmangEloh.exe
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | EmangEloh.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | EmangEloh.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Sality family

description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Detects Floxif payload (1 IoCs)
resource | yara_rule
- behavioral1/files/0x000d000000012276-3.dat | floxif
Disables RegEdit via registry modification (3 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | EmangEloh.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 12 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | smss.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" | smss.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | smss.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | EmangEloh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | EmangEloh.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | EmangEloh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" | EmangEloh.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" | winlogon.exe
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
resource | yara_rule
- behavioral1/files/0x000d000000012276-3.dat | acprotect
Deletes itself (1 IoCs)
pid | Process
- 1728 | winlogon.exe
Drops startup file (5 IoCs)
description | ioc | Process
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd | EmangEloh.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd | winlogon.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd | service.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd | smss.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 2668 | service.exe
- 2652 | smss.exe
- 2708 | EmangEloh.exe
- 1728 | winlogon.exe
Loads dropped DLL (15 IoCs)
pid | Process
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2668 | service.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2652 | smss.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2708 | EmangEloh.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 1728 | winlogon.exe
- 1728 | winlogon.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\56273280417l.exe" | smss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z627 = "C:\\Windows\\sa-200622.exe" | smss.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\56273280417l.exe" | EmangEloh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z627 = "C:\\Windows\\sa-200622.exe" | EmangEloh.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\56273280417l.exe" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z627 = "C:\\Windows\\sa-200622.exe" | winlogon.exe
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe -
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\x: | smss.exe
- File opened (read-only) | \??\v: | EmangEloh.exe
- File opened (read-only) | \??\w: | EmangEloh.exe
- File opened (read-only) | \??\H: | winlogon.exe
- File opened (read-only) | \??\I: | winlogon.exe
- File opened (read-only) | \??\i: | smss.exe
- File opened (read-only) | \??\y: | smss.exe
- File opened (read-only) | \??\N: | EmangEloh.exe
- File opened (read-only) | \??\j: | smss.exe
- File opened (read-only) | \??\r: | smss.exe
- File opened (read-only) | \??\e: | EmangEloh.exe
- File opened (read-only) | \??\g: | winlogon.exe
- File opened (read-only) | \??\N: | winlogon.exe
- File opened (read-only) | \??\r: | EmangEloh.exe
- File opened (read-only) | \??\q: | winlogon.exe
- File opened (read-only) | \??\r: | winlogon.exe
- File opened (read-only) | \??\N: | smss.exe
- File opened (read-only) | \??\y: | EmangEloh.exe
- File opened (read-only) | \??\o: | winlogon.exe
- File opened (read-only) | \??\u: | winlogon.exe
- File opened (read-only) | \??\v: | winlogon.exe
- File opened (read-only) | \??\g: | smss.exe
- File opened (read-only) | \??\m: | smss.exe
- File opened (read-only) | \??\q: | EmangEloh.exe
- File opened (read-only) | \??\z: | winlogon.exe
- File opened (read-only) | \??\p: | smss.exe
- File opened (read-only) | \??\q: | smss.exe
- File opened (read-only) | \??\o: | EmangEloh.exe
- File opened (read-only) | \??\z: | EmangEloh.exe
- File opened (read-only) | \??\j: | winlogon.exe
- File opened (read-only) | \??\m: | winlogon.exe
- File opened (read-only) | \??\s: | winlogon.exe
- File opened (read-only) | \??\z: | smss.exe
- File opened (read-only) | \??\k: | EmangEloh.exe
- File opened (read-only) | \??\t: | EmangEloh.exe
- File opened (read-only) | \??\x: | EmangEloh.exe
- File opened (read-only) | \??\k: | winlogon.exe
- File opened (read-only) | \??\l: | winlogon.exe
- File opened (read-only) | \??\y: | winlogon.exe
- File opened (read-only) | \??\u: | smss.exe
- File opened (read-only) | \??\e: | smss.exe
- File opened (read-only) | \??\w: | winlogon.exe
- File opened (read-only) | \??\J: | winlogon.exe
- File opened (read-only) | \??\h: | smss.exe
- File opened (read-only) | \??\x: | winlogon.exe
- File opened (read-only) | \??\k: | smss.exe
- File opened (read-only) | \??\h: | EmangEloh.exe
- File opened (read-only) | \??\l: | EmangEloh.exe
- File opened (read-only) | \??\s: | EmangEloh.exe
- File opened (read-only) | \??\h: | winlogon.exe
- File opened (read-only) | \??\t: | winlogon.exe
- File opened (read-only) | \??\G: | winlogon.exe
- File opened (read-only) | \??\v: | smss.exe
- File opened (read-only) | \??\w: | smss.exe
- File opened (read-only) | \??\g: | EmangEloh.exe
- File opened (read-only) | \??\i: | EmangEloh.exe
- File opened (read-only) | \??\j: | EmangEloh.exe
- File opened (read-only) | \??\o: | smss.exe
- File opened (read-only) | \??\s: | smss.exe
- File opened (read-only) | \??\m: | EmangEloh.exe
- File opened (read-only) | \??\i: | winlogon.exe
- File opened (read-only) | \??\t: | smss.exe
- File opened (read-only) | \??\p: | EmangEloh.exe
- File opened (read-only) | \??\e: | winlogon.exe
Drops file in System32 directory (22 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\56273280417l.exe | EmangEloh.exe
- File opened for modification | C:\Windows\SysWOW64\56273280417l.exe | EmangEloh.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | service.exe
- File created | C:\Windows\SysWOW64\56273280417l.exe | service.exe
- File created | C:\Windows\SysWOW64\56273280417l.exe | smss.exe
- File opened for modification | C:\Windows\SysWOW64\X05778go\Z562732cie.cmd | EmangEloh.exe
- File opened for modification | C:\Windows\SysWOW64\X05778go\Z562732cie.cmd | winlogon.exe
- File created | C:\Windows\SysWOW64\56273280417l.exe | winlogon.exe
- File created | \??\c:\Windows\SysWOW64\IME\shared\Lagu - Server .scr | service.exe
- File opened for modification | C:\Windows\SysWOW64\562732080417l.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Windows\SysWOW64\X05778go\Z562732cie.cmd | service.exe
- File opened for modification | C:\Windows\SysWOW64\X05778go\Z562732cie.cmd | smss.exe
- File opened for modification | C:\Windows\SysWOW64\56273280417l.exe | smss.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | EmangEloh.exe
- File opened for modification | C:\Windows\SysWOW64\56273280417l.exe | winlogon.exe
- File opened for modification | \??\c:\Windows\SysWOW64\IME\shared\Lagu - Server .scr | service.exe
- File created | C:\Windows\SysWOW64\X05778go\Z562732cie.cmd | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File created | C:\Windows\SysWOW64\562732080417l.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Windows\SysWOW64\56273280417l.exe | service.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | winlogon.exe
Drops file in Program Files directory (16 IoCs)
description | ioc | Process
- File created | C:\Program Files\Common Files\System\symsrv.dll | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File created | \??\c:\Program Files\Common Files\Microsoft Shared\Blink 182 .exe | service.exe
- File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\Norman virus Control 5.18 .exe | service.exe
- File opened for modification | \??\c:\Program Files (x86)\Google\Update\Download\Gallery .scr | service.exe
- File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Blink 182 .exe | service.exe
- File opened for modification | \??\c:\Program Files\DVD Maker\Shared\Norman virus Control 5.18 .exe | service.exe
- File created | \??\c:\program files\common files\system\symsrv.dll.000 | smss.exe
- File created | \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe | service.exe
- File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\Norman virus Control 5.18 .exe | service.exe
- File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Windows Vista setup .scr | service.exe
- File created | \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\TutoriaL HAcking .exe | service.exe
- File created | \??\c:\Program Files\DVD Maker\Shared\Norman virus Control 5.18 .exe | service.exe
- File opened for modification | \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe | service.exe
- File created | \??\c:\Program Files (x86)\Google\Update\Download\Gallery .scr | service.exe
- File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Windows Vista setup .scr | service.exe
- File opened for modification | \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\TutoriaL HAcking .exe | service.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\sa-200622.exe | smss.exe
- File opened for modification | C:\Windows\sa-200622.exe | EmangEloh.exe
- File opened for modification | C:\Windows\M70273\EmangEloh.exe | winlogon.exe
- File opened for modification | C:\Windows\Ti80417ta.exe | winlogon.exe
- File created | C:\Windows\M70273\smss.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File created | C:\Windows\M70273\smss.exe | service.exe
- File opened for modification | C:\Windows\M70273\EmangEloh.exe | smss.exe
- File created | \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Lagu - Server .scr | service.exe
- File opened for modification | C:\Windows\M70273\Ja301365bLay.com | service.exe
- File opened for modification | C:\Windows\M70273\Ja301365bLay.com | smss.exe
- File created | \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Data DosenKu .exe | service.exe
- File created | C:\Windows\M70273\EmangEloh.exe | winlogon.exe
- File created | C:\Windows\sa-200622.exe | winlogon.exe
- File opened for modification | C:\Windows\[TheMoonlight].txt | winlogon.exe
- File created | \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Lagu - Server .scr | service.exe
- File opened for modification | C:\Windows\M70273 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Windows\M70273\Ja301365bLay.com | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Windows\Ti80417ta.exe | EmangEloh.exe
- File created | C:\Windows\M70273\Ja301365bLay.com | EmangEloh.exe
- File opened for modification | C:\Windows\M70273\Ja301365bLay.com | EmangEloh.exe
- File opened for modification | C:\Windows\M70273\Ja301365bLay.com | winlogon.exe
- File opened for modification | \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Data DosenKu .exe | service.exe
- File created | C:\Windows\sa-200622.exe | smss.exe
- File opened for modification | C:\Windows\Ti80417ta.exe | smss.exe
- File created | C:\Windows\sa-200622.exe | EmangEloh.exe
- File created | \??\c:\Windows\ServiceProfiles\LocalService\Downloads\THe Best Ungu .scr | service.exe
- File opened for modification | \??\c:\Windows\ServiceProfiles\LocalService\Downloads\THe Best Ungu .scr | service.exe
- File opened for modification | \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Lagu - Server .scr | service.exe
- File opened for modification | C:\Windows\system\msvbvm60.dll | service.exe
- File created | C:\Windows\M70273\smss.exe | smss.exe
- File opened for modification | C:\Windows\M70273\EmangEloh.exe | EmangEloh.exe
- File created | \??\c:\Windows\Downloaded Program Files\New mp3 BaraT !! .exe | service.exe
- File opened for modification | C:\Windows\sa-200622.exe | winlogon.exe
- File opened for modification | C:\Windows\M70273 | smss.exe
- File opened for modification | C:\Windows\[TheMoonlight].txt | EmangEloh.exe
- File opened for modification | C:\Windows\system\msvbvm60.dll | winlogon.exe
- File opened for modification | \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Lagu - Server .scr | service.exe
- File created | C:\Windows\M70273\EmangEloh.exe | EmangEloh.exe
- File opened for modification | C:\Windows\M70273 | winlogon.exe
- File created | C:\Windows\M70273\Ja301365bLay.com | winlogon.exe
- File opened for modification | C:\Windows\M70273 | service.exe
- File created | C:\Windows\M70273\EmangEloh.exe | service.exe
- File opened for modification | C:\Windows\Ti80417ta.exe | service.exe
- File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
- File opened for modification | C:\Windows\system\msvbvm60.dll | EmangEloh.exe
- File opened for modification | C:\Windows\system\msvbvm60.dll | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File created | C:\Windows\M70273\EmangEloh.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Windows\Ti080417ta.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | \??\c:\Windows\SoftwareDistribution\Download\Blink 182 .exe | service.exe
- File created | C:\Windows\M70273\smss.exe | EmangEloh.exe
- File opened for modification | C:\Windows\M70273\EmangEloh.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File opened for modification | C:\Windows\sa-200622.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File created | C:\Windows\[TheMoonlight].txt | smss.exe
- File opened for modification | C:\Windows\sa-200622.exe | service.exe
- File created | C:\Windows\M70273\smss.exe | winlogon.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File created | C:\Windows\Ti080417ta.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- File created | C:\Windows\sa-200622.exe | service.exe
- File created | \??\c:\Windows\SoftwareDistribution\Download\Blink 182 .exe | service.exe
- File created | C:\Windows\Ti80417ta.exe | service.exe
- File opened for modification | C:\Windows\M70273\EmangEloh.exe | service.exe
- File created | C:\Windows\Ti80417ta.exe | EmangEloh.exe
- File created | C:\Windows\Ti80417ta.exe | winlogon.exe
- File created | C:\Windows\sa-200622.exe | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EmangEloh.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Modifies registry class (6 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | smss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | smss.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | EmangEloh.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | EmangEloh.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | winlogon.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2652 | smss.exe
- 1728 | winlogon.exe
- 1728 | winlogon.exe
- 2708 | EmangEloh.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Token: SeDebugPrivilege | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- Token: SeDebugPrivilege | 2668 | service.exe
- Token: SeDebugPrivilege | 2652 | smss.exe
- Token: SeDebugPrivilege | 2708 | EmangEloh.exe
- Token: SeDebugPrivilege | 1728 | winlogon.exe
- Token: SeDebugPrivilege | 1728 | winlogon.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
- 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
- 2668 | service.exe
- 2652 | smss.exe
- 2708 | EmangEloh.exe
- 1728 | winlogon.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
- PID 2348 wrote to memory of 1108 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 19
- PID 2348 wrote to memory of 1172 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 20
- PID 2348 wrote to memory of 1196 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 21
- PID 2348 wrote to memory of 2028 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 23
- PID 2348 wrote to memory of 2668 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 30
- PID 2348 wrote to memory of 2668 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 30
- PID 2348 wrote to memory of 2668 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 30
- PID 2348 wrote to memory of 2668 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 30
- PID 2348 wrote to memory of 2652 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 31
- PID 2348 wrote to memory of 2652 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 31
- PID 2348 wrote to memory of 2652 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 31
- PID 2348 wrote to memory of 2652 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 31
- PID 2348 wrote to memory of 2708 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 32
- PID 2348 wrote to memory of 2708 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 32
- PID 2348 wrote to memory of 2708 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 32
- PID 2348 wrote to memory of 2708 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 32
- PID 2348 wrote to memory of 1728 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 33
- PID 2348 wrote to memory of 1728 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 33
- PID 2348 wrote to memory of 1728 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 33
- PID 2348 wrote to memory of 1728 | 2348 | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe | 33
- PID 1728 wrote to memory of 1108 | 1728 | winlogon.exe | 19
- PID 1728 wrote to memory of 1172 | 1728 | winlogon.exe | 20
- PID 1728 wrote to memory of 1196 | 1728 | winlogon.exe | 21
- PID 1728 wrote to memory of 2028 | 1728 | winlogon.exe | 23
- PID 1728 wrote to memory of 2668 | 1728 | winlogon.exe | 30
- PID 1728 wrote to memory of 2668 | 1728 | winlogon.exe | 30
- PID 1728 wrote to memory of 2652 | 1728 | winlogon.exe | 31
- PID 1728 wrote to memory of 2652 | 1728 | winlogon.exe | 31
- PID 1728 wrote to memory of 2708 | 1728 | winlogon.exe | 32
- PID 1728 wrote to memory of 2708 | 1728 | winlogon.exe | 32
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
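The WriteProcessMemory table above lists 30 writes but does not say which of them matter: writing into a process you just spawned (the dropped service.exe, smss.exe, EmangEloh.exe and winlogon.exe) is how a dropper stages its own components, while writing into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, which were running before the sample started, is injection into pre-existing system processes. The script below is an added example, not part of the tria.ge report: it parses the IoC text as extracted from the page (entries run together on one line), joins it with the PID-to-image mapping constructed from the Processes tree below, classifies each target as own child, sibling in the malware tree, or pre-existing process, and separately flags dropped files that borrow Windows system binary names (smss.exe, winlogon.exe) outside their legitimate directories. The expected-directory table is an assumption about a default Windows 7 layout.

```python
"""Classify a Triage report's WriteProcessMemory IoCs by target (added example)."""
import ntpath
import re
from collections import defaultdict

SAMPLE = "e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe"

# IoC text as extracted from the report page, entries run together; {S} = sample name.
IOC_TEXT = """
PID 2348 wrote to memory of 1108 2348 {S} 19 PID 2348 wrote to memory of 1172 2348 {S} 20
PID 2348 wrote to memory of 1196 2348 {S} 21 PID 2348 wrote to memory of 2028 2348 {S} 23
PID 2348 wrote to memory of 2668 2348 {S} 30 PID 2348 wrote to memory of 2668 2348 {S} 30
PID 2348 wrote to memory of 2668 2348 {S} 30 PID 2348 wrote to memory of 2668 2348 {S} 30
PID 2348 wrote to memory of 2652 2348 {S} 31 PID 2348 wrote to memory of 2652 2348 {S} 31
PID 2348 wrote to memory of 2652 2348 {S} 31 PID 2348 wrote to memory of 2652 2348 {S} 31
PID 2348 wrote to memory of 2708 2348 {S} 32 PID 2348 wrote to memory of 2708 2348 {S} 32
PID 2348 wrote to memory of 2708 2348 {S} 32 PID 2348 wrote to memory of 2708 2348 {S} 32
PID 2348 wrote to memory of 1728 2348 {S} 33 PID 2348 wrote to memory of 1728 2348 {S} 33
PID 2348 wrote to memory of 1728 2348 {S} 33 PID 2348 wrote to memory of 1728 2348 {S} 33
PID 1728 wrote to memory of 1108 1728 winlogon.exe 19 PID 1728 wrote to memory of 1172 1728 winlogon.exe 20
PID 1728 wrote to memory of 1196 1728 winlogon.exe 21 PID 1728 wrote to memory of 2028 1728 winlogon.exe 23
PID 1728 wrote to memory of 2668 1728 winlogon.exe 30 PID 1728 wrote to memory of 2668 1728 winlogon.exe 30
PID 1728 wrote to memory of 2652 1728 winlogon.exe 31 PID 1728 wrote to memory of 2652 1728 winlogon.exe 31
PID 1728 wrote to memory of 2708 1728 winlogon.exe 32 PID 1728 wrote to memory of 2708 1728 winlogon.exe 32
""".replace("{S}", SAMPLE)

# PID -> (image path, parent PID), constructed from the Processes tree of the report.
# Level-1 processes and the sample itself (whose parent the tree does not show) get None.
PROCESS_TREE = {
    1108: ("C:\\Windows\\system32\\taskhost.exe", None),
    1172: ("C:\\Windows\\system32\\Dwm.exe", None),
    1196: ("C:\\Windows\\Explorer.EXE", None),
    2028: ("C:\\Windows\\system32\\DllHost.exe", None),
    2348: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, None),
    2668: ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\service.exe", 2348),
    2652: ("C:\\Windows\\M70273\\smss.exe", 2348),
    2708: ("C:\\Windows\\M70273\\EmangEloh.exe", 2348),
    1728: ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\winlogon.exe", 2348),
}

# Assumption: where these binaries live on a default Windows 7 install (lower-cased).
EXPECTED_DIR = {
    "smss.exe": "c:\\windows\\system32", "winlogon.exe": "c:\\windows\\system32",
    "taskhost.exe": "c:\\windows\\system32", "dwm.exe": "c:\\windows\\system32",
    "dllhost.exe": "c:\\windows\\system32", "explorer.exe": "c:\\windows",
}

# description, pid, Process, procid_target columns as Triage prints them.
IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_writes(text):
    """Return (writer_pid, target_pid, writer_image) tuples; tolerates run-together text."""
    writes = []
    for writer, target, pid_col, image, _procid in IOC_RE.findall(text):
        if writer != pid_col:  # description and pid column disagree: damaged extraction
            raise ValueError(f"inconsistent entry: PID {writer} vs pid column {pid_col}")
        writes.append((int(writer), int(target), image))
    return writes


def malware_tree_pids(tree, root):
    """PIDs of root plus everything it transitively spawned, per the process tree."""
    family, changed = {root}, True
    while changed:
        changed = False
        for pid, (_path, parent) in tree.items():
            if parent in family and pid not in family:
                family.add(pid)
                changed = True
    return family


def classify_writes(writes, tree, root):
    """Per writer: target image names grouped as own child, sibling in the malware
    tree, or pre-existing process the malware did not start (cross-process injection)."""
    family = malware_tree_pids(tree, root)
    out = defaultdict(lambda: {"child": set(), "sibling": set(), "preexisting": set()})
    for writer, target, _image in writes:
        path, parent = tree[target]
        bucket = "child" if parent == writer else "sibling" if target in family else "preexisting"
        out[writer][bucket].add(ntpath.basename(path))
    return {w: {k: sorted(v) for k, v in b.items()} for w, b in out.items()}


def masquerading(tree):
    """PIDs whose image name is a Windows system binary but whose directory is not the real one."""
    hits = []
    for pid, (path, _parent) in tree.items():
        want = EXPECTED_DIR.get(ntpath.basename(path).lower())
        if want and ntpath.dirname(path).lower() != want:
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    writes = parse_writes(IOC_TEXT)
    for writer, buckets in classify_writes(writes, PROCESS_TREE, 2348).items():
        print(writer, ntpath.basename(PROCESS_TREE[writer][0]), buckets)
    print("system binary names outside their directory:", masquerading(PROCESS_TREE))
```

On the report's data both writers (the sample and the dropped winlogon.exe) hit the same four pre-existing processes; the dropped winlogon.exe also writes into its siblings rather than children, which is consistent with components coordinating after launch rather than a parent staging a child. The masquerade check returns the dropped smss.exe and winlogon.exe, both outside C:\Windows\System32.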
Processes
-
C:\Windows\system32\taskhost.exe "taskhost.exe" (level 1) PID:1108
-
C:\Windows\system32\Dwm.exe "C:\Windows\system32\Dwm.exe" (level 1) PID:1172
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE (level 1) PID:1196
-
C:\Users\Admin\AppData\Local\Temp\e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe "C:\Users\Admin\AppData\Local\Temp\e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe" (level 2)
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2348 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\service.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\service.exe" (level 3)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2668
-
-
C:\Windows\M70273\smss.exe "C:\Windows\M70273\smss.exe" (level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2652
-
-
C:\Windows\M70273\EmangEloh.exe "C:\Windows\M70273\EmangEloh.exe" (level 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\winlogon.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\winlogon.exe" (level 3)
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1728
-
-
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1) PID:2028
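The process tree above attributes "Modifies WinLogon for persistence", "UAC bypass" and "System policy modification" to the dropped components, and the System policy IoCs show EnableLUA being set to 0. A host check for exactly this tampering is the thing a responder wants next. The script below is an added example, not part of the tria.ge report or of any tool it mentions: it splits the Winlogon Shell and Userinit values into their comma-separated entries (honouring quoted entries, which may contain commas and spaces), reports every entry beyond the stock explorer.exe / userinit.exe, and flags EnableLUA = 0. The sample values are constructed in the shape of this report's IoCs (the dropped-file paths are placeholders), the expected stock values are an assumption about a default Windows 7 install, and the optional live read uses winreg and therefore only runs on Windows, where it reads both the 64-bit and the 32-bit (Wow6432Node) view of the Winlogon key because a 32-bit dropper's writes land in the redirected view.

```python
"""Check Winlogon Shell/Userinit and EnableLUA for dropper tampering (added example)."""
import sys

# Assumption: stock values on a default Windows 7 install, compared case-insensitively.
# The trailing comma on Userinit is normal; either spelling of userinit is accepted.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {"c:\\windows\\system32\\userinit.exe", "userinit.exe"},
}

# Constructed in the shape of this report's IoCs; dropped-file names are placeholders.
TAMPERED_VALUES = {
    "Userinit": 'C:\\Windows\\system32\\userinit.exe , "C:\\Windows\\M70273\\dropped.com"',
    "Shell": 'explorer.exe, "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\dropped.exe"',
    "EnableLUA": 0,
}
CLEAN_VALUES = {
    "Userinit": "C:\\Windows\\system32\\userinit.exe,",
    "Shell": "explorer.exe",
    "EnableLUA": 1,
}


def split_winlogon_list(value):
    """Split a Shell/Userinit value into lower-cased entries.
    Entries are comma-separated; a double-quoted entry may itself contain commas."""
    entries, cur, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted          # quotes delimit, they are not part of the path
        elif ch == "," and not quoted:
            entries.append(cur)
            cur = ""
        else:
            cur += ch
    entries.append(cur)
    return [e.strip().lower() for e in entries if e.strip()]


def extra_entries(name, value):
    """Entries beyond the stock one: each is a program launched at every logon."""
    return [e for e in split_winlogon_list(value) if e not in EXPECTED[name]]


def assess(values):
    """values: registry value name -> data for Shell, Userinit and EnableLUA.
    Returns human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for name in ("Shell", "Userinit"):
        if name in values:
            for e in extra_entries(name, values[name]):
                findings.append(f"Winlogon\\{name} launches extra program: {e}")
    if values.get("EnableLUA") == 0:
        findings.append("UAC disabled: Policies\\System\\EnableLUA = 0")
    return findings


def read_live():
    """Windows only: read the real values from both registry views (64-bit and Wow6432Node).
    Returns {view_label: values_dict} so each view can be assessed separately."""
    import winreg
    views = {"64-bit": winreg.KEY_WOW64_64KEY, "32-bit (Wow6432Node)": winreg.KEY_WOW64_32KEY}
    result = {}
    for label, flag in views.items():
        values = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
                            0, winreg.KEY_READ | flag) as key:
            for name in ("Shell", "Userinit"):
                values[name] = winreg.QueryValueEx(key, name)[0]
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
                            0, winreg.KEY_READ | flag) as key:
            values["EnableLUA"] = winreg.QueryValueEx(key, "EnableLUA")[0]
        result[label] = values
    return result


if __name__ == "__main__":
    if sys.platform == "win32":
        for label, values in read_live().items():
            print(label, assess(values) or "clean")
    else:
        print("tampered sample:", assess(TAMPERED_VALUES))
        print("clean sample:", assess(CLEAN_VALUES))
```

The quote-aware split matters: a naive `value.split(",")` breaks on the space-padded comma the tampered Userinit value uses and on any quoted path containing a comma, and a check that only compares the whole string against "explorer.exe" misses nothing here but fails on hosts where a legitimate product has appended its own entry, which the per-entry report makes reviewable rather than binary.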
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - AppInit DLLs (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize 120KB
MD5 f5d015d85a20e76a31a0c0edb852c346
SHA1 9bcd858e1840bb15718ab0adae9e66b2a9f2f122
SHA256 af7f880b56a0a676d32369d8bcfb19cc4be633d8073e69feb0c42d7ecd8b0790
SHA512 727f8e373749ba7f7a155e75bf5f007039b15ff45be3fe3b4ed2a5bfd5892bef1112a3532c23f0752e702e11de66d3ba2a40cb612b287e8793470d25959a2ade
-
Filesize 196KB
MD5 1437986dcc72bff639730b5ddcd5c4e0
SHA1 24efe4c5205aad98429b396d808ee0ae569509bb
SHA256 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abf
SHA512 9921904331e31a0bd1a7acae2da2d98a76a4b418119b699624c0e23ceea913a7362e1bb80ea3dd67cd0bf7f9aed27d6305783270494a47ce75467007f3394fbe
-
Filesize 256B
MD5 21a3615cd4a7266d1d7a3c5f03bd616d
SHA1 12b172cd6edd5e2f7f10d042325b34c5f8ac0ee1
SHA256 df30e048a3af903c9dbb169e07eadf869fece3960c11f958a1bdeca7fef20fde
SHA512 e7fd6486a7d16bf7293be9c6c305d19723d13315e6cffafaebf5f11fc26e390010e25bd505c01ad336ccf11adc0a0e9d98d08b1c374ead4efaaf4c9ab32ceacd
-
Filesize 109B
MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8
-
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 67KB
MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab