Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
22s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 08:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
Resource
win7-20240903-en
windows7-x64
36 signatures
120 seconds
General
-
Target
e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe
-
Size
196KB
-
MD5
1437986dcc72bff639730b5ddcd5c4e0
-
SHA1
24efe4c5205aad98429b396d808ee0ae569509bb
-
SHA256
e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abf
-
SHA512
9921904331e31a0bd1a7acae2da2d98a76a4b418119b699624c0e23ceea913a7362e1bb80ea3dd67cd0bf7f9aed27d6305783270494a47ce75467007f3394fbe
-
SSDEEP
3072:habfe4OIN3HWlSSUGtic36N2lQBV+UdE+rECWp7hKeNSe:hEeK4SJGtDKxBV+UdvrEFp7hKm
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Floxif family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O41524Z\\TuxO41524Z.exe\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O41524Z\\TuxO41524Z.exe\"" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\"" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O41524Z\\TuxO41524Z.exe\"" winlogon.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" service.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" service.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" service.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" service.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" service.exe -
Detects Floxif payload 1 IoCs
resource yara_rule behavioral2/files/0x000d000000023b7c-3.dat floxif -
Disables RegEdit via registry modification 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000d000000023b7c-3.dat acprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe -
Deletes itself 1 IoCs
pid Process 3588 service.exe -
Drops startup file 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd smss.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd EmangEloh.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd winlogon.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd service.exe -
Executes dropped EXE 4 IoCs
pid Process 3588 service.exe 684 smss.exe 4344 EmangEloh.exe 4992 winlogon.exe -
Loads dropped DLL 1 IoCs
pid Process 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" service.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" service.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" service.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1136065TT4 = "C:\\Windows\\system32\\805165423741l.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-533065.exe" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1136065TT4 = "C:\\Windows\\system32\\805165423741l.exe" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-533065.exe" EmangEloh.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1136065TT4 = "C:\\Windows\\system32\\805165423741l.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-533065.exe" winlogon.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" service.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\w: EmangEloh.exe File opened (read-only) \??\j: winlogon.exe File opened (read-only) \??\v: winlogon.exe File opened (read-only) \??\N: EmangEloh.exe File opened (read-only) \??\t: EmangEloh.exe File opened (read-only) \??\J: service.exe File opened (read-only) \??\E: service.exe File opened (read-only) \??\H: service.exe File opened (read-only) \??\v: EmangEloh.exe File opened (read-only) \??\z: EmangEloh.exe File opened (read-only) \??\o: winlogon.exe File opened (read-only) \??\x: winlogon.exe File opened (read-only) \??\u: EmangEloh.exe File opened (read-only) \??\p: winlogon.exe File opened (read-only) \??\e: smss.exe File opened (read-only) \??\i: smss.exe File opened (read-only) \??\z: smss.exe File opened (read-only) \??\g: EmangEloh.exe File opened (read-only) \??\u: smss.exe File opened (read-only) \??\u: winlogon.exe File opened (read-only) \??\w: winlogon.exe File opened (read-only) \??\h: winlogon.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\r: smss.exe File opened (read-only) \??\y: EmangEloh.exe File opened (read-only) \??\g: winlogon.exe File opened (read-only) \??\o: EmangEloh.exe File opened (read-only) \??\l: smss.exe File opened (read-only) \??\t: smss.exe File opened (read-only) \??\h: EmangEloh.exe File opened (read-only) \??\k: EmangEloh.exe File opened (read-only) \??\m: smss.exe File opened (read-only) \??\p: EmangEloh.exe File opened (read-only) \??\e: EmangEloh.exe File opened (read-only) \??\e: winlogon.exe File opened (read-only) \??\i: winlogon.exe File opened (read-only) \??\l: winlogon.exe File opened (read-only) \??\o: smss.exe File opened (read-only) \??\p: smss.exe File opened (read-only) \??\w: smss.exe File opened (read-only) \??\x: smss.exe File opened (read-only) \??\s: winlogon.exe File opened (read-only) \??\y: winlogon.exe File opened (read-only) \??\z: winlogon.exe File opened (read-only) \??\y: smss.exe File opened (read-only) \??\s: EmangEloh.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\k: smss.exe File opened (read-only) \??\q: EmangEloh.exe File opened (read-only) \??\x: EmangEloh.exe File opened (read-only) \??\k: winlogon.exe File opened (read-only) \??\m: winlogon.exe File opened (read-only) \??\q: winlogon.exe File opened (read-only) \??\r: winlogon.exe File opened (read-only) \??\h: smss.exe File opened (read-only) \??\s: smss.exe File opened (read-only) \??\v: smss.exe File opened (read-only) \??\l: EmangEloh.exe File opened (read-only) \??\t: winlogon.exe File opened (read-only) \??\G: service.exe File opened (read-only) \??\g: smss.exe File opened (read-only) \??\j: smss.exe File opened (read-only) \??\m: EmangEloh.exe File opened (read-only) \??\r: EmangEloh.exe -
Drops file in System32 directory 32 IoCs
description ioc Process File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Gallery .scr service.exe File opened for modification C:\Windows\SysWOW64\805165423741l.exe e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File created C:\Windows\SysWOW64\805165423741l.exe service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll winlogon.exe File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe service.exe File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe service.exe File created C:\Windows\SysWOW64\X38112go\Z805165cie.cmd e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File created C:\Windows\SysWOW64\805165423741l.exe smss.exe File opened for modification C:\Windows\SysWOW64\X38112go\Z805165cie.cmd winlogon.exe File created \??\c:\Windows\SysWOW64\IME\SHARED\TutoriaL HAcking .exe service.exe File opened for modification C:\Windows\SysWOW64\805165423741l.exe service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll EmangEloh.exe File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Gallery .scr service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File opened for modification C:\Windows\SysWOW64\805165423741l.exe EmangEloh.exe File created \??\c:\Windows\SysWOW64\IME\SHARED\New mp3 BaraT !! .exe service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\805165423741l.exe winlogon.exe File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\TutoriaL HAcking .exe service.exe File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\New mp3 BaraT !! .exe service.exe File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Lagu - Server .scr service.exe File opened for modification C:\Windows\SysWOW64\X38112go\Z805165cie.cmd smss.exe File opened for modification C:\Windows\SysWOW64\805165423741l.exe smss.exe File opened for modification C:\Windows\SysWOW64\X38112go\Z805165cie.cmd EmangEloh.exe File created C:\Windows\SysWOW64\805165423741l.exe EmangEloh.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll service.exe File opened for modification C:\Windows\SysWOW64\X38112go\Z805165cie.cmd service.exe File created C:\Windows\SysWOW64\805165423741l.exe e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File created C:\Windows\SysWOW64\805165423741l.exe winlogon.exe File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Lagu - Server .scr service.exe -
resource yara_rule behavioral2/files/0x000d000000023b7c-3.dat upx behavioral2/memory/4032-4-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/4032-12-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-13-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-17-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-16-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-23-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-19-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-18-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-14-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-10-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-142-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/4032-177-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-186-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/4032-144-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/4032-143-0x0000000002A00000-0x0000000003A8E000-memory.dmp upx behavioral2/memory/3588-281-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-283-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-285-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-288-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-287-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-284-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-282-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-286-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-279-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-305-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-306-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-307-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-308-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-309-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-311-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-312-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-313-0x00000000030B0000-0x000000000413E000-memory.dmp upx behavioral2/memory/3588-314-0x00000000030B0000-0x000000000413E000-memory.dmp upx -
Drops file in Program Files directory 28 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\Updates\Download\RaHasIA .exe service.exe File created \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Data DosenKu .exe service.exe File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Data DosenKu .exe service.exe File opened for modification \??\c:\Program Files\dotnet\shared\New mp3 BaraT !! .exe service.exe File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Love Song .scr service.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Blink 182 .exe service.exe File opened for modification \??\c:\Program Files\Microsoft Office\Updates\Download\RaHasIA .exe service.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Blink 182 .exe service.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Love Song .scr service.exe File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\TutoriaL HAcking .exe service.exe File created \??\c:\Program Files (x86)\Google\Update\Download\Blink 182 .exe service.exe File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Windows Vista setup .scr service.exe File created \??\c:\Program Files\Common Files\microsoft shared\New mp3 BaraT !! .exe service.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Windows Vista setup .scr service.exe File created \??\c:\Program Files\dotnet\shared\New mp3 BaraT !! .exe service.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Love Song .scr service.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\TutoriaL HAcking .exe service.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Norman virus Control 5.18 .exe service.exe File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\TutoriaL HAcking .exe service.exe File created C:\Program Files\Common Files\System\symsrv.dll e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\New mp3 BaraT !! .exe service.exe File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\TutoriaL HAcking .exe service.exe File created \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Data DosenKu .exe service.exe File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Windows Vista setup .scr service.exe File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Windows Vista setup .scr service.exe File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Norman virus Control 5.18 .exe service.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\Blink 182 .exe service.exe File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Love Song .scr service.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\RaHasIA .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\Lagu - Server .scr service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\Gallery .scr service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\Blink 182 .exe service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\THe Best Ungu .scr service.exe File created C:\Windows\Ti423741ta.exe e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File opened for modification C:\Windows\M13616\EmangEloh.exe EmangEloh.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\Titip Folder Jangan DiHapus .exe service.exe File created C:\Windows\M13616\EmangEloh.exe EmangEloh.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\Data DosenKu .exe service.exe File created C:\Windows\Ti423741ta.exe winlogon.exe File created C:\Windows\M13616\Ja634608bLay.com EmangEloh.exe File created \??\c:\Windows\InputMethod\SHARED\THe Best Ungu .scr service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\RaHasIA .exe service.exe File created C:\Windows\Ti423741ta.exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\Blink 182 .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\Titip Folder Jangan DiHapus .exe service.exe File created C:\Windows\M13616\smss.exe smss.exe File created \??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\Lagu - Server .scr service.exe File created C:\Windows\sa-533065.exe EmangEloh.exe File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\Blink 182 .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\TutoriaL HAcking .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\THe Best Ungu .scr service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\Titip Folder Jangan DiHapus .exe service.exe File opened for modification C:\Windows\M13616\Ja634608bLay.com EmangEloh.exe File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\Love Song .scr service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\Norman virus Control 5.18 .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\THe Best Ungu .scr service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\THe Best Ungu .scr service.exe File opened for modification \??\c:\Windows\Downloaded Program Files\Norman virus Control 5.18 .exe service.exe File created \??\c:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\Love Song .scr service.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\M13616\Ja634608bLay.com smss.exe File created C:\Windows\Ti423741ta.exe EmangEloh.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\THe Best Ungu .scr service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\Gallery .scr service.exe File created C:\Windows\M13616\Ja634608bLay.com service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\TutoriaL HAcking .exe service.exe File created \??\c:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\Lagu - Server .scr service.exe File created C:\Windows\M13616\EmangEloh.exe service.exe File created \??\c:\Windows\SoftwareDistribution\Download\THe Best Ungu .scr service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\Windows Vista setup .scr service.exe File opened for modification C:\Windows\M13616\Ja634608bLay.com e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\Norman virus Control 5.18 .exe service.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\Titip Folder Jangan DiHapus .exe service.exe File opened for modification C:\Windows\[TheMoonlight].txt winlogon.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\Blink 182 .exe service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\New mp3 BaraT !! .exe service.exe File created C:\Windows\M13616\smss.exe service.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\Data DosenKu .exe service.exe File created \??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\Norman virus Control 5.18 .exe service.exe File opened for modification C:\Windows\sa-533065.exe service.exe File opened for modification C:\Windows\M13616 smss.exe File opened for modification C:\Windows\M13616 EmangEloh.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\Titip Folder Jangan DiHapus .exe service.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EmangEloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe -
Modifies registry class 7 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" winlogon.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 3588 service.exe 3588 service.exe 3588 service.exe 3588 service.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe Token: SeDebugPrivilege 3588 service.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 3588 service.exe 684 smss.exe 4344 EmangEloh.exe 4992 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4032 wrote to memory of 784 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 8 PID 4032 wrote to memory of 792 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 9 PID 4032 wrote to memory of 332 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 13 PID 4032 wrote to memory of 2648 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 44 PID 4032 wrote to memory of 2660 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 45 PID 4032 wrote to memory of 2816 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 50 PID 4032 wrote to memory of 3368 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 56 PID 4032 wrote to memory of 3540 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 57 PID 4032 wrote to memory of 3764 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 58 PID 4032 wrote to memory of 3852 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 59 PID 4032 wrote to memory of 3912 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 60 PID 4032 wrote to memory of 4004 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 61 PID 4032 wrote to memory of 3424 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 62 PID 4032 wrote to memory of 2480 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 74 PID 4032 wrote to memory of 2232 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 76 PID 4032 wrote to memory of 5084 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 83 PID 4032 wrote to memory of 3588 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 85 PID 4032 wrote to memory of 3588 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 85 PID 4032 wrote to memory of 3588 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 85 PID 4032 wrote to memory of 684 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 86 PID 4032 wrote to memory of 684 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 86 PID 4032 wrote to memory of 684 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 86 PID 4032 wrote to memory of 4344 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 87 PID 4032 wrote to memory of 4344 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 87 PID 4032 wrote to memory of 4344 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 87 PID 4032 wrote to memory of 4992 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 88 PID 4032 wrote to memory of 4992 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 88 PID 4032 wrote to memory of 4992 4032 e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe 88 PID 3588 wrote to memory of 784 3588 service.exe 8 PID 3588 wrote to memory of 792 3588 service.exe 9 PID 3588 wrote to memory of 332 3588 service.exe 13 PID 3588 wrote to memory of 2648 3588 service.exe 44 PID 3588 wrote to memory of 2660 3588 service.exe 45 PID 3588 wrote to memory of 2816 3588 service.exe 50 PID 3588 wrote to memory of 3368 3588 service.exe 56 PID 3588 wrote to memory of 3540 3588 service.exe 57 PID 3588 wrote to memory of 3764 3588 service.exe 58 PID 3588 wrote to memory of 3852 3588 service.exe 59 PID 3588 wrote to memory of 3912 3588 service.exe 60 PID 3588 wrote to memory of 4004 3588 service.exe 61 PID 3588 wrote to memory of 3424 3588 service.exe 62 PID 3588 wrote to memory of 2480 3588 service.exe 74 PID 3588 wrote to memory of 2232 3588 service.exe 76 PID 3588 wrote to memory of 684 3588 service.exe 86 PID 3588 wrote to memory of 684 3588 service.exe 86 PID 3588 wrote to memory of 4344 3588 service.exe 87 PID 3588 wrote to memory of 4344 3588 service.exe 87 PID 3588 wrote to memory of 4992 3588 service.exe 88 PID 3588 wrote to memory of 4992 3588 service.exe 88 PID 3588 wrote to memory of 784 3588 service.exe 8 PID 3588 wrote to memory of 792 3588 service.exe 9 PID 3588 wrote to memory of 332 3588 service.exe 13 PID 3588 wrote to memory of 2648 3588 service.exe 44 PID 3588 wrote to memory of 2660 3588 service.exe 45 PID 3588 wrote to memory of 2816 3588 service.exe 50 PID 3588 wrote to memory of 3368 3588 service.exe 56 PID 3588 wrote to memory of 3540 3588 service.exe 57 PID 3588 wrote to memory of 3764 3588 service.exe 58 PID 3588 wrote to memory of 3852 3588 service.exe 59 PID 3588 wrote to memory of 3912 3588 service.exe 60 PID 3588 wrote to memory of 4004 3588 service.exe 61 PID 3588 wrote to memory of 3424 3588 service.exe 62 PID 3588 wrote to memory of 2480 3588 service.exe 74 PID 3588 wrote to memory of 2232 3588 service.exe 76 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" service.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:332
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2660
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2816
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe"C:\Users\Admin\AppData\Local\Temp\e03f8c459fed4f5579b51ccfaec32b2c5d6eaf01bdc14df9ec0531586a7b5abfN.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4032 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3588
-
-
C:\Windows\M13616\smss.exe"C:\Windows\M13616\smss.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:684
-
-
C:\Windows\M13616\EmangEloh.exe"C:\Windows\M13616\EmangEloh.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4344
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4992
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3540
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3764
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3852
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3912
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4004
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3424
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2480
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2232
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:5084
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:4252
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:760
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
9Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize
120KB
MD5f5d015d85a20e76a31a0c0edb852c346
SHA19bcd858e1840bb15718ab0adae9e66b2a9f2f122
SHA256af7f880b56a0a676d32369d8bcfb19cc4be633d8073e69feb0c42d7ecd8b0790
SHA512727f8e373749ba7f7a155e75bf5f007039b15ff45be3fe3b4ed2a5bfd5892bef1112a3532c23f0752e702e11de66d3ba2a40cb612b287e8793470d25959a2ade
-
Filesize
257B
MD53c7a180e4a31b26558320460afe7d5c0
SHA1026d4ea139c75e7a61b3c4570e8f4c39500b9a05
SHA25646560181d937cbaa08a4081ee00157af0b94b7f1d978ad4124df94abfca74094
SHA5125edf696a5695d58a9941bbac904f4870151b7573d8a6e0a959d86bb30d5ce538ccdfb99a2a2ed2dd6b9c9e255bd2024284c3117af70bc8d9dda31a2965859d96
-
Filesize
109B
MD568c7836c8ff19e87ca33a7959a2bdff5
SHA1cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA5123656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
100KB
MD5626871a7a0fcf1cf08351bae44ec6ca5
SHA1e68772f0dfe17804e939c875e76a92894f502b6e
SHA2564a7f7cf4ff7cacf926f2f73766e3804ac6ece59f8b53257183b9aea0fecb6130
SHA5120a3e8fb1c9ec6895f8fd2c479bef28041ed1f701fcc2cbcd05443a20eb50a2747c070ae7208afc9538a75778671079ca3556a64615e2e2108a320b80ef6b4a73