Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23/12/2024, 11:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe
Resource
win7-20240903-en
windows7-x64
19 signatures
150 seconds
General
-
Target
4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe
-
Size
856KB
-
MD5
0615ed5d5753d60dd6308523a7a8814e
-
SHA1
1e63142c48d890b59bbd82c77f435e6206631f1e
-
SHA256
4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f
-
SHA512
1d9b075b7bb4f693c6d0c0e62b40104f77dd6ba7b014541ff770376c18919609c20c4dd18dd1236966cc7721e7b274df6c439e30810c164f601b0adafe08226a
-
SSDEEP
24576:CECdXeb/rR0FPEGNiHWd0A/TPFMceJEvNrRe:pIFPEGNiHW9TtMHJoNVe
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\L: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\N: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\P: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\R: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\T: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\Y: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\G: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\I: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\U: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\W: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\E: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\H: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\M: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\O: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\S: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\V: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\X: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\Z: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\J: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened (read-only) \??\K: 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\autorun.inf 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\autorun.inf 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
resource yara_rule behavioral2/memory/4076-3-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-10-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-19-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-13-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-21-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-9-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-7-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-6-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-5-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-4-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-1-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-22-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-23-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-24-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-25-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-26-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-28-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-29-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-30-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-32-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-34-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-36-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-37-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-40-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-42-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-45-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-46-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-49-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-51-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-53-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-54-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-61-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-63-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-64-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-66-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-67-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-69-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-70-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-71-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-74-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-78-0x00000000023F0000-0x00000000034AA000-memory.dmp upx behavioral2/memory/4076-89-0x00000000023F0000-0x00000000034AA000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\7-Zip\7z.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\e576b2d 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe File opened for modification C:\Windows\SYSTEM.INI 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\BrowserMachineCode 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode\MachineGuid = "56030B179CB3F87280758E97B7C56FDF" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe Token: SeDebugPrivilege 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4076 wrote to memory of 2984 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 49 PID 4076 wrote to memory of 3052 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 51 PID 4076 wrote to memory of 2512 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 53 PID 4076 wrote to memory of 3468 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 56 PID 4076 wrote to memory of 3588 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 57 PID 4076 wrote to memory of 3776 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 58 PID 4076 wrote to memory of 3872 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 59 PID 4076 wrote to memory of 3940 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 60 PID 4076 wrote to memory of 4028 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 61 PID 4076 wrote to memory of 4128 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 62 PID 4076 wrote to memory of 4484 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 74 PID 4076 wrote to memory of 844 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 76 PID 4076 wrote to memory of 2984 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 49 PID 4076 wrote to memory of 3052 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 51 PID 4076 wrote to memory of 2512 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 53 PID 4076 wrote to memory of 3468 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 56 PID 4076 wrote to memory of 3588 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 57 PID 4076 wrote to memory of 3776 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 58 PID 4076 wrote to memory of 3872 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 59 PID 4076 wrote to memory of 3940 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 60 PID 4076 wrote to memory of 4028 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 61 PID 4076 wrote to memory of 4128 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 62 PID 4076 wrote to memory of 4484 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 74 PID 4076 wrote to memory of 844 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 76 PID 4076 wrote to memory of 2984 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 49 PID 4076 wrote to memory of 3052 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 51 PID 4076 wrote to memory of 2512 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 53 PID 4076 wrote to memory of 3468 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 56 PID 4076 wrote to memory of 3588 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 57 PID 4076 wrote to memory of 3776 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 58 PID 4076 wrote to memory of 3872 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 59 PID 4076 wrote to memory of 3940 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 60 PID 4076 wrote to memory of 4028 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 61 PID 4076 wrote to memory of 4128 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 62 PID 4076 wrote to memory of 4484 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 74 PID 4076 wrote to memory of 844 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 76 PID 4076 wrote to memory of 2984 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 49 PID 4076 wrote to memory of 3052 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 51 PID 4076 wrote to memory of 2512 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 53 PID 4076 wrote to memory of 3468 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 56 PID 4076 wrote to memory of 3588 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 57 PID 4076 wrote to memory of 3776 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 58 PID 4076 wrote to memory of 3872 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 59 PID 4076 wrote to memory of 3940 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 60 PID 4076 wrote to memory of 4028 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 61 PID 4076 wrote to memory of 4128 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 62 PID 4076 wrote to memory of 4484 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 74 PID 4076 wrote to memory of 844 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 76 PID 4076 wrote to memory of 2984 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 49 PID 4076 wrote to memory of 3052 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 51 PID 4076 wrote to memory of 2512 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 53 PID 4076 wrote to memory of 3468 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 56 PID 4076 wrote to memory of 3588 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 57 PID 4076 wrote to memory of 3776 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 58 PID 4076 wrote to memory of 3872 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 59 PID 4076 wrote to memory of 3940 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 60 PID 4076 wrote to memory of 4028 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 61 PID 4076 wrote to memory of 4128 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 62 PID 4076 wrote to memory of 4484 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 74 PID 4076 wrote to memory of 844 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 76 PID 4076 wrote to memory of 2984 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 49 PID 4076 wrote to memory of 3052 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 51 PID 4076 wrote to memory of 2512 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 53 PID 4076 wrote to memory of 3468 4076 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe 56 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3052
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2512
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe"C:\Users\Admin\AppData\Local\Temp\4ba49e1f864ef0116890eea6440d7a8562b498574c1d15467990f5860523572f.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4076
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3588
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3776
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3872
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3940
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4028
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4128
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4484
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:844
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD55076fca13c319da69e586190a4df17d4
SHA171e9c7c12cae171fad10f80fe777b2c82004f274
SHA25620a3ea132a566740c2fe8bb4e8b7559d7abf3358309241a507a935d7a3fe24e1
SHA512aab700a7652f1b64ed09c8cd2fb0b04219f41075fb2ef73f6d0c20e16098b4f5252a9d9e04c647abe11ae6f8f32a21caf8e485d948065431c92f2b4d5292b9d9