Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 15:10
Static task: static1
Behavioral task: behavioral1
Sample: 82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll
Resource: win7-20240903-en
General
- Target: 82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll
- Size: 120KB
- MD5: 005dddd4d453daf2c6e1dfcf5005a9b2
- SHA1: 1036e2c9fc35288aaeafbf405598a8185788aa20
- SHA256: 82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175
- SHA512: 5d3c06a8b81a5671b1b84fc179be8f45c64dcf2811cb3459b83e89aafbc4cb330a780a346e2b1c66fdde34f87444b297c601d08521833df16a741fc40c606c44
- SSDEEP: 1536:BlO+6YXHf3lXPCUcg3u3ZDBaEM9FDhFOW2G8kutBUlF8QD7Zint9Q5ndQGD/Vhd:BZZHFC9gnEoF9J8kYUBDKAqGLR
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76edb9.exe
Sality family
-
UAC bypass (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76edb9.exe
Windows security bypass (18 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76edb9.exe
Executes dropped EXE (3 IoCs)
pid | Process
1928 | f76cc06.exe
2864 | f76cdbb.exe
2220 | f76edb9.exe
Loads dropped DLL (6 IoCs)
pid | Process
2344 | rundll32.exe
2344 | rundll32.exe
2344 | rundll32.exe
2344 | rundll32.exe
2344 | rundll32.exe
2344 | rundll32.exe
Windows security modification (21 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cc06.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cdbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76edb9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76edb9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76edb9.exe
Checks whether UAC is enabled (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76edb9.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | f76cc06.exe
File opened (read-only) | \??\L: | f76cc06.exe
File opened (read-only) | \??\P: | f76cc06.exe
File opened (read-only) | \??\S: | f76cc06.exe
File opened (read-only) | \??\E: | f76cc06.exe
File opened (read-only) | \??\I: | f76cc06.exe
File opened (read-only) | \??\K: | f76cc06.exe
File opened (read-only) | \??\O: | f76cc06.exe
File opened (read-only) | \??\R: | f76cc06.exe
File opened (read-only) | \??\E: | f76edb9.exe
File opened (read-only) | \??\G: | f76edb9.exe
File opened (read-only) | \??\H: | f76edb9.exe
File opened (read-only) | \??\G: | f76cc06.exe
File opened (read-only) | \??\J: | f76cc06.exe
File opened (read-only) | \??\M: | f76cc06.exe
File opened (read-only) | \??\N: | f76cc06.exe
File opened (read-only) | \??\Q: | f76cc06.exe
File opened (read-only) | \??\T: | f76cc06.exe
YARA rule match: upx (24 IoCs)
resource | yara_rule
behavioral1/memory/1928-20-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-23-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-24-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-22-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-21-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-19-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-18-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-26-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-17-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-25-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-61-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-62-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-63-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-64-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-65-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-67-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-68-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-69-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-70-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-84-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-88-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-110-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1928-154-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2864-186-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\f771c18 | f76cdbb.exe
File created | C:\Windows\f771dfc | f76edb9.exe
File created | C:\Windows\f76cc63 | f76cc06.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76cc06.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76cc06.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76cdbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76edb9.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1928 | f76cc06.exe
1928 | f76cc06.exe
2864 | f76cdbb.exe
2220 | f76edb9.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1928 | f76cc06.exe (repeated for each of this process's entries)
Token: SeDebugPrivilege | 2864 | f76cdbb.exe (repeated for each of this process's entries)
Token: SeDebugPrivilege | 2220 | f76edb9.exe (repeated for each of this process's entries)
All 64 entries are SeDebugPrivilege adjustments by these three dropped executables.
Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target
PID 2068 wrote to memory of 2344 | 2068 | rundll32.exe | 30
PID 2068 wrote to memory of 2344 | 2068 | rundll32.exe | 30
PID 2068 wrote to memory of 2344 | 2068 | rundll32.exe | 30
PID 2068 wrote to memory of 2344 | 2068 | rundll32.exe | 30
PID 2068 wrote to memory of 2344 | 2068 | rundll32.exe | 30
PID 2068 wrote to memory of 2344 | 2068 | rundll32.exe | 30
PID 2068 wrote to memory of 2344 | 2068 | rundll32.exe | 30
PID 2344 wrote to memory of 1928 | 2344 | rundll32.exe | 31
PID 2344 wrote to memory of 1928 | 2344 | rundll32.exe | 31
PID 2344 wrote to memory of 1928 | 2344 | rundll32.exe | 31
PID 2344 wrote to memory of 1928 | 2344 | rundll32.exe | 31
PID 1928 wrote to memory of 1048 | 1928 | f76cc06.exe | 18
PID 1928 wrote to memory of 1124 | 1928 | f76cc06.exe | 20
PID 1928 wrote to memory of 1164 | 1928 | f76cc06.exe | 21
PID 1928 wrote to memory of 1948 | 1928 | f76cc06.exe | 23
PID 1928 wrote to memory of 2068 | 1928 | f76cc06.exe | 29
PID 1928 wrote to memory of 2344 | 1928 | f76cc06.exe | 30
PID 1928 wrote to memory of 2344 | 1928 | f76cc06.exe | 30
PID 2344 wrote to memory of 2864 | 2344 | rundll32.exe | 32
PID 2344 wrote to memory of 2864 | 2344 | rundll32.exe | 32
PID 2344 wrote to memory of 2864 | 2344 | rundll32.exe | 32
PID 2344 wrote to memory of 2864 | 2344 | rundll32.exe | 32
PID 2344 wrote to memory of 2220 | 2344 | rundll32.exe | 34
PID 2344 wrote to memory of 2220 | 2344 | rundll32.exe | 34
PID 2344 wrote to memory of 2220 | 2344 | rundll32.exe | 34
PID 2344 wrote to memory of 2220 | 2344 | rundll32.exe | 34
PID 1928 wrote to memory of 1048 | 1928 | f76cc06.exe | 18
PID 1928 wrote to memory of 1124 | 1928 | f76cc06.exe | 20
PID 1928 wrote to memory of 1164 | 1928 | f76cc06.exe | 21
PID 1928 wrote to memory of 1948 | 1928 | f76cc06.exe | 23
PID 1928 wrote to memory of 2864 | 1928 | f76cc06.exe | 32
PID 1928 wrote to memory of 2864 | 1928 | f76cc06.exe | 32
PID 1928 wrote to memory of 2220 | 1928 | f76cc06.exe | 34
PID 1928 wrote to memory of 2220 | 1928 | f76cc06.exe | 34
PID 2864 wrote to memory of 1048 | 2864 | f76cdbb.exe | 18
PID 2864 wrote to memory of 1124 | 2864 | f76cdbb.exe | 20
PID 2864 wrote to memory of 1164 | 2864 | f76cdbb.exe | 21
PID 2864 wrote to memory of 1948 | 2864 | f76cdbb.exe | 23
PID 2220 wrote to memory of 1048 | 2220 | f76edb9.exe | 18
PID 2220 wrote to memory of 1124 | 2220 | f76edb9.exe | 20
PID 2220 wrote to memory of 1164 | 2220 | f76edb9.exe | 21
PID 2220 wrote to memory of 1948 | 2220 | f76edb9.exe | 23
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cc06.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cdbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76edb9.exe
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1048
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1124
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1164
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2068
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll,#1
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 2344
    - C:\Users\Admin\AppData\Local\Temp\f76cc06.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76cc06.exe
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      PID: 1928
    - C:\Users\Admin\AppData\Local\Temp\f76cdbb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76cdbb.exe
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      PID: 2864
    - C:\Users\Admin\AppData\Local\Temp\f76edb9.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76edb9.exe
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      PID: 2220
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1948
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: eec4af4552e980f926080361966a89b5
  SHA1: ed2992f6790c74386cbada13b5eb9e5f9a8905c9
  SHA256: 54f65e012ea853c19ca8a3c99aa17d34761812e3dde3da99a52e96f72d61a1c3
  SHA512: d5c50d4f7f3e9e64d7f125b1506e514e5c2832e7298db18270df6735883e3128750de35153b386a86bdd190447b4bc1007569a4d1fe54a09cf067d548ed44612
- Filesize: 97KB
  MD5: c961515ad078fd7bf66e7aa030289959
  SHA1: 70a37672dbd8b0cd7132a1769c0080bbfd8e1c2c
  SHA256: b31bf0e3dd22240e2105c9a4f4cbb970f9ebc3e74484fcc5c8c159c5e48f05b3
  SHA512: d38d4daa372bde76a4d8515acc9854e7bb1b663157122dc71d3f5744e95c2a4076d907a0f6037494ca005f1221727ddb1c63587b8d6b61335fad7cd700dc1c52