Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/12/2024, 19:12 UTC
Behavioral task
behavioral1
Sample
04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe
Resource
win7-20240903-en
windows7-x64
17 signatures
150 seconds
General
-
Target
04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe
-
Size
361KB
-
MD5
f10fd296b99bff4da1fbc7b80c5a901c
-
SHA1
f6d59f98eea031a80c58ce9ac437b9f6181fbb68
-
SHA256
04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d
-
SHA512
7b49f50a5779d6a304c28d7a9b27d68b397d0c548cc777bcde6cee0b565ac7ed68344f5c85fac542dbbd48bed6e9bba96617bfc763146147561f38be8a1d5bdf
-
SSDEEP
6144:l2TV1wBuGKyaROfTgoGcJ25GUUCDHGJuMqjh6NG3q3p+ry28c8d/8kK:sbFA0oNYGUUEb0NG3lrgcQ/NK
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\U: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\Z: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\S: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\V: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\E: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\G: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\M: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\P: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\J: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\K: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\O: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\Q: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\T: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\W: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\X: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\Y: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\H: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\I: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\L: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened (read-only) \??\R: 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened for modification F:\autorun.inf 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
resource yara_rule behavioral1/memory/1640-0-0x0000000000400000-0x0000000000512000-memory.dmp upx behavioral1/memory/1640-5-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-8-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-6-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-7-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-10-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-4-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-9-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-1-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-3-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-13-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-12-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-33-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-35-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-34-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-38-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-39-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-40-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-41-0x0000000000400000-0x0000000000512000-memory.dmp upx behavioral1/memory/1640-43-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-45-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-47-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-65-0x0000000000400000-0x0000000000512000-memory.dmp upx behavioral1/memory/1640-68-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-70-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx behavioral1/memory/1640-73-0x0000000001E20000-0x0000000002EAE000-memory.dmp upx -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
description pid Process Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe Token: SeDebugPrivilege 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 PID 1640 wrote to memory of 1064 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 18 PID 1640 wrote to memory of 1128 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 19 PID 1640 wrote to memory of 1152 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 20 PID 1640 wrote to memory of 284 1640 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe 25 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1064
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1128
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe"C:\Users\Admin\AppData\Local\Temp\04cdf9972803a3ca62d0799868921f3727d15b6a89325e69ab9386910ea1d43d.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1640
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:284
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5175a31d0d83c2814326627c577bb4cf9
SHA18778e8d62a6622b2bd9a2f5aeb7dabbf8b11635b
SHA256bb138105616c29a1525bb400ac3808a5268125b7b8446c922ed937856f2c78f5
SHA512ffb4f227d015c12c0114663ba3ce1019293b399e79a38a7d71bcd2a58f69a7381c563082572f0d0c6fd355f9764efde13124006b3faba105b1f2a0b52856d4e3