Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 20:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba.dll
Resource
win7-20240903-en
windows7-x64
17 signatures
150 seconds
General
-
Target
155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba.dll
-
Size
120KB
-
MD5
d42ccb63a29c50719ea1f60e898c8284
-
SHA1
4e9971be1042ce23bde196456485339855a4203f
-
SHA256
155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba
-
SHA512
fdc50dc4dc13ab81d9f187402087e49cb79ac29dc3f3439e3d6734b9c91d3ccfc5e02f73e5cbaf1cf130a01c5ef5849d4ea7587408af45cf70675e701774695c
-
SSDEEP
3072:5pUT8LXnzplC0/EY9dTkNJWf7HeO9pm6:jVLXLskTew
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e577e58.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e577e58.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e5799cf.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5799cf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5799cf.exe -
Executes dropped EXE 4 IoCs
pid Process 3900 e577e58.exe 2696 e577fa0.exe 3948 e5799bf.exe 412 e5799cf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e5799cf.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e577e58.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e5799cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e5799cf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5799cf.exe -
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: e577e58.exe File opened (read-only) \??\Q: e577e58.exe File opened (read-only) \??\R: e577e58.exe File opened (read-only) \??\E: e577e58.exe File opened (read-only) \??\S: e577e58.exe File opened (read-only) \??\G: e577e58.exe File opened (read-only) \??\H: e577e58.exe File opened (read-only) \??\J: e577e58.exe File opened (read-only) \??\I: e577e58.exe File opened (read-only) \??\K: e577e58.exe File opened (read-only) \??\L: e577e58.exe File opened (read-only) \??\M: e577e58.exe File opened (read-only) \??\N: e577e58.exe File opened (read-only) \??\P: e577e58.exe File opened (read-only) \??\E: e5799cf.exe -
resource yara_rule behavioral2/memory/3900-6-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-11-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-10-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-19-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-25-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-35-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-32-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-12-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-13-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-9-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-8-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-36-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-37-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-38-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-39-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-40-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-42-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-43-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-58-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-60-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-61-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-75-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-77-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-80-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-83-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-84-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-86-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-88-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-92-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-94-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/3900-98-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/412-131-0x0000000000B30000-0x0000000001BEA000-memory.dmp upx behavioral2/memory/412-166-0x0000000000B30000-0x0000000001BEA000-memory.dmp upx -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\7z.exe e577e58.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe e577e58.exe File opened for modification C:\Program Files\7-Zip\7zG.exe e577e58.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe e577e58.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\e57cef8 e5799cf.exe File created C:\Windows\e577ea6 e577e58.exe File opened for modification C:\Windows\SYSTEM.INI e577e58.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e577e58.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e577fa0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e5799bf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e5799cf.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3900 e577e58.exe 3900 e577e58.exe 3900 e577e58.exe 3900 e577e58.exe 412 e5799cf.exe 412 e5799cf.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe Token: SeDebugPrivilege 3900 e577e58.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1684 wrote to memory of 1476 1684 rundll32.exe 83 PID 1684 wrote to memory of 1476 1684 rundll32.exe 83 PID 1684 wrote to memory of 1476 1684 rundll32.exe 83 PID 1476 wrote to memory of 3900 1476 rundll32.exe 84 PID 1476 wrote to memory of 3900 1476 rundll32.exe 84 PID 1476 wrote to memory of 3900 1476 rundll32.exe 84 PID 3900 wrote to memory of 780 3900 e577e58.exe 8 PID 3900 wrote to memory of 776 3900 e577e58.exe 9 PID 3900 wrote to memory of 336 3900 e577e58.exe 13 PID 3900 wrote to memory of 2868 3900 e577e58.exe 49 PID 3900 wrote to memory of 2888 3900 e577e58.exe 50 PID 3900 wrote to memory of 2968 3900 e577e58.exe 51 PID 3900 wrote to memory of 3396 3900 e577e58.exe 56 PID 3900 wrote to memory of 3524 3900 e577e58.exe 57 PID 3900 wrote to memory of 3720 3900 e577e58.exe 58 PID 3900 wrote to memory of 3812 3900 e577e58.exe 59 PID 3900 wrote to memory of 3876 3900 e577e58.exe 60 PID 3900 wrote to memory of 3956 3900 e577e58.exe 61 PID 3900 wrote to memory of 432 3900 e577e58.exe 62 PID 3900 wrote to memory of 2556 3900 e577e58.exe 74 PID 3900 wrote to memory of 3288 3900 e577e58.exe 76 PID 3900 wrote to memory of 4368 3900 e577e58.exe 81 PID 3900 wrote to memory of 1684 3900 e577e58.exe 82 PID 3900 wrote to memory of 1476 3900 e577e58.exe 83 PID 3900 wrote to memory of 1476 3900 e577e58.exe 83 PID 1476 wrote to memory of 2696 1476 rundll32.exe 85 PID 1476 wrote to memory of 2696 1476 rundll32.exe 85 PID 1476 wrote to memory of 2696 1476 rundll32.exe 85 PID 1476 wrote to memory of 3948 1476 rundll32.exe 87 PID 1476 wrote to memory of 3948 1476 rundll32.exe 87 PID 1476 wrote to memory of 3948 1476 rundll32.exe 87 PID 1476 wrote to memory of 412 1476 rundll32.exe 88 PID 1476 wrote to memory of 412 1476 rundll32.exe 88 PID 1476 wrote to memory of 412 1476 rundll32.exe 88 PID 3900 wrote to memory of 780 3900 e577e58.exe 8 PID 3900 wrote to memory of 776 3900 e577e58.exe 9 PID 3900 wrote to memory of 336 3900 e577e58.exe 13 PID 3900 wrote to memory of 2868 3900 e577e58.exe 49 PID 3900 wrote to memory of 2888 3900 e577e58.exe 50 PID 3900 wrote to memory of 2968 3900 e577e58.exe 51 PID 3900 wrote to memory of 3396 3900 e577e58.exe 56 PID 3900 wrote to memory of 3524 3900 e577e58.exe 57 PID 3900 wrote to memory of 3720 3900 e577e58.exe 58 PID 3900 wrote to memory of 3812 3900 e577e58.exe 59 PID 3900 wrote to memory of 3876 3900 e577e58.exe 60 PID 3900 wrote to memory of 3956 3900 e577e58.exe 61 PID 3900 wrote to memory of 432 3900 e577e58.exe 62 PID 3900 wrote to memory of 2556 3900 e577e58.exe 74 PID 3900 wrote to memory of 3288 3900 e577e58.exe 76 PID 3900 wrote to memory of 2696 3900 e577e58.exe 85 PID 3900 wrote to memory of 2696 3900 e577e58.exe 85 PID 3900 wrote to memory of 3948 3900 e577e58.exe 87 PID 3900 wrote to memory of 3948 3900 e577e58.exe 87 PID 3900 wrote to memory of 412 3900 e577e58.exe 88 PID 3900 wrote to memory of 412 3900 e577e58.exe 88 PID 412 wrote to memory of 780 412 e5799cf.exe 8 PID 412 wrote to memory of 776 412 e5799cf.exe 9 PID 412 wrote to memory of 336 412 e5799cf.exe 13 PID 412 wrote to memory of 2868 412 e5799cf.exe 49 PID 412 wrote to memory of 2888 412 e5799cf.exe 50 PID 412 wrote to memory of 2968 412 e5799cf.exe 51 PID 412 wrote to memory of 3396 412 e5799cf.exe 56 PID 412 wrote to memory of 3524 412 e5799cf.exe 57 PID 412 wrote to memory of 3720 412 e5799cf.exe 58 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577e58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5799cf.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:336
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2888
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2968
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3396
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba.dll,#13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\e577e58.exeC:\Users\Admin\AppData\Local\Temp\e577e58.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3900
-
-
C:\Users\Admin\AppData\Local\Temp\e577fa0.exeC:\Users\Admin\AppData\Local\Temp\e577fa0.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\e5799bf.exeC:\Users\Admin\AppData\Local\Temp\e5799bf.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3948
-
-
C:\Users\Admin\AppData\Local\Temp\e5799cf.exeC:\Users\Admin\AppData\Local\Temp\e5799cf.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:412
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3524
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3720
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3812
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3876
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3956
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:432
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2556
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3288
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4368
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5e5187e346b4474f19bd50084ca7085cc
SHA1b03b97fe7770a0f5848298b24824ef963d9744b2
SHA25675be5cfd57923a7049e38433015daca3f910e398440747fe95c384204d180832
SHA512e0e7f5aa26b449d5456d69a8814bfa39305465b8428ea66d3e728ae60dc1343108ec04a465f34f56571644e67418132fef3441ad4901455f4a4c87a2657b292b
-
Filesize
257B
MD57940f5bb7db0082608606aea5f629897
SHA1fbcb8cc2011644b1dca35bb9a40e73d0fb010a94
SHA256af6a1b72c1e82e1919fd9f4c69d27c6421fdfa5e79762b75540207923b963738
SHA5123bd4a962d8534e409f4f1add2f2ba4cc4ae803c4d21f466aeb4e2a049a9887782182892ec55cdc55df1215bfddb5ef2cb39237cef5bc255a3f0e0815bc4f08fa