Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/01/2025, 12:43
Behavioral task
behavioral1
Sample
d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe
Resource
win7-20240903-en
windows7-x64
25 signatures
120 seconds
General
-
Target
d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe
-
Size
708KB
-
MD5
6bcde3e955429f9ef45523a341d85126
-
SHA1
9a6c19105967f70333e95c11ac76a53babf9aff6
-
SHA256
d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e
-
SHA512
ba1de53291fca48e7d2306d2d5807abc9aab185e13d5418af13fab3345ca41a2c06c016be40ff7acb9fbfa1812136e17b5207940aa033bb624d747671f63efb5
-
SSDEEP
12288:7qU89vzAaKUaQqbWQrPBFSHvkJO1tmPY+QL2TFDhvfo:svzrpEWQ7zmvFYQL2FNQ
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Detect Neshta payload 6 IoCs
resource yara_rule behavioral1/memory/1876-0-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta behavioral1/files/0x00070000000193d9-6.dat family_neshta behavioral1/memory/1876-50-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta behavioral1/memory/1876-60-0x000000002D170000-0x000000002D1A8000-memory.dmp family_neshta behavioral1/memory/1876-79-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta behavioral1/memory/1876-210-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Disables Task Manager via registry modification
-
Loads dropped DLL 2 IoCs
pid Process 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
resource yara_rule behavioral1/memory/1876-9-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-14-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-16-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-13-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-11-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-17-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-12-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-18-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-15-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-21-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-20-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-37-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-39-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-40-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-41-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-44-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-45-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-47-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-48-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-59-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-62-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-69-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-70-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-72-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-141-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-156-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-157-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-160-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-161-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-164-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-165-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx behavioral1/memory/1876-211-0x0000000001DA0000-0x0000000002E2E000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe File opened for modification C:\Windows\svchost.com d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe Token: SeDebugPrivilege 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1876 wrote to memory of 1128 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 19 PID 1876 wrote to memory of 1184 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 20 PID 1876 wrote to memory of 1260 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 21 PID 1876 wrote to memory of 1544 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 25 PID 1876 wrote to memory of 1128 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 19 PID 1876 wrote to memory of 1184 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 20 PID 1876 wrote to memory of 1260 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 21 PID 1876 wrote to memory of 1544 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 25 PID 1876 wrote to memory of 1128 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 19 PID 1876 wrote to memory of 1184 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 20 PID 1876 wrote to memory of 1260 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 21 PID 1876 wrote to memory of 1544 1876 d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe 25 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1128
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1184
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe"C:\Users\Admin\AppData\Local\Temp\d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1876
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1544
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F76FA27_Rar\d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe
Filesize636KB
MD584a781ca5f8a74e1bc0435a86f621e30
SHA1c09984c8f65019a657225c71b033da2806860e8e
SHA25614fae45010f78d936311204bc7bbc27f44ee7b27aca345b1c765fcbad80c8f50
SHA5121c7f08ca26871cb9f10b8cb4900d28014d6a262baa04b1891996c4e0abe30bbd6ede70de4e12f7f084fd8b9509dfa3dfaae4d4a01bd6d33274b2f7193ef2eecc
-
Filesize
213KB
MD5f91b4a1064ff3c8f3c3c8c6ec30971f5
SHA1cc4b6887d58d643a1130bdc73bb00e890ad0c47a
SHA256ba044f9246873626d7525eab6f65c433bbe0efaae109d528f4970d069493a6fe
SHA5127771eff34f1767f77e62ae7527fb2de37083fd8abfdae3096d92c0adf5d2be67cafe39f48d1949417cccaa5e6e16a02448cf746dc4071359bcc6c0cebfabc136
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156