Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15/01/2025, 22:20
Behavioral task: behavioral1
- Sample: 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Resource: win7-20240903-en
General
- Target: 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Size: 885KB
- MD5: 27ff90d09ce687ec73df98beb893f897
- SHA1: c27f85bbb51cf31ae672aa76ca43d3ad079d01c2
- SHA256: 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67
- SHA512: 3e3f45da09864cbb33dd6b550d28aba3a9f255b697b7de94da6aa6b338bef1206a39df0feb50a22bc8175feef01199d0d45fe98751cffd95e97a95593ed71127
- SSDEEP: 12288:EMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Evx9tIJa:EnsJ39LyjbJkQFMhmC+6GD9AZ
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Extracted: xred
- xred.mooo.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll
Note that the same three Xred artefacts (SUpdate.ini, Synaptics.rar, SSLLibrary.dll) are mirrored across Google Docs, Dropbox and xred.site50.net, with freedns.afraid.org used for the dynamic-DNS lookup. Blocking the hosting services wholesale is rarely an option, so network controls should key on the full URL paths, on xred.mooo.com and xred.site50.net, or on the Synaptics.exe persistence recorded in the signatures below.
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process: ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family

UAC bypass (1 IoCs)
Process: ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (6 IoCs)
Process: ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Xred family
Deletes itself (1 IoCs)
- PID 2480 ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe

Executes dropped EXE (1 IoCs)
- PID 2480 ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe

Loads dropped DLL (2 IoCs)
- PID 1932 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe (2 loads)

Windows security modification (7 IoCs)
Process: ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoCs)
Process: 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
Note that this Run key is written by the parent process (PID 1932), not by the ._cache_ child that performs the firewall, UAC and Security Center writes; the persistence and the defense impairment come from two different processes.

Checks whether UAC is enabled (1 IoCs)
Process: ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
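The registry writes in the signatures above (firewall policy, EnableLUA, the Security Center overrides, the Run key) are this sample's concrete host-side detection surface. What follows is an added example, not code from the tria.ge report or from either malware family: it parses the report's own "Set value" rows, strips the Wow6432Node view so 32- and 64-bit writes compare equal, and classifies each write against the sub-techniques listed in the report's MITRE section. The rule table and the final explorer.exe row are my own constructions; the profile wildcard generalises the report's StandardProfile to the Domain and Public profiles, which the report itself does not show.

```python
"""Classify the registry writes recorded in the signatures above.

Added example, not part of the tria.ge report. EVENTS holds the report's own
IoC rows, one per line; the last row (explorer.exe) is constructed to show a
write that touches a watched value without weakening it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CHILD = "._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe"
PARENT = "2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe"

# ATT&CK Enterprise v15 sub-techniques, as in the report's MITRE section.
T_FIREWALL = "T1562.004 Disable or Modify System Firewall"
T_TOOLS = "T1562.001 Disable or Modify Tools"
T_UAC = "T1548.002 Bypass User Account Control"
T_RUNKEY = "T1547.001 Registry Run Keys / Startup Folder"

# (regex on the normalised value path, data that means 'weakened' or None for any
#  data, technique). \w+Profile generalises StandardProfile to Domain/Public (assumption).
RULES = [
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", "0", T_FIREWALL),
    (r"\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$", "0", T_FIREWALL),
    (r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$", "1", T_FIREWALL),
    (r"\\Policies\\System\\EnableLUA$", "0", T_UAC),
    (r"\\Security Center\\(AntiVirus|Firewall|Updates|Uac)(Override|DisableNotify)$", "1", T_TOOLS),
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", None, T_RUNKEY),
]

# Row layout used by the report: Set value (type) <path> = "<data>" <process>
SET_VALUE = re.compile(
    r'^Set value \((?:int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)


@dataclass(frozen=True)
class RegWrite:
    path: str      # HKLM-prefixed, Wow6432Node removed
    data: str
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    path: str
    data: str


def parse_event(line: str) -> Optional[RegWrite]:
    """Parse one 'Set value' row; other row kinds (e.g. 'Key created') give None."""
    m = SET_VALUE.match(line.strip())
    if m is None:
        return None
    path = m.group("path").replace("\\Wow6432Node", "")
    path = path.replace("\\REGISTRY\\MACHINE", "HKLM", 1)
    return RegWrite(path, m.group("data"), m.group("proc"))


def classify(write: RegWrite) -> Optional[Finding]:
    """A Finding only when the path matches AND the data is the weakening value."""
    for pattern, data, technique in RULES:
        if re.search(pattern, write.path, re.IGNORECASE) and (data is None or write.data == data):
            return Finding(write.process, technique, write.path, write.data)
    return None


def analyze(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        write = parse_event(line)
        if write is not None:
            finding = classify(write)
            if finding is not None:
                findings.append(finding)
    return findings


def techniques_by_process(findings: List[Finding]) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.technique)
    return out


EVENTS = [
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" {CHILD}',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" {CHILD}',
    rf'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc {CHILD}',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" {PARENT}',
    # Constructed row: same value as the UAC rule, but re-enabling it, so no finding.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" explorer.exe',
]

if __name__ == "__main__":
    for proc, techs in techniques_by_process(analyze(EVENTS)).items():
        print(proc, "->", ", ".join(sorted(techs)))
```

The data-aware match matters: an endpoint tool that alerts on any write to EnableLUA or the Security Center overrides will fire on legitimate re-hardening as well, whereas keying on the weakening value (0 for EnableLUA and the firewall switches, 1 for the notification and override flags) keeps the rule specific. Grouping by writer also reproduces the split visible in the report, with the Run key attributed to the parent and every impairment to the ._cache_ child.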
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- File opened (read-only) \??\E:
- File opened (read-only) \??\G:

UPX packed file (yara rule: upx, 18 IoCs)
All hits are memory dumps of PID 2480 covering the same region 0x0000000001DE0000-0x0000000002E6E000:
- behavioral1/memory/2480-20-0x0000000001DE0000-0x0000000002E6E000-memory.dmp, and the same region in dumps 22, 23, 24, 25, 26, 33, 48, 49, 51, 53, 54, 55, 56, 57, 59, 60 and 66
Drops file in Windows directory (1 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI by ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2480 ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe (2 occurrences)

Suspicious behavior: MapViewOfSection (25 IoCs)
- PID 2480 ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe (25 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2480 ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe (2 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Row layout in the report: source PID, target PID, source PID again, source process, procid_target (the report's internal process index, not a PID). The table stops at 64 rows, so the last count below is likely truncated.
- PID 1932 (2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe) wrote to memory of 2480 (._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe): 4 writes
- PID 2480 (._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe) wrote to memory of:
  - 384 (wininit.exe): 7 writes
  - 392 (csrss.exe): 7 writes
  - 432 (winlogon.exe): 7 writes
  - 476 (services.exe): 7 writes
  - 492 (lsass.exe): 7 writes
  - 500 (lsm.exe): 7 writes
  - 592 (svchost.exe -k DcomLaunch): 7 writes
  - 672 (svchost.exe -k RPCSS): 7 writes
  - 752 (svchost.exe -k LocalServiceNetworkRestricted): 4 writes (list cut off at 64 IoCs)
Every target PID is one of the core system processes in the process tree below, so the ._cache_ child is writing into each process it can open rather than into a single chosen host. The SeDebugPrivilege adjustment recorded above is consistent with that: it is the usual prerequisite for obtaining write handles to wininit, csrss, lsass and the service hosts.
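The distinguishing feature of the table above is fan-out: one writer touching nine distinct system processes, while the parent's four writes into its own new child are the ordinary CreateProcess pattern. The example below is added here and is not code from the tria.ge report: it rebuilds the table's rows (one per distinct target plus the four parent-to-child writes, with the same procid_target indices the report shows), maps PIDs to images using the report's process tree, and scores each writer by fan-out and by whether it touched a core process. CORE_IMAGES and FANOUT_THRESHOLD are assumptions chosen for illustration.

```python
"""Fan-out scoring for the WriteProcessMemory rows in the signature above.

Added example, not part of the tria.ge report. ROWS rebuilds the report's
table and PROCESS_TREE is the report's process tree; CORE_IMAGES and
FANOUT_THRESHOLD are assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

CHILD = "._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe"
PARENT = "2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe"

# pid -> image, from the report's process tree
PROCESS_TREE: Dict[int, str] = {
    384: "wininit.exe", 392: "csrss.exe", 432: "winlogon.exe", 476: "services.exe",
    492: "lsass.exe", 500: "lsm.exe", 592: "svchost.exe -k DcomLaunch",
    672: "svchost.exe -k RPCSS", 752: "svchost.exe -k LocalServiceNetworkRestricted",
    1224: "Explorer.EXE", 1932: PARENT, 2480: CHILD,
}

# Assumption: a user-mode write into any of these is an alert by itself.
CORE_IMAGES = {"wininit.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "lsm.exe"}
# Assumption: this many distinct targets or more is 'broad' injection.
FANOUT_THRESHOLD = 3

# Report row layout: source PID, target PID, source PID again, source image, procid_target
ROW = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+) (?P<idx>\d+)$")

# The report's rows: 1932 -> 2480 four times, then 2480 into each system process
# (procid_target indices 3..11 are the ones the report shows for those targets).
ROWS = [f"PID 1932 wrote to memory of 2480 1932 {PARENT} 31"] * 4 + [
    f"PID 2480 wrote to memory of {dst} 2480 {CHILD} {idx}"
    for idx, dst in enumerate([384, 392, 432, 476, 492, 500, 592, 672, 752], start=3)
]


def parse_rows(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (source pid, target pid) for every row; reject anything malformed."""
    pairs = []
    for line in lines:
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        pairs.append((int(m["src"]), int(m["dst"])))
    return pairs


def fanout(pairs: List[Tuple[int, int]]) -> Dict[int, Dict[int, int]]:
    """source pid -> {target pid: number of writes}"""
    counts: Dict[int, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for src, dst in pairs:
        counts[src][dst] += 1
    return {src: dict(targets) for src, targets in counts.items()}


def assess(pairs, tree=PROCESS_TREE, threshold=FANOUT_THRESHOLD) -> Dict[int, dict]:
    """Score each writer: a parent writing only into its own new child is the normal
    CreateProcess pattern; many distinct targets, or any core target, is injection."""
    verdicts = {}
    for src, targets in fanout(pairs).items():
        images = {tree.get(pid, f"pid {pid}") for pid in targets}
        core = {img for img in images if img.split()[0].lower() in CORE_IMAGES}
        if len(targets) >= threshold:
            level = "high: broad injection"
        elif core:
            level = "high: write into core system process"
        else:
            level = "low: single target"
        verdicts[src] = {"image": tree.get(src), "targets": len(targets),
                         "writes": sum(targets.values()), "core_targets": core, "level": level}
    return verdicts


if __name__ == "__main__":
    for src, v in assess(parse_rows(ROWS)).items():
        print(f"{src} {v['image']}: {v['level']} ({v['targets']} targets, {v['writes']} writes)")
```

Because the report caps the table at 64 rows, the per-target counts are lower bounds and the scoring deliberately uses the number of distinct targets rather than the number of writes; on a real endpoint the same logic would run over Sysmon event ID 10 (ProcessAccess) or an EDR's process-write telemetry, where the parent-to-child case has to stay below the threshold or every process launch becomes an alert.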
System policy modification (1 TTPs, 1 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by ._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
Processes
- C:\Windows\system32\wininit.exe (wininit.exe), PID 384
  - C:\Windows\system32\services.exe, PID 476
    - C:\Windows\system32\svchost.exe -k DcomLaunch, PID 592
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 1336
      - C:\Windows\system32\wbem\wmiprvse.exe, PID 316
    - C:\Windows\system32\svchost.exe -k RPCSS, PID 672
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted, PID 752
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted, PID 812
      - "C:\Windows\system32\Dwm.exe", PID 1168
    - C:\Windows\system32\svchost.exe -k netsvcs, PID 840
      - \\?\C:\Windows\system32\wbem\WMIADAP.EXE (wmiadap.exe /F /T /R), PID 2120
    - C:\Windows\system32\svchost.exe -k LocalService, PID 960
    - C:\Windows\system32\svchost.exe -k NetworkService, PID 108
    - C:\Windows\System32\spoolsv.exe, PID 1020
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork, PID 1028
    - C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1116
    - "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE", PID 1532
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation, PID 3052
    - C:\Windows\system32\sppsvc.exe, PID 1616
  - C:\Windows\system32\lsass.exe, PID 492
  - C:\Windows\system32\lsm.exe, PID 500
- C:\Windows\system32\csrss.exe (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16), PID 392
- C:\Windows\system32\winlogon.exe (winlogon.exe), PID 432
- C:\Windows\Explorer.EXE, PID 1224
  - "C:\Users\Admin\AppData\Local\Temp\2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe", PID 1932
    Signatures: Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe", PID 2480
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Deletes itself; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- (the submitted sample; hashes match the General section above)
  Filesize: 885KB
  MD5: 27ff90d09ce687ec73df98beb893f897
  SHA1: c27f85bbb51cf31ae672aa76ca43d3ad079d01c2
  SHA256: 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67
  SHA512: 3e3f45da09864cbb33dd6b550d28aba3a9f255b697b7de94da6aa6b338bef1206a39df0feb50a22bc8175feef01199d0d45fe98751cffd95e97a95593ed71127
- (no path recorded on the page)
  Filesize: 912KB
  MD5: d083c47aaf61703d283facd2f89d3fef
  SHA1: e7c7fe9a617d67b3ccad162e20b144f0a7fbf354
  SHA256: c22cbb9ba2dd4a770cef411d9089a1a082a7fd9fb043b3a35b868892be5f5e7d
  SHA512: 124c9f007c535a236f7018857f5de862f689a251afc344eac0d705190a260235038c2d75cdfeec7c295db48c574ce15718397d2c6380685529d9d1171cfe2d45
- \Users\Admin\AppData\Local\Temp\._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
  Filesize: 132KB
  MD5: df1a5688c382996d68c40f2d861d7326
  SHA1: 3dcdf803e8621c8f89d98e48fb2cfe499918b21c
  SHA256: eb036c4a775ddb2df834c0d3a46a103a964abebe4f74321ac19cd80a6270900a
  SHA512: 004ec9d54129139a19fe3d307692fdea721f931174e9ded20d7f57236c0c226fcbea706c10f1e0e527bfa2b67cf394db75b6386102a57dbd3b2a842226b8143f