Analysis
- max time kernel: 124s
- max time network: 20s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 08-02-2025 16:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Resource: win7-20241010-en
General
- Target: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Size: 11.2MB
- MD5: a429e4925084ffe2bf3b86219a3e4d97
- SHA1: 472f6701f1f6d531b3dd3cce282c3593bd1037ee
- SHA256: 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c
- SHA512: 674a9691aae070698ba6277f13499088fa9b5759e2a07aeb46c228512b23aa5a7c49cd7ee950471d43676712195e4578b407e5fb17642c307166301a2dbe6b99
- SSDEEP: 196608:4IJaU6Vz0Yq/xBWFU28OYcRSh4eZ02d1Cargnap4LWUvJ0kjpdGThgy/0Z+ZPu:/F6yZWU28PW0LN7pwvb8TB0Im
Malware Config
- Extracted family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
Signatures
- Modifies firewall policy service (3 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Sality family
- UAC bypass (3 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Windows security bypass (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2764 | DeltaForceMiniloader.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Windows security modification (2 TTPs, 7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Enumerates connected drives (3 TTPs, 43 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\T: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\O: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\L: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\S: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\U: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\V: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\X: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\I: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\E: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\K: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\L: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\Z: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\S: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\J: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\K: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\U: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\W: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\X: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\Y: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\G: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\W: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\E: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\J: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\P: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\R: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\T: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\F: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\Q: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\V: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\N: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\Z: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\N: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\Q: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\G: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\M: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\H: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\Y: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\O: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\P: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\R: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\M: | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened (read-only) | \??\H: | DeltaForceMiniloader.exe
  File opened (read-only) | \??\I: | DeltaForceMiniloader.exe
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | F:\autorun.inf | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened for modification | C:\autorun.inf | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- resource | yara_rule
  behavioral1/memory/2216-5-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-23-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-22-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-7-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-3-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-4-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-24-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-8-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-6-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-37-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-38-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-41-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-55-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-54-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-57-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-58-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-74-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-75-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-78-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-79-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-81-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-83-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-85-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-87-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-94-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-96-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
  behavioral1/memory/2216-97-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
- Drops file in Program Files directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DeltaForceMiniloader.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | Process
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2764 | DeltaForceMiniloader.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeDebugPrivilege | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
  Token: SeCreateGlobalPrivilege | 2764 | DeltaForceMiniloader.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2764 | DeltaForceMiniloader.exe
  2764 | DeltaForceMiniloader.exe
  2764 | DeltaForceMiniloader.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2764 | DeltaForceMiniloader.exe
  2764 | DeltaForceMiniloader.exe
  2764 | DeltaForceMiniloader.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2764 | DeltaForceMiniloader.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  description | pid | Process | procid_target
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 2764 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 29
  PID 2216 wrote to memory of 2764 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 29
  PID 2216 wrote to memory of 2764 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 29
  PID 2216 wrote to memory of 2764 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 29
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 2764 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 29
  PID 2216 wrote to memory of 2764 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 29
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
  PID 2216 wrote to memory of 1252 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 18
  PID 2216 wrote to memory of 1348 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 19
  PID 2216 wrote to memory of 1412 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 20
  PID 2216 wrote to memory of 1264 | 2216 | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe | 22
- System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1252
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1348
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1412
  - C:\Users\Admin\AppData\Local\Temp\0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0e1e60497457512b76b4cca00fa24029b8a5c6ca1450ae62a162b29abb74b19c.exe"
    PID: 2216
    signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\DeltaForceMiniloader\DeltaForceMiniloader.exe
      command line: "C:\Users\Admin\AppData\Local\DeltaForceMiniloader\DeltaForceMiniloader.exe"
      PID: 2764
      signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1264
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 4.8MB
  MD5: ee5ef0b4228a3368865d09d356e1f425
  SHA1: 1de28e6a6d1001244a18769eac87fe2ab57466a8
  SHA256: 575f63d837599be48eb726134df9494bf82284ef8813f90ec00d825b041700dd
  SHA512: a1a3ca6adcb46e4d6dea9d81edecfa1ec8a855f0d11565ae323f2a4329bd1ed1b7ee102810a5a618cd1c838a7647cfafc5b9a23ca13ed2a98a7e9e82a799a197
- Filesize: 113B
  MD5: 1e8cf5946a37d9a084be613554260815
  SHA1: 94b5aee19918d59c83785ac27de9c7c076f12091
  SHA256: e8a59173f505dbedf4dd37eec210e5e539a243e46f521a8ba8d2ec13fd99d29f
  SHA512: abe7ebaf55dbccb4fc8c1a39c36427f381568642dde0855208244133cae23dbca7a8776c3b67303673413ed6047574e22e349697bfb22fe5f9395bcf86f8a2cb
- Filesize: 3KB
  MD5: 7b1a58ee33bfd46ac14b53065e1e038d
  SHA1: 3e50ff8f61cc67d96fd03bf34e4861d5852c8da7
  SHA256: eeb9c9a561a7ab10b88d6b02647604f058c431958bd0c785cd089e046352e746
  SHA512: 1abbe6e9281788d7cfb53d064af9937241a5bd226c0379bc8737a02e3d96374444697f9d852da8c11c9238e966de87293332d1e28f40d0017a869a279c94669c
- Filesize: 101KB
  MD5: 468473588388a174c9968053481445ee
  SHA1: 391242deaa09813b216c02a5f60bbd9420110a93
  SHA256: bfe07e37fedd7c2d73f75711ef84a04f0d14709d8a0827541d4257ec6c78946e
  SHA512: fddfc866dc64e6dc8ef5ddd82b6ae067b168a7dfbc0caf7b0dbdaf9f34dda2c3210e4ee6ede74819cee41405d2568639cfe2e36bbc1b61fca119ffdb5aac6722
- Filesize: 2.7MB
  MD5: 83afc082ed4de70d47be303d4f2b4c94
  SHA1: 30b3b74fe543c07568eff1c4330481857f08a534
  SHA256: 3741b6216f5b0c779cc0c2a4c2400b89f4a5526d785f0b4dc542a5da2a7aa234
  SHA512: 7513995574b643cf6527f61b32f22cfd3e6eabdac6ebec8b80ac6084e7d1a560cb526dcac1c2b5b1466b7ad5fc4b814f37f039f10d2340ea7f208997b5a53eea
- Filesize: 100KB
  MD5: 1851746bcdcb257adcc6eedb98aa5fac
  SHA1: 8a4e8f6d3d3b7e0fe96e81778d5c5aa153a47ec0
  SHA256: 9ae1e0b573c43ce55d1944d5e5fd337946c913b6238cfbe699ead06a38bc83e7
  SHA512: 4c07fcaf79224acf56322934c86c109d1590323e2e24218c329ecbf76f0f7d138a357ea1e9057955a2196d1078e13cfd24c2af018ec2474563069539675394af