55197b221b742624fe02c92ca89485fd67180a0feec6fd5ea794d3d388178ddd

General

Score

N/A

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

description
Token: SeDebugPrivilege

Modifies Winlogon for persistence 2 TTPs 1 IoCs

Modify Registry

description
\REGISTRY\USER\S-1-5-21-1548117458-596549244-604853198-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\C8OUBe6FBXe29UD0\\5peYqcul4U1a.exe\",explorer.exe"

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

description	pid
PID 1324 wrote to memory of 1472	1472

Suspicious use of SetThreadContext 1 IoCs

description	pid
PID 1324 set thread context of 1472	1472

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

description	pid
PID 1472 wrote to memory of 340	340

Suspicious use of SetThreadContext 1 IoCs

description	pid
PID 1472 set thread context of 340	340

Drops file in system dir 3 IoCs

description
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

description
Token: SeShutdownPrivilege

Drops file in system dir 2 IoCs

description
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

description
Token: SeShutdownPrivilege