File.exe

Tags

Signatures

• Modifies security service

  Tags

  evasion

  TTPs

  Modify RegistryModify Existing Service

• Suspicious use of NtCreateUserProcessOtherParentProcess

• Executes dropped EXE

• Possible privilege escalation attempt

  Tags

  exploit

• Stops running service(s)

  Tags

  evasion

  TTPs

  Modify Existing ServiceService Stop

• Checks computer location settings

  Description

  Looks up country code configured in the registry, likely geofence.

  TTPs

  Query RegistrySystem Information Discovery

• Loads dropped DLL

• Modifies file permissions

  Tags

  discovery

  TTPs

  File Permissions Modification

• Looks up external IP address via web service

  Description

  Uses a legitimate IP lookup service to find the infected system's external IP.

• Drops file in System32 directory

• Suspicious use of SetThreadContext

Related Tasks