General
Target

36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

Filesize

883KB

Completed

20-05-2022 22:06

Task

behavioral1

Score
10/10
MD5

1a0cc91e3e90d89d7a717fd6d3787c64

SHA1

ce4323bc4033f2f81ee3903ac2fb7873f6bd0ade

SHA256

36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a

SHA512

d67c64c1ac8a8935990ae86ffda9cf208348a29db0ccf1e513c550fe5b91beb55ab9700253d4f5030acd87765229a7971237ae38844e924a9a68b01dbb432b85

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures 20

Tactics covered: Defense Evasion, Discovery, Lateral Movement, Persistence, Privilege Escalation
  • Modifies firewall policy service
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Sality

    Description

    Sality is a polymorphic file infector with backdoor functionality, written in C++ and first discovered in 2003.

  • UAC bypass

    TTPs

    Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/656-55-0x0000000001F50000-0x000000000300A000-memory.dmp | upx
    behavioral1/memory/656-56-0x0000000001F50000-0x000000000300A000-memory.dmp | upx
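    The sandbox's UPX rule fired on the process memory dump, not on the file, so a static triage check is worth having before detonation. The following is an added example (not code from the report or from the sandbox vendor): it walks the PE section table by hand, flags the section names stock UPX writes, and also applies a layout heuristic (first section has no raw data, entry point sits in a later section) that survives the section renaming "modified UPX" builds do. The section-name list and the synthetic PE built by build_test_pe are assumptions for offline testing, not data from this sample.

```python
import struct

# Section names written by stock UPX. Modified builds usually rename them, which the
# layout heuristic in upx_indicators() is meant to catch. Assumed list; extend as needed.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!", b".UPX0", b".UPX1"}


def parse_pe_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, SizeOfRawData), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER (PE32 or PE32+)
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint, same offset in both
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize = struct.unpack_from("<III", pe, off + 8)
        sections.append((name, vaddr, vsize, rsize))
    return entry_rva, sections


def upx_indicators(pe: bytes) -> dict:
    """Static UPX triage: known section names plus the packer's characteristic section layout."""
    entry_rva, sections = parse_pe_sections(pe)
    names = [s[0] for s in sections]
    entry_section = next((n for n, va, vs, rs in sections if va <= entry_rva < va + max(vs, rs)), None)
    # Stock UPX: the first section only exists in memory (unpacked image, zero raw bytes on disk)
    # and the entry point is in a later section holding the unpacking stub. Renaming does not change this.
    first_has_no_raw_data = bool(sections) and sections[0][3] == 0 and sections[0][2] > 0
    entry_outside_first = bool(sections) and entry_section is not None and entry_section != names[0]
    named = [n for n in names if n in UPX_SECTION_NAMES]
    return {
        "sections": [n.decode("latin-1") for n in names],
        "upx_named_sections": [n.decode("latin-1") for n in named],
        "entry_section": entry_section.decode("latin-1") if entry_section else None,
        "first_section_has_no_raw_data": first_has_no_raw_data,
        "likely_upx": bool(named) or (first_has_no_raw_data and entry_outside_first),
    }


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return upx_indicators(f.read())


def build_test_pe(section_names, entry_rva, first_raw_size):
    """Constructed test input: a bare PE32 header with the given section table and no real code."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 2, 25, 0x1000, 0x1000, 0, entry_rva).ljust(0xE0, b"\0")
    table, va = b"", 0x1000
    for i, name in enumerate(section_names):
        raw = first_raw_size if i == 0 else 0x200
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, va, raw, 0x400, 0, 0, 0, 0, 0xE0000020)
        va += 0x1000
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    print(upx_indicators(build_test_pe([b"UPX0", b"UPX1", b".rsrc"], 0x2100, 0)))
    print(upx_indicators(build_test_pe([b".text", b".data", b".rsrc"], 0x2100, 0)))   # renamed UPX layout
```

    The header-only check is cheap enough to run on every sample at intake; a hit means the strings and imports seen on disk are the stub's, not the payload's, and the memory dump the sandbox produced (behavioral1/memory/656-55) is the artifact to analyse.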
  • Windows security modification
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Checks whether UAC is enabled
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Enumerates connected drives
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\G: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\O: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\F: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\T: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\Z: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\R: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\S: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\E: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\J: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\L: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\N: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\P: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\H: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\I: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\K: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\M: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\Q: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Writes to the Master Boot Record (MBR)
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    TTPs

    Bootkit

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
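    Opening \??\PhysicalDrive0 for write is the only evidence the report gives; whether the MBR was actually altered is a question for the disk, not the log. The following is an added example (not from the report or the sandbox vendor) of the check an incident responder runs on a host that executed this sample: parse sector 0, hash the 440 bytes of boot code, and compare it and the partition table against a baseline captured when the disk was known good. The boot code bytes, disk signature and partition layout used for testing are constructed stand-ins, not data from this sample.

```python
import hashlib
import struct

SECTOR_SIZE = 512


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, disk signature, partition table and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + i * 16                          # partition table starts at 0x1BE, 16 bytes per entry
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[510:512] == b"\x55\xAA",
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with the baseline parse of the same disk; return human-readable findings."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootkit)")
    if cur["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 from a raw device: \\.\PhysicalDrive0 on Windows (as administrator), /dev/sda on Linux (as root)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def make_mbr(boot_code: bytes, disk_signature: int, partitions) -> bytes:
    """Constructed test input: assemble an MBR; partitions are (status, type, lba_start, sectors) tuples."""
    table = b"".join(bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, count)
                     for status, ptype, lba, count in partitions).ljust(64, b"\0")
    return boot_code.ljust(440, b"\0") + struct.pack("<I", disk_signature) + b"\0\0" + table + b"\x55\xAA"


# Constructed stand-ins: a few plausible opening bytes (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00) padded
# with nops. Not a real boot loader, and not bytes taken from this sample.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
HOOKED_BOOT_CODE = b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:]   # first instruction replaced by a jump into attacker code
PARTITIONS = [(0x80, 0x07, 2048, 204800)]                   # one active NTFS partition

CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)


if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))
    print(check_mbr(make_mbr(HOOKED_BOOT_CODE, 0x1234ABCD, PARTITIONS), BASELINE))
```

    In practice the baseline is the parse_mbr() output stored at build time (or taken from a clean machine of the same image), and read_mbr() needs administrator or root rights because it opens the raw device. A changed boot-code hash with an unchanged partition table is the bootkit pattern; a changed partition table on its own more often means a disk-management operation.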
  • Drops autorun.inf file

    Description

    Malware can abuse Windows Autorun to spread further via attached volumes.

    TTPs

    Replication Through Removable Media
  • Drops file in Program Files directory
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\7z.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\7zG.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Drops file in Windows directory
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\6c0a7d | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Windows\SYSTEM.INI | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). This generic signature is often ransomware behaviour; for this sample it is consistent with the autorun.inf drop and removable-media replication reported above.

    TTPs

    System Information Discovery
  • Modifies Internet Explorer settings
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com\ = "63" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\Total = "63" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe = "11000" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\NumberOfSubdomains = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious behavior: EnumeratesProcesses
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Reported IOCs

    pid | process
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of AdjustPrivilegeToken
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Token: SeDebugPrivilege | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of FindShellTrayWindow
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Reported IOCs

    pid | process
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of SetWindowsHookEx
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Reported IOCs

    pid | process
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of WriteProcessMemory
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    Reported IOCs

    description | pid | process | target process
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 528 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 696 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 656 wrote to memory of 1244 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhost.exe
    PID 656 wrote to memory of 1332 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Dwm.exe
    PID 656 wrote to memory of 1376 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 656 wrote to memory of 2036 | 656 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
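    The pattern worth detecting in the rows above is not any single write but one non-system process writing, repeatedly, into every long-lived shell and host process on the desktop (Explorer, Dwm, taskhost, three DllHost COM surrogates). The following is an added example (not from the report or the sandbox vendor) of how to score such WriteProcessMemory telemetry: group writes by source PID, count distinct system-image targets, and flag a source once it crosses a threshold. The input format (tab-separated fields after the sandbox's own "PID x wrote to memory of y" phrasing), the SYSTEM_IMAGES list, the threshold and the benign row are all assumptions for offline testing; the PIDs and image names in the sample rows are taken from the report.

```python
import re
from collections import Counter, defaultdict

# Images a file infector / rootkit typically injects into to hide and survive; assumed list, extend for the estate.
SYSTEM_IMAGES = {"explorer.exe", "dwm.exe", "taskhost.exe", "dllhost.exe", "svchost.exe",
                 "winlogon.exe", "csrss.exe", "lsass.exe", "services.exe"}

# One telemetry row: "PID <src> wrote to memory of <dst>\t<source image>\t<target image>"
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\t(?P<src_img>[^\t]+)\t(?P<dst_img>[^\t]+)$")


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples; rows that do not match are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.rstrip("\n"))
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def assess(rows, min_system_targets=3):
    """Flag every non-system source that wrote into at least min_system_targets distinct system processes."""
    events = parse_rows(rows)
    writes = defaultdict(Counter)        # src pid -> Counter(dst pid -> number of writes)
    image = {}                           # pid -> image name, as last seen
    for src, dst, src_img, dst_img in events:
        writes[src][dst] += 1
        image[src], image[dst] = src_img, dst_img
    findings = []
    for src, targets in writes.items():
        sys_targets = sorted(pid for pid in targets if image[pid].lower() in SYSTEM_IMAGES)
        if image[src].lower() not in SYSTEM_IMAGES and len(sys_targets) >= min_system_targets:
            findings.append({
                "source_pid": src,
                "source_image": image[src],
                "system_targets": sys_targets,
                "target_images": sorted({image[p].lower() for p in sys_targets}),
                "write_count": sum(targets.values()),
            })
    return findings


SAMPLE = "36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe"


def row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst}\t{src_img}\t{dst_img}"


# Constructed from the report's WriteProcessMemory rows (same PIDs and images, fewer repeats),
# plus one benign parent-to-child write that must not be flagged.
SAMPLE_ROWS = (
    [row(656, 1244, SAMPLE, "taskhost.exe")] * 3
    + [row(656, 1332, SAMPLE, "Dwm.exe")] * 3
    + [row(656, 1376, SAMPLE, "Explorer.EXE")] * 3
    + [row(656, 2036, SAMPLE, "DllHost.exe")] * 2
    + [row(656, 528, SAMPLE, "DllHost.exe"), row(656, 696, SAMPLE, "DllHost.exe")]
    + [row(1500, 1504, "installer.exe", "installer_child.exe")]
)


if __name__ == "__main__":
    for finding in assess(SAMPLE_ROWS):
        print(finding)
```

    The same grouping works on Sysmon Event ID 8 (CreateRemoteThread) or Event ID 10 (ProcessAccess with PROCESS_VM_WRITE) feeds once the fields are mapped to the row format; the threshold of three distinct system targets is a starting point, since legitimate software rarely writes into more than one foreign system process.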
  • System policy modification
    36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
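    The registry writes listed under "Modifies firewall policy service", "Windows security modification", "Checks whether UAC is enabled" and "System policy modification" are one coherent action: turn the firewall profile off, tell Security Center to report AV and firewall as healthy and stop warning, and switch UAC off. The following is an added example (not from the report or the sandbox vendor) of a small rule set that recognises that action in registry-set telemetry, normalising the Wow6432Node and ControlSet001 spellings so one rule covers the 32-bit view and every control set. The event line format (tab after the operation name), the rule list and the ATT&CK technique IDs attached to the findings are assumptions of this example; the sample events reuse the keys and values from the report, plus two benign lines.

```python
import re
from collections import Counter

# (regex matched against the normalised key path, value meaning tampering, finding text, ATT&CK technique)
RULES = [
    (r"services\\sharedaccess\\parameters\\firewallpolicy\\\w+profile\\enablefirewall$", "0",
     "Windows Firewall profile disabled", "T1562.004"),
    (r"services\\sharedaccess\\parameters\\firewallpolicy\\\w+profile\\disablenotifications$", "1",
     "Windows Firewall notifications suppressed", "T1562.004"),
    (r"microsoft\\security center\\(antivirus|firewall)override$", "1",
     "Security Center status override (AV/firewall state reported as healthy)", "T1562.001"),
    (r"microsoft\\security center\\(antivirus|firewall|updates|uac)disablenotify$", "1",
     "Security Center warning notifications suppressed", "T1562.001"),
    (r"policies\\system\\enablelua$", "0", "UAC disabled via EnableLUA=0", "T1548.002"),
]

# One telemetry line: 'Set value (<type>)\t<key path> = "<value>"'
EVENT_RE = re.compile(r'^Set value \((?P<type>\w+)\)\t(?P<path>.+?) = "(?P<value>.*)"$')


def normalise_path(path: str) -> str:
    """Fold the redirected and volatile spellings of a key so one rule covers all of them."""
    p = path.lower()
    p = p.replace("\\wow6432node", "")                               # 32-bit process on a 64-bit host
    p = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", p)  # ControlSet001 etc.
    return p


def scan_registry_events(lines) -> list:
    """Return one finding per event whose key and value match a rule."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        path = normalise_path(m["path"])
        for pattern, bad_value, finding, technique in RULES:
            if re.search(pattern, path) and m["value"] == bad_value:
                findings.append({"path": m["path"], "value": m["value"],
                                 "finding": finding, "technique": technique})
    return findings


def by_technique(findings) -> Counter:
    return Counter(f["technique"] for f in findings)


def ev(path: str, value: str) -> str:
    return f'Set value (int)\t{path} = "{value}"'


HKLM = r"\REGISTRY\MACHINE"
# Constructed from the report's IOC rows (same keys and values), followed by two benign lines.
SAMPLE_EVENTS = [
    ev(HKLM + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "0"),
    ev(HKLM + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions", "0"),
    ev(HKLM + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications", "1"),
    ev(HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify", "1"),
    ev(HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride", "1"),
    ev(HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify", "1"),
    ev(HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify", "1"),
    ev(HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride", "1"),
    ev(HKLM + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify", "1"),
    ev(HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    # benign: the same policy value set to its secure default, and an unrelated per-user IE key
    ev(HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "1"),
    ev(r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total", "63"),
]


if __name__ == "__main__":
    found = scan_registry_events(SAMPLE_EVENTS)
    for f in found:
        print(f["technique"], f["finding"], "<-", f["path"])
    print(by_technique(found))
```

    Any one of these writes can have a legitimate cause (an administrator turning UAC off, a firewall product setting an override), so the useful alert is the combination: several rules firing from the same process inside a short window, which is exactly what the sample produced. DoNotAllowExceptions = "0" is deliberately not a rule; it re-enables firewall exceptions and is not on its own a tampering signal.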
Processes 7
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
      "C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe"
      Modifies firewall policy service
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:656
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    PID:1332
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    PID:1244
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:2036
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    PID:528
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    PID:696
Network
Downloads
  • memory/656-54-0x00000000755A1000-0x00000000755A3000-memory.dmp
  • memory/656-55-0x0000000001F50000-0x000000000300A000-memory.dmp
  • memory/656-57-0x0000000000370000-0x0000000000372000-memory.dmp
  • memory/656-56-0x0000000001F50000-0x000000000300A000-memory.dmp
  • memory/656-58-0x0000000005F80000-0x0000000006A3A000-memory.dmp