Analysis
-
max time kernel
172s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 22:03
Static task
static1
Behavioral task
behavioral1
Sample
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
Resource
win7-20220414-en
General
-
Target
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
-
Size
883KB
-
MD5
1a0cc91e3e90d89d7a717fd6d3787c64
-
SHA1
ce4323bc4033f2f81ee3903ac2fb7873f6bd0ade
-
SHA256
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a
-
SHA512
d67c64c1ac8a8935990ae86ffda9cf208348a29db0ccf1e513c550fe5b91beb55ab9700253d4f5030acd87765229a7971237ae38844e924a9a68b01dbb432b85
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Processes:
resource yara_rule behavioral2/memory/3724-130-0x00000000024B0000-0x000000000356A000-memory.dmp upx behavioral2/memory/3724-131-0x00000000024B0000-0x000000000356A000-memory.dmp upx -
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process File opened (read-only) \??\L: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\S: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\U: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\X: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\Z: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\F: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\K: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\J: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\O: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\R: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\E: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\G: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\Q: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\T: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\V: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\W: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\H: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\N: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\P: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\I: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened (read-only) \??\M: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process File opened for modification \??\PhysicalDrive0 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 11 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\7-Zip\7z.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Drops file in Windows directory 2 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process File created C:\Windows\e56e554 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe File opened for modification C:\Windows\SYSTEM.INI 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe = "11000" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com\Total = "63" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com\NumberOfSubdomains = "1" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\news.7654.com\ = "63" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exepid process 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription pid process Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Token: SeDebugPrivilege 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exepid process 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exepid process 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription pid process target process PID 3724 wrote to memory of 768 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 772 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 1020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe dwm.exe PID 3724 wrote to memory of 2972 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe sihost.exe PID 3724 wrote to memory of 3020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 2296 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe taskhostw.exe PID 3724 wrote to memory of 3164 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Explorer.EXE PID 3724 wrote to memory of 3260 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 3456 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe DllHost.exe PID 3724 wrote to memory of 3556 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe StartMenuExperienceHost.exe PID 3724 wrote to memory of 3624 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 3712 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe SearchApp.exe PID 3724 wrote to memory of 3860 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 2040 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe backgroundTaskHost.exe PID 3724 wrote to memory of 768 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 772 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 1020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe dwm.exe PID 3724 wrote to memory of 2972 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe sihost.exe PID 3724 wrote to memory of 3020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 2296 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe taskhostw.exe PID 3724 wrote to memory of 3164 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Explorer.EXE PID 3724 wrote to memory of 3260 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 3456 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe DllHost.exe PID 3724 wrote to memory of 3556 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe StartMenuExperienceHost.exe PID 3724 wrote to memory of 3624 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 3712 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe SearchApp.exe PID 3724 wrote to memory of 3860 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 2040 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe backgroundTaskHost.exe PID 3724 wrote to memory of 768 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 772 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 1020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe dwm.exe PID 3724 wrote to memory of 2972 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe sihost.exe PID 3724 wrote to memory of 3020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 2296 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe taskhostw.exe PID 3724 wrote to memory of 3164 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Explorer.EXE PID 3724 wrote to memory of 3260 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 3456 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe DllHost.exe PID 3724 wrote to memory of 3556 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe StartMenuExperienceHost.exe PID 3724 wrote to memory of 3624 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 3712 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe SearchApp.exe PID 3724 wrote to memory of 3860 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 2040 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe backgroundTaskHost.exe PID 3724 wrote to memory of 768 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 772 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 1020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe dwm.exe PID 3724 wrote to memory of 2972 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe sihost.exe PID 3724 wrote to memory of 3020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 2296 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe taskhostw.exe PID 3724 wrote to memory of 3164 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Explorer.EXE PID 3724 wrote to memory of 3260 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 3456 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe DllHost.exe PID 3724 wrote to memory of 3556 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe StartMenuExperienceHost.exe PID 3724 wrote to memory of 3624 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 3712 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe SearchApp.exe PID 3724 wrote to memory of 3860 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe RuntimeBroker.exe PID 3724 wrote to memory of 2040 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe backgroundTaskHost.exe PID 3724 wrote to memory of 4784 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe backgroundTaskHost.exe PID 3724 wrote to memory of 768 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 772 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe fontdrvhost.exe PID 3724 wrote to memory of 1020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe dwm.exe PID 3724 wrote to memory of 2972 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe sihost.exe PID 3724 wrote to memory of 3020 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe svchost.exe PID 3724 wrote to memory of 2296 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe taskhostw.exe PID 3724 wrote to memory of 3164 3724 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe Explorer.EXE -
System policy modification 1 TTPs 1 IoCs
Processes:
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe"C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe"2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵