General
Target: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
Filesize: 883KB
Completed: 20-05-2022 22:07
Task: behavioral2
Score: 10/10
MD5: 1a0cc91e3e90d89d7a717fd6d3787c64
SHA1: ce4323bc4033f2f81ee3903ac2fb7873f6bd0ade
SHA256: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a
SHA512: d67c64c1ac8a8935990ae86ffda9cf208348a29db0ccf1e513c550fe5b91beb55ab9700253d4f5030acd87765229a7971237ae38844e924a9a68b01dbb432b85

Malware Config (extracted)
Family: sality
C2:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif

Signatures (20)
Tactics: Defense Evasion, Discovery, Lateral Movement, Persistence, Privilege Escalation
  • Modifies firewall policy service
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    TTPs: Modify Registry, Modify Existing Service
    Reported IOCs (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Sality
    Description: Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass
    TTPs: Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Windows security bypass
    TTPs: Disabling Security Tools, Modify Registry
  • UPX packed file
    Description: Detects executables packed with UPX/modified UPX open source packer.
    Reported IOCs (resource | yara_rule):
    behavioral2/memory/3724-130-0x00000000024B0000-0x000000000356A000-memory.dmp | upx
    behavioral2/memory/3724-131-0x00000000024B0000-0x000000000356A000-memory.dmp | upx
  • Windows security modification
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    TTPs: Disabling Security Tools, Modify Registry
    Reported IOCs (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Checks whether UAC is enabled
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    TTPs: System Information Discovery
    Reported IOCs (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Enumerates connected drives
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
    Reported IOCs (description | ioc | process):
    File opened (read-only) | \??\L: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\S: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\U: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\X: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\Z: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\F: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\K: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\J: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\O: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\R: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\E: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\G: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\Q: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\T: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\V: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\W: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\H: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\N: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\P: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\I: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened (read-only) | \??\M: | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Writes to the Master Boot Record (MBR)
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Description: Bootkits write to the MBR to gain persistence at a level below the operating system.
    TTPs: Bootkit
    Reported IOCs (description | ioc | process):
    File opened for modification | \??\PhysicalDrive0 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Drops autorun.inf file
    Description: Malware can abuse Windows Autorun to spread further via attached volumes.
    TTPs: Replication Through Removable Media
  • Drops file in Program Files directory
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Reported IOCs (description | ioc | process):
    File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\7z.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Program Files\7-Zip\7zG.exe | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Drops file in Windows directory
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Reported IOCs (description | ioc | process):
    File created | C:\Windows\e56e554 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    File opened for modification | C:\Windows\SYSTEM.INI | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery
  • Modifies Internet Explorer settings
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    TTPs: Modify Registry
    Reported IOCs (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe = "11000" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com\Total = "63" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\7654.com\NumberOfSubdomains = "1" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\news.7654.com\ = "63" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious behavior: EnumeratesProcesses
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Reported IOCs (pid | process):
    3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of AdjustPrivilegeToken
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Reported IOCs (description | pid | process):
    Token: SeDebugPrivilege | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of FindShellTrayWindow
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Reported IOCs (pid | process):
    3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of SetWindowsHookEx
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Reported IOCs (pid | process):
    3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
  • Suspicious use of WriteProcessMemory
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    Reported IOCs (description | pid | process | target process):
    PID 3724 wrote to memory of 768 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | fontdrvhost.exe
    PID 3724 wrote to memory of 772 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | fontdrvhost.exe
    PID 3724 wrote to memory of 1020 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | dwm.exe
    PID 3724 wrote to memory of 2972 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | sihost.exe
    PID 3724 wrote to memory of 3020 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | svchost.exe
    PID 3724 wrote to memory of 2296 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | taskhostw.exe
    PID 3724 wrote to memory of 3164 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | Explorer.EXE
    PID 3724 wrote to memory of 3260 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | svchost.exe
    PID 3724 wrote to memory of 3456 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | DllHost.exe
    PID 3724 wrote to memory of 3556 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | StartMenuExperienceHost.exe
    PID 3724 wrote to memory of 3624 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | RuntimeBroker.exe
    PID 3724 wrote to memory of 3712 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | SearchApp.exe
    PID 3724 wrote to memory of 3860 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | RuntimeBroker.exe
    PID 3724 wrote to memory of 2040 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | backgroundTaskHost.exe
    PID 3724 wrote to memory of 4784 | 3724 | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe | backgroundTaskHost.exe
  • System policy modification
    Process: 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
    TTPs: Modify Registry
    Reported IOCs (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
Processes (17)
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:768
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    PID:1020
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:772
  • C:\Windows\system32\sihost.exe
    sihost.exe
    PID:2972
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:3020
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID:3260
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3624
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3860
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:3712
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3556
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3456
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
      "C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe"
      Modifies firewall policy service
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3724
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:2296
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
    PID:2040
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
    PID:4784
  • C:\Windows\System32\wuapihost.exe
    C:\Windows\System32\wuapihost.exe -Embedding
    PID:2028