sality | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Windows security bypass 2 TTPs 12 IoCs

Disabling Security Tools

Modify Registry

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Sality - Fake Opera User-Agent
suricata: ET MALWARE Sality - Fake Opera User-Agent
suricata
suricata: ET MALWARE Win32.Sality-GR Checkin
suricata: ET MALWARE Win32.Sality-GR Checkin
suricata
Contacts a large (845) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	Au_.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

892 Au_.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2308 netsh.exe
2248 netsh.exe

pid	process
892	Au_.exe

pid	process
2308	netsh.exe
2248	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4896-131-0x0000000002600000-0x0000000003633000-memory.dmp	upx
behavioral2/memory/4896-133-0x0000000002600000-0x0000000003633000-memory.dmp	upx
behavioral2/memory/892-140-0x0000000005400000-0x0000000006433000-memory.dmp	upx
behavioral2/memory/892-143-0x0000000005400000-0x0000000006433000-memory.dmp	upx
behavioral2/memory/892-145-0x0000000005400000-0x0000000006433000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

Au_.exe

pid process

892 Au_.exe

pid	process
892	Au_.exe

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

Processes:

Au_.exea96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Au_.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jvisualvm.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\rmid.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\keytool.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\policytool.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\protocolhandler.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jabswitch.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\OLicenseHeartbeat.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\GRAPH.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\VPREVIEW.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\pack200.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\rmid.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\CLIENT\AppVDllSurrogate64.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\ktab.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\javah.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\serialver.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\officeappguardwin32.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX64\MICROSOFT ANALYSIS SERVICES\AS OLEDB\140\SQLDumper.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\Common.DBConnection.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\javap.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ADDINS\MICROSOFT POWER QUERY FOR EXCEL INTEGRATED\BIN\Microsoft.Mashup.Container.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\orbd.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\javaw.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\msoasb.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE16\LICLUA.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\servertool.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\xjc.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\FLTLDR.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jsadebugd.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\orbd.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SELFCERT.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\rmiregistry.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\policytool.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\CLIENT\AppVLP.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\javafxpackager.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jinfo.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\policytool.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\LIB\VISUALVM\PLATFORM\LIB\nbexec64.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\INTEGRATION\Integrator.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\misc.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOHTMED.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jarsigner.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jrunscript.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\servertool.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\MSOXMLED.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOInstaller.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\rmiregistry.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\msoadfsb.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\orbd.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\rmiregistry.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\javaw.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\java.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\javaws.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\keytool.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\wsgen.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\msoia.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOUC.EXE	Au_.exe
File opened for modification	C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\Common.DBConnection64.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\chrome_proxy.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\java-rmi.exe	Au_.exe

Drops file in Windows directory 1 IoCs

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exeAu_.exe

pid	process
4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe
892	Au_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe

description	pid	process
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Token: SeDebugPrivilege	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exeAu_.exe

description	pid	process	target process
PID 4896 wrote to memory of 2308	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	netsh.exe
PID 4896 wrote to memory of 2308	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	netsh.exe
PID 4896 wrote to memory of 2308	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	netsh.exe
PID 4896 wrote to memory of 804	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	fontdrvhost.exe
PID 4896 wrote to memory of 808	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	fontdrvhost.exe
PID 4896 wrote to memory of 64	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	dwm.exe
PID 4896 wrote to memory of 2332	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	sihost.exe
PID 4896 wrote to memory of 2344	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	svchost.exe
PID 4896 wrote to memory of 2464	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	taskhostw.exe
PID 4896 wrote to memory of 2432	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	Explorer.EXE
PID 4896 wrote to memory of 3188	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	svchost.exe
PID 4896 wrote to memory of 3384	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	DllHost.exe
PID 4896 wrote to memory of 3484	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	StartMenuExperienceHost.exe
PID 4896 wrote to memory of 3548	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	RuntimeBroker.exe
PID 4896 wrote to memory of 3632	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	SearchApp.exe
PID 4896 wrote to memory of 3820	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	RuntimeBroker.exe
PID 4896 wrote to memory of 4536	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	RuntimeBroker.exe
PID 4896 wrote to memory of 2308	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	netsh.exe
PID 4896 wrote to memory of 2308	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	netsh.exe
PID 4896 wrote to memory of 892	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	Au_.exe
PID 4896 wrote to memory of 892	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	Au_.exe
PID 4896 wrote to memory of 892	4896	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe	Au_.exe
PID 892 wrote to memory of 2248	892	Au_.exe	netsh.exe
PID 892 wrote to memory of 2248	892	Au_.exe	netsh.exe
PID 892 wrote to memory of 2248	892	Au_.exe	netsh.exe
PID 892 wrote to memory of 804	892	Au_.exe	fontdrvhost.exe
PID 892 wrote to memory of 808	892	Au_.exe	fontdrvhost.exe
PID 892 wrote to memory of 64	892	Au_.exe	dwm.exe
PID 892 wrote to memory of 2332	892	Au_.exe	sihost.exe
PID 892 wrote to memory of 2344	892	Au_.exe	svchost.exe
PID 892 wrote to memory of 2464	892	Au_.exe	taskhostw.exe
PID 892 wrote to memory of 2432	892	Au_.exe	Explorer.EXE
PID 892 wrote to memory of 3188	892	Au_.exe	svchost.exe
PID 892 wrote to memory of 3384	892	Au_.exe	DllHost.exe
PID 892 wrote to memory of 3484	892	Au_.exe	StartMenuExperienceHost.exe
PID 892 wrote to memory of 3548	892	Au_.exe	RuntimeBroker.exe
PID 892 wrote to memory of 3632	892	Au_.exe	SearchApp.exe
PID 892 wrote to memory of 3820	892	Au_.exe	RuntimeBroker.exe
PID 892 wrote to memory of 4536	892	Au_.exe	RuntimeBroker.exe
PID 892 wrote to memory of 2248	892	Au_.exe	netsh.exe
PID 892 wrote to memory of 2248	892	Au_.exe	netsh.exe
PID 892 wrote to memory of 804	892	Au_.exe	fontdrvhost.exe
PID 892 wrote to memory of 808	892	Au_.exe	fontdrvhost.exe
PID 892 wrote to memory of 64	892	Au_.exe	dwm.exe
PID 892 wrote to memory of 2332	892	Au_.exe	sihost.exe
PID 892 wrote to memory of 2344	892	Au_.exe	svchost.exe
PID 892 wrote to memory of 2464	892	Au_.exe	taskhostw.exe
PID 892 wrote to memory of 2432	892	Au_.exe	Explorer.EXE
PID 892 wrote to memory of 3188	892	Au_.exe	svchost.exe
PID 892 wrote to memory of 3384	892	Au_.exe	DllHost.exe
PID 892 wrote to memory of 3484	892	Au_.exe	StartMenuExperienceHost.exe
PID 892 wrote to memory of 3548	892	Au_.exe	RuntimeBroker.exe
PID 892 wrote to memory of 3632	892	Au_.exe	SearchApp.exe
PID 892 wrote to memory of 3820	892	Au_.exe	RuntimeBroker.exe
PID 892 wrote to memory of 4536	892	Au_.exe	RuntimeBroker.exe
PID 892 wrote to memory of 804	892	Au_.exe	fontdrvhost.exe
PID 892 wrote to memory of 808	892	Au_.exe	fontdrvhost.exe
PID 892 wrote to memory of 64	892	Au_.exe	dwm.exe
PID 892 wrote to memory of 2332	892	Au_.exe	sihost.exe
PID 892 wrote to memory of 2344	892	Au_.exe	svchost.exe
PID 892 wrote to memory of 2464	892	Au_.exe	taskhostw.exe
PID 892 wrote to memory of 2432	892	Au_.exe	Explorer.EXE
PID 892 wrote to memory of 3188	892	Au_.exe	svchost.exe
PID 892 wrote to memory of 3384	892	Au_.exe	DllHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
"C:\Users\Admin\AppData\Local\Temp\a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe"
2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4896

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:2308

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
3⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:892

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:2248

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:3448

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:4400

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:1804

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:3628

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:3152

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:4572

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:364

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:4016

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:2372

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:4560

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE"
4⤵
PID:3420

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2344

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2588

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4880

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2084

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4184

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry