sality | 533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c

Modify Existing Service

T1031

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fwynor.exe

Windows security bypass 2 TTPs 12 IoCs

Disabling Security Tools

Modify Registry

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fwynor.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	fwynor.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

fwynor.exe

pid process

2700 fwynor.exe

pid	process
2700	fwynor.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4740-131-0x0000000002810000-0x000000000389E000-memory.dmp	upx
behavioral2/memory/4740-135-0x0000000002810000-0x000000000389E000-memory.dmp	upx
behavioral2/memory/4740-138-0x0000000002810000-0x000000000389E000-memory.dmp	upx
behavioral2/memory/2700-140-0x0000000002700000-0x000000000378E000-memory.dmp	upx
behavioral2/memory/2700-142-0x0000000002700000-0x000000000378E000-memory.dmp	upx
behavioral2/memory/2700-143-0x0000000002700000-0x000000000378E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

Processes:

fwynor.exe533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	fwynor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	fwynor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

fwynor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\fwynor.exe"	fwynor.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fwynor.exe

Drops file in Program Files directory 11 IoCs

Processes:

fwynor.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	fwynor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	fwynor.exe

Drops file in Windows directory 1 IoCs

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

pid	process
4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe
2700	fwynor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe

description	pid	process
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Token: SeDebugPrivilege	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

description	pid	process	target process
PID 4740 wrote to memory of 808	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	fontdrvhost.exe
PID 4740 wrote to memory of 816	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	fontdrvhost.exe
PID 4740 wrote to memory of 416	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	dwm.exe
PID 4740 wrote to memory of 2416	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	sihost.exe
PID 4740 wrote to memory of 2452	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	svchost.exe
PID 4740 wrote to memory of 2564	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	taskhostw.exe
PID 4740 wrote to memory of 796	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	Explorer.EXE
PID 4740 wrote to memory of 3108	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	svchost.exe
PID 4740 wrote to memory of 3304	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	DllHost.exe
PID 4740 wrote to memory of 3392	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	StartMenuExperienceHost.exe
PID 4740 wrote to memory of 3468	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	RuntimeBroker.exe
PID 4740 wrote to memory of 3556	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	SearchApp.exe
PID 4740 wrote to memory of 3852	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	RuntimeBroker.exe
PID 4740 wrote to memory of 4368	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	RuntimeBroker.exe
PID 4740 wrote to memory of 2700	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	fwynor.exe
PID 4740 wrote to memory of 2700	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	fwynor.exe
PID 4740 wrote to memory of 2700	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	fwynor.exe
PID 4740 wrote to memory of 4888	4740	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe	backgroundTaskHost.exe
PID 2700 wrote to memory of 808	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 816	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 416	2700	fwynor.exe	dwm.exe
PID 2700 wrote to memory of 2416	2700	fwynor.exe	sihost.exe
PID 2700 wrote to memory of 2452	2700	fwynor.exe	svchost.exe
PID 2700 wrote to memory of 2564	2700	fwynor.exe	taskhostw.exe
PID 2700 wrote to memory of 796	2700	fwynor.exe	Explorer.EXE
PID 2700 wrote to memory of 3108	2700	fwynor.exe	svchost.exe
PID 2700 wrote to memory of 3304	2700	fwynor.exe	DllHost.exe
PID 2700 wrote to memory of 3392	2700	fwynor.exe	StartMenuExperienceHost.exe
PID 2700 wrote to memory of 3468	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 3556	2700	fwynor.exe	SearchApp.exe
PID 2700 wrote to memory of 3852	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 4368	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 4888	2700	fwynor.exe	backgroundTaskHost.exe
PID 2700 wrote to memory of 808	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 816	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 416	2700	fwynor.exe	dwm.exe
PID 2700 wrote to memory of 2416	2700	fwynor.exe	sihost.exe
PID 2700 wrote to memory of 2452	2700	fwynor.exe	svchost.exe
PID 2700 wrote to memory of 2564	2700	fwynor.exe	taskhostw.exe
PID 2700 wrote to memory of 796	2700	fwynor.exe	Explorer.EXE
PID 2700 wrote to memory of 3108	2700	fwynor.exe	svchost.exe
PID 2700 wrote to memory of 3304	2700	fwynor.exe	DllHost.exe
PID 2700 wrote to memory of 3392	2700	fwynor.exe	StartMenuExperienceHost.exe
PID 2700 wrote to memory of 3468	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 3556	2700	fwynor.exe	SearchApp.exe
PID 2700 wrote to memory of 3852	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 4368	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 808	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 816	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 416	2700	fwynor.exe	dwm.exe
PID 2700 wrote to memory of 2416	2700	fwynor.exe	sihost.exe
PID 2700 wrote to memory of 2452	2700	fwynor.exe	svchost.exe
PID 2700 wrote to memory of 2564	2700	fwynor.exe	taskhostw.exe
PID 2700 wrote to memory of 796	2700	fwynor.exe	Explorer.EXE
PID 2700 wrote to memory of 3108	2700	fwynor.exe	svchost.exe
PID 2700 wrote to memory of 3304	2700	fwynor.exe	DllHost.exe
PID 2700 wrote to memory of 3392	2700	fwynor.exe	StartMenuExperienceHost.exe
PID 2700 wrote to memory of 3468	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 3556	2700	fwynor.exe	SearchApp.exe
PID 2700 wrote to memory of 3852	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 4368	2700	fwynor.exe	RuntimeBroker.exe
PID 2700 wrote to memory of 808	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 816	2700	fwynor.exe	fontdrvhost.exe
PID 2700 wrote to memory of 416	2700	fwynor.exe	dwm.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exefwynor.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fwynor.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:816

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:416

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:4888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3556

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe
"C:\Users\Admin\AppData\Local\Temp\533be406ce5edf8ba5a2f02835fa6a96192f426d27a2e571dc69e35f0352cb6c.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4740

C:\ProgramData\fwynor.exe
"C:\ProgramData\fwynor.exe"
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2700

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

6

Bypass User Account Control

T1088

Disabling Security Tools

3