Analysis
-
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2022 14:43
Static task: static1
Behavioral task: behavioral1 (Sample 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, Resource win7-20220718-en)
Note: the results on this page come from the windows10-2004_x64 run (resource win10v2004-20220721-en; the memory dumps below are tagged behavioral2). That task's own row is not present in this copy of the task table, so the win7 resource listed above is not the platform on which the signatures below were observed.
General
-
Target: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
Size: 567KB
MD5: 742fa4d87468c0627133ec45629c692d
SHA1: d9bb92a9b3a050394f8008d76e94eb8cffb82787
SHA256: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2
SHA512: 70218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4
Malware Config
Extracted config, family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: svhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | svhost.exe
-
UAC bypass 1 IoCs (signature name as listed for svhost.exe in the process tree below)
Processes: svhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svhost.exe
-
Windows security bypass 6 IoCs (signature name as listed for svhost.exe in the process tree below)
Processes: svhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svhost.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: svhost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | svhost.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes: svhost.exe
pid | process
3696 | svhost.exe
-
UPX-packed memory regions 6 IoCs (this signature's heading is missing from the page; it is a memory-dump YARA match, rule upx, not one of the process-tree signatures)
resource | yara_rule
behavioral2/memory/3696-136-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/3696-140-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/3696-142-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/3696-141-0x0000000003610000-0x000000000469E000-memory.dmp | upx
behavioral2/memory/3696-145-0x0000000000400000-0x0000000000476000-memory.dmp | upx
behavioral2/memory/3696-146-0x0000000003610000-0x000000000469E000-memory.dmp | upx
-
Drops startup file 1 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.lnk | 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
-
Windows security modification 7 IoCs (signature name as listed for svhost.exe in the process tree below)
Processes: svhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | svhost.exe
-
Checks whether UAC is enabled 1 IoCs (signature name as listed for svhost.exe in the process tree below)
Processes: svhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svhost.exe
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svhost.exe
description | ioc | process
File opened (read-only) | \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter from E: to Z:, 22 entries) | svhost.exe
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: svhost.exe
description | ioc | process
File opened for modification | C:\autorun.inf | svhost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
description | pid | process | target process
PID 4956 set thread context of 3696 | 4956 | 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe | svhost.exe
The parent sets the thread context of the svhost.exe child it has just spawned (PID 3696), and the WriteProcessMemory signature below records seven writes from 4956 into 3696. Write-then-redirect-execution into a freshly created child is the pattern of code injection into that child, not a plain process start, so the on-disk Temp\svhost.exe is not necessarily what ran in PID 3696.
-
Drops file in Program Files directory 11 IoCs
Processes: svhost.exe
description | ioc | process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | svhost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | svhost.exe
All eleven targets are existing executables (7-Zip and Office Click-to-Run binaries) opened for modification rather than newly dropped files, which fits the PE file-infection behaviour of the Sality family named in the extracted config. On a real host these binaries should be treated as infected until their hashes are verified.
-
Drops file in Windows directory 1 IoCs
Processes: svhost.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | svhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour", but nothing in this run encrypts or renames user files; together with the E: to Z: drive-letter enumeration and the C:\autorun.inf write recorded above, the storage access here is consistent with removable-media spreading by the Sality family identified in the extracted config.
-
NTFS ADS 1 IoCs
Processes: cmd.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Windows\svhost.exe:Zone.Identifier | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, svhost.exe
pid | process | entries
4956 | 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe | 14
3696 | svhost.exe | 18
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, svhost.exe
description | pid | process
Token: SeDebugPrivilege | 4956 | 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
Token: SeDebugPrivilege | 3696 | svhost.exe (the remaining 63 of the 64 entries are all this line)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: svhost.exe
pid | process
3696 | svhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, cmd.exe, svhost.exe
The 64 entries collapsed to one line per (source, target) pair, with the number of times each pair occurs:
PID 4956 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe wrote to memory of 2572 cmd.exe (3)
PID 2572 cmd.exe wrote to memory of 4700 reg.exe (3)
PID 4956 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe wrote to memory of 3696 svhost.exe (7)
PID 3696 svhost.exe wrote to memory of 780 fontdrvhost.exe (4)
PID 3696 svhost.exe wrote to memory of 788 fontdrvhost.exe (4)
PID 3696 svhost.exe wrote to memory of 996 dwm.exe (4)
PID 3696 svhost.exe wrote to memory of 2432 sihost.exe (3)
PID 3696 svhost.exe wrote to memory of 2456 svchost.exe (3)
PID 3696 svhost.exe wrote to memory of 2732 taskhostw.exe (3)
PID 3696 svhost.exe wrote to memory of 2616 Explorer.EXE (3)
PID 3696 svhost.exe wrote to memory of 2652 svchost.exe (3)
PID 3696 svhost.exe wrote to memory of 3272 DllHost.exe (3)
PID 3696 svhost.exe wrote to memory of 3364 StartMenuExperienceHost.exe (3)
PID 3696 svhost.exe wrote to memory of 3432 RuntimeBroker.exe (3)
PID 3696 svhost.exe wrote to memory of 3524 SearchApp.exe (3)
PID 3696 svhost.exe wrote to memory of 3688 RuntimeBroker.exe (3)
PID 3696 svhost.exe wrote to memory of 4956 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe (2)
PID 3696 svhost.exe wrote to memory of 4984 RuntimeBroker.exe (2)
PID 3696 svhost.exe wrote to memory of 4948 RuntimeBroker.exe (2)
PID 3696 svhost.exe wrote to memory of 4352 backgroundTaskHost.exe (1)
PID 3696 svhost.exe wrote to memory of 4924 RuntimeBroker.exe (1)
PID 3696 svhost.exe wrote to memory of 4184 DllHost.exe (1)
-
System policy modification 1 TTPs 1 IoCs
Processes: svhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svhost.exe
Processes
-
Tree depth is shown in brackets; the first line of each entry is the image path and the indented line under it is the command line, followed by the signatures attributed to that process.
-
[1] C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
-
[1] C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
[1] C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
-
    [2] C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
        "C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe"
        - Drops startup file
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Windows\SysWOW64\cmd.exe
            "cmd.exe"
            - NTFS ADS
            - Suspicious use of WriteProcessMemory
-
            [4] C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows\svhost.exe.lnk" /f
                The Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is the per-user successor of the win.ini load= line and is executed at logon. Here it points at the .lnk in Roaming\Windows rather than at the executable itself, and the sample separately drops a Startup-folder .lnk of the same name (see Drops startup file above), so there are two logon persistence paths to clean up.
-
        [3] C:\Users\Admin\AppData\Local\Temp\svhost.exe
            "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
-
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
[1] C:\Windows\system32\sihost.exe
    sihost.exe
-
[1] C:\Windows\system32\dwm.exe
    "dwm.exe"
-
[1] C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[1] C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
-
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
[1] C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
-
[1] C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
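The registry and file IoCs in the Signatures section, together with the reg.exe command line in the process tree, are the kind of evidence worth re-checking across a fleet's EDR or sandbox telemetry. The script below is an added example written for this page; it is not code from the sandbox, from any vendor, or from the malware author. It assumes events arrive as plain dicts with an "op" key ("set_value", "create_file", "modify_file" or "cmdline") plus "process", "path" or "cmdline", and "data"; the sample events at the bottom are constructed from the IoCs above plus two benign controls. It normalises kernel-style registry paths (\REGISTRY\MACHINE, per-user SIDs, WOW6432Node, ControlSet001) onto one form, derives a registry write from a reg add command line so the same rules cover both, and flags the security-disabling values, the Load/Startup-folder persistence and the autorun.inf write.

```python
"""Post-hoc triage of registry/file telemetry for the Sality-style IoCs on
this page. Added example, not sandbox or vendor code; the event layout is an
assumption, adapt the loader to what your telemetry actually exports."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category process path data")

# Values that weaken the host when set to the listed data. Keys are in the
# form produced by normalise(): hklm\ or hku\ prefix, lower case, no
# WOW6432Node, ControlSetNNN -> currentcontrolset, per-user SID removed.
SECURITY_CENTER = r"hklm\software\microsoft\security center"
FIREWALL_PROFILE = (r"hklm\system\currentcontrolset\services\sharedaccess"
                    r"\parameters\firewallpolicy\standardprofile")
SUSPICIOUS_VALUES = {
    FIREWALL_PROFILE + r"\enablefirewall": "0",
    FIREWALL_PROFILE + r"\disablenotifications": "1",
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": "0",
    SECURITY_CENTER + r"\antivirusoverride": "1",
    SECURITY_CENTER + r"\antivirusdisablenotify": "1",
    SECURITY_CENTER + r"\firewalloverride": "1",
    SECURITY_CENTER + r"\firewalldisablenotify": "1",
    SECURITY_CENTER + r"\updatesdisablenotify": "1",
    SECURITY_CENTER + r"\uacdisablenotify": "1",
    r"hku\software\microsoft\windows\currentversion\policies\system\disableregistrytools": "1",
    # Standard policy value behind the "Disables Task Manager" signature;
    # the report names that signature but shows no IoC for it (assumption).
    r"hku\software\microsoft\windows\currentversion\policies\system\disabletaskmgr": "1",
}
# Legacy per-user logon value targeted by the reg.exe command in the tree.
PERSISTENCE_VALUES = {r"hku\software\microsoft\windows nt\currentversion\windows\load"}
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")
AUTORUN_INF = re.compile(r"^[a-z]:\\autorun\.inf$")
HIVE_PREFIXES = (
    ("\\registry\\machine\\", "hklm\\"), ("hkey_local_machine\\", "hklm\\"),
    ("\\registry\\user\\", "hku\\"), ("hkey_users\\", "hku\\"),
    ("hkey_current_user\\", "hku\\"), ("hkcu\\", "hku\\"),
)


def normalise(path):
    """Map kernel-style, WOW64 and per-user registry paths onto one form."""
    p = path.lower()
    for prefix, hive in HIVE_PREFIXES:
        if p.startswith(prefix):
            p = hive + p[len(prefix):]
            break
    p = re.sub(r"^hku\\s-1-5-21-[\d-]+\\", "hku\\\\", p)      # drop the user SID
    p = p.replace("\\wow6432node\\", "\\")                      # 32-bit view
    p = re.sub(r"\\controlset\d{3}\\", "\\\\currentcontrolset\\\\", p)
    return p


def _split_cmdline(cmdline):
    """Windows-style split: double-quoted runs stay together, quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def reg_add_to_event(cmdline, process):
    """Turn `reg add KEY /v NAME /d DATA ...` into a set_value event, else None."""
    argv = _split_cmdline(cmdline)
    if len(argv) < 3 or argv[1].lower() != "add":
        return None
    if argv[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    key, name, data, i = argv[2], "(default)", "", 3
    while i < len(argv):
        flag = argv[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(argv):
            if flag == "/v":
                name = argv[i + 1]
            elif flag == "/d":
                data = argv[i + 1]
            i += 2
        else:                      # /f, /ve, /reg:32 and anything unknown
            i += 1
    return {"op": "set_value", "process": process, "path": key + "\\" + name, "data": data}


def analyse(events):
    """Return a Finding for every event that matches one of the IoC classes."""
    findings = []
    for ev in events:
        if ev["op"] == "cmdline":
            ev = reg_add_to_event(ev["cmdline"], ev["process"])
            if ev is None:
                continue
        if ev["op"] == "set_value":
            key = normalise(ev["path"])
            if SUSPICIOUS_VALUES.get(key) == str(ev["data"]):
                findings.append(Finding("security_disabled", ev["process"], ev["path"], ev["data"]))
            elif key in PERSISTENCE_VALUES:
                findings.append(Finding("persistence", ev["process"], ev["path"], ev["data"]))
        elif ev["op"] in ("create_file", "modify_file"):
            p = ev["path"].lower()
            if STARTUP_LNK.search(p):
                findings.append(Finding("persistence", ev["process"], ev["path"], None))
            elif AUTORUN_INF.match(p):
                findings.append(Finding("autorun_spread", ev["process"], ev["path"], None))
    return findings


# Constructed sample: IoCs from this report, then two benign controls.
SAMPLE = "5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe"
SAMPLE_EVENTS = [
    {"op": "set_value", "process": "svhost.exe", "data": "0",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"op": "set_value", "process": "svhost.exe", "data": "0",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"op": "set_value", "process": "svhost.exe", "data": "1",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"op": "set_value", "process": "svhost.exe", "data": "1",
     "path": r"\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools"},
    {"op": "cmdline", "process": "reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows\svhost.exe.lnk" /f'},
    {"op": "create_file", "process": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.lnk"},
    {"op": "modify_file", "process": "svhost.exe", "path": r"C:\autorun.inf"},
    {"op": "set_value", "process": "svchost.exe", "data": "1",   # firewall turned ON: benign
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"op": "create_file", "process": "notepad.exe", "path": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.category:18} {f.process:12} {f.path} = {f.data}")
```

Run stand-alone, it reports seven findings for the constructed sample (four security_disabled, two persistence, one autorun_spread) and nothing for the two benign events. The normalisation step is what makes the rules portable: the same EnableLUA write appears as \REGISTRY\MACHINE\... in a sandbox log, HKLM\... in a Sysmon event and hkey_local_machine\... in some EDR exports, and a 32-bit process on x64 writes Security Center values under WOW6432Node, exactly as this report shows.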
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe (listed twice in the report)
Filesize: 1.6MB
MD5: 1c9ff7df71493896054a91bee0322ebf
SHA1: 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256: e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512: aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab
-
C:\Users\Admin\AppData\Roaming\Windows\svhost.exe
Filesize: 567KB
MD5: 742fa4d87468c0627133ec45629c692d
SHA1: d9bb92a9b3a050394f8008d76e94eb8cffb82787
SHA256: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2
SHA512: 70218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4
Note: the Roaming\Windows\svhost.exe hashes are identical to the submitted sample's (General section above), so that file is a self-copy of the original; the 1.6MB Temp\svhost.exe is a different file, and its process (PID 3696) is the one carrying every security-modification signature in this report. Hunt for both hashes.
-
memory/2572-132-0x0000000000000000-mapping.dmp
-
memory/3696-140-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize 472KB
-
memory/3696-135-0x0000000000000000-mapping.dmp
-
memory/3696-136-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize 472KB
-
memory/3696-142-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize 472KB
-
memory/3696-141-0x0000000003610000-0x000000000469E000-memory.dmp  Filesize 16.6MB
-
memory/3696-145-0x0000000000400000-0x0000000000476000-memory.dmp  Filesize 472KB
-
memory/3696-146-0x0000000003610000-0x000000000469E000-memory.dmp  Filesize 16.6MB
-
memory/4700-133-0x0000000000000000-mapping.dmp
-
memory/4956-131-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize 5.7MB
-
memory/4956-130-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize 5.7MB
-
memory/4956-147-0x00000000752E0000-0x0000000075891000-memory.dmp  Filesize 5.7MB