Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2022 21:23

Static task: static1
Behavioral task: behavioral1
Sample: b0b0b8c1e356acced8ae97b9fd448932.exe
Resource: win7-20220715-en

General
Target: b0b0b8c1e356acced8ae97b9fd448932.exe
Size: 131KB
MD5: b0b0b8c1e356acced8ae97b9fd448932
SHA1: b6b9c6f0bb858e5899e7cea98f7f43940b0235df
SHA256: 232f83fad3deda8644c603c068c057d8a163698efedc2c13651eebb46215375a
SHA512: 8914e78ea7ccb0ebff3367e69345a496e14637e54c436885559d2f7cd6a26e608202161aadfb69317f764bb00a6b6f14391935e1450f818edfcd0152509d9f6b
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Only the StandardProfile (private profile) key is written; these HKLM writes require an elevated token.

UAC bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b0b0b8c1e356acced8ae97b9fd448932.exe
EnableLUA = 0 disables UAC for every user on the host, but the change only takes effect after a reboot.

Windows security bypass 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
These are the legacy Security Center override and notification values; the WOW6432Node path shows the sample runs as a 32-bit process under WOW64, so the writes were redirected from the native HKLM\SOFTWARE\Microsoft\Security Center key.
UPX packed file 2 IoCs
YARA rule upx matched two dumps of the same region of PID 2256 (0x00A90000 to 0x01B4A000, about 17 MB, for a 131 KB file on disk).
resource | yara_rule
behavioral2/memory/2256-130-0x0000000000A90000-0x0000000001B4A000-memory.dmp | upx
behavioral2/memory/2256-132-0x0000000000A90000-0x0000000001B4A000-memory.dmp | upx
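A static counterpart to the memory-dump yara hit above, added here as an example and not the sandbox's own rule: it parses the PE section table by hand (no third-party library) and reports the two marks a UPX layer leaves behind, the UPX0/UPX1 section names and the "UPX!" header marker. The PE image is constructed by build_test_pe for the demonstration; a real check would pass the file bytes or the dumped region. Section names survive in a mapped image, which is why a rule written for files can also fire on a process-memory dump.

```python
"""Detect UPX packer marks in a PE image by parsing the section table.

Added example; the PE built below is constructed, not the analysed sample.
"""
import struct

UPX_MAGIC = b"UPX!"          # marker UPX writes into the packed header


def pe_section_names(image: bytes) -> list[str]:
    """Return the section names of a PE image (on-disk file or dumped image)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = image[table + 40 * i: table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name is 8 bytes
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def upx_indicators(image: bytes) -> dict:
    """Report UPX section names and whether the 'UPX!' marker is present."""
    names = pe_section_names(image)
    return {
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "upx_magic": UPX_MAGIC in image,
    }


def build_test_pe(section_names: list[str], trailer: bytes = b"") -> bytes:
    """Construct a minimal PE32 header with the given section names (test input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                                    # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + trailer


if __name__ == "__main__":
    packed = build_test_pe(["UPX0", "UPX1", ".rsrc"], trailer=b"\0UPX!\r\t")
    print(upx_indicators(packed))
    print(upx_indicators(build_test_pe([".text", ".data", ".rsrc"])))
```

A hit here only says the outer layer is UPX; with Sality the interesting code is what the stub unpacks, so the dumped region is the thing to analyse, not the 131 KB file.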
Windows security modification 7 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b0b0b8c1e356acced8ae97b9fd448932.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | b0b0b8c1e356acced8ae97b9fd448932.exe

Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b0b0b8c1e356acced8ae97b9fd448932.exe
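The registry rows above all follow one pattern: a security control is set to the value that switches it off. The script below, added here as an example and not part of the sandbox report, parses those "Set value" rows, translates the NT path (\REGISTRY\MACHINE) to the HKLM form an analyst types into reg.exe, and audits each write against a baseline of what a hardened host should carry. The baseline table is this example's assumption; it matches on the value name and the tail of the key so that ControlSet001 and CurrentControlSet, or the WOW6432Node and native views, compare the same way. DoNotAllowExceptions has no baseline entry on purpose: 0 is the Windows default, so the sample's write to it is not a weakening, and the audit reports it as observed rather than tampered.

```python
"""Audit registry 'Set value' rows from a sandbox report against a secure baseline.

Added example, not the sandbox's own logic. The rows are copied from the
report above; the BASELINE values are this example's assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows from the signature tables above, one per line.
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b0b0b8c1e356acced8ae97b9fd448932.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b0b0b8c1e356acced8ae97b9fd448932.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc b0b0b8c1e356acced8ae97b9fd448932.exe
"""

# Assumed secure baseline: (tail of key path, value name) -> expected data.
BASELINE = {
    ("FirewallPolicy\\StandardProfile", "EnableFirewall"): "1",
    ("FirewallPolicy\\StandardProfile", "DisableNotifications"): "0",
    ("Policies\\System", "EnableLUA"): "1",
    ("Security Center", "AntiVirusOverride"): "0",
    ("Security Center", "AntiVirusDisableNotify"): "0",
    ("Security Center", "FirewallOverride"): "0",
    ("Security Center", "FirewallDisableNotify"): "0",
    ("Security Center", "UpdatesDisableNotify"): "0",
    ("Security Center", "UacDisableNotify"): "0",
}

HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}
ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')


@dataclass
class RegWrite:
    key: str        # HKLM\... form of the key
    name: str       # value name
    data: str
    process: str


@dataclass
class Finding:
    write: RegWrite
    expected: Optional[str]   # None when the baseline has no opinion

    @property
    def status(self) -> str:
        if self.expected is None:
            return "no-baseline"
        return "tampered" if self.write.data != self.expected else "unchanged"


def to_hive_path(nt_path: str) -> str:
    """Translate an NT object-manager registry path to the HKLM\\... form."""
    for prefix, hive in HIVES.items():
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def parse_row(line: str) -> Optional[RegWrite]:
    """Parse one 'Set value (type) <key>\\<name> = "<data>" <process>' row; other rows give None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    _vtype, full_path, data, proc = m.groups()
    key, _, name = full_path.rpartition("\\")
    return RegWrite(to_hive_path(key), name, data, proc)


def audit(report_text: str) -> list[Finding]:
    """Match every parsed write against BASELINE; unmatched writes are kept as no-baseline."""
    findings = []
    for line in report_text.splitlines():
        w = parse_row(line)
        if w is None:
            continue
        expected = None
        for (key_tail, name), data in BASELINE.items():
            if w.name.lower() == name.lower() and w.key.lower().endswith(key_tail.lower()):
                expected = data
                break
        findings.append(Finding(w, expected))
    return findings


if __name__ == "__main__":
    for f in audit(REPORT_ROWS):
        note = f" (expected {f.expected!r})" if f.expected is not None else ""
        print(f"{f.status:12} {f.write.key}\\{f.write.name} = {f.write.data!r}{note}")
```

To turn the findings into a host check, query the same HKLM paths on the suspect machine (reg query, or Get-ItemProperty in PowerShell) and compare against the baseline column; remember that EnableLUA only takes effect after a reboot, so a host may show 0 while UAC is still enforcing.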
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\K: \??\M: \??\O: \??\P: \??\Q: \??\X: \??\Y: \??\I: \??\H: \??\R: \??\W: \??\Z: \??\F: \??\G: \??\N: \??\S: \??\T: \??\U: \??\V: \??\E: \??\L: \??\J: (22 roots, every letter E through Z, in the order opened) | b0b0b8c1e356acced8ae97b9fd448932.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File opened for modification | C:\autorun.inf | b0b0b8c1e356acced8ae97b9fd448932.exe
The drive sweep above is how the sample finds volumes to write to; the only autorun.inf written in this run is on the system drive. Windows 7 and later do not execute autorun.inf from non-optical removable media, so the file is a propagation mechanism against older hosts and a cheap host-level IoC on current ones.

Drops file in Program Files directory 11 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | b0b0b8c1e356acced8ae97b9fd448932.exe
Despite the signature name, all eleven are existing executables opened for write, not new drops. Sality is a file infector, so each of these should be treated as possibly infected and its hash compared with a known-good copy before it is trusted or reused.

Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\e56a722 | b0b0b8c1e356acced8ae97b9fd448932.exe
File opened for modification | C:\Windows\SYSTEM.INI | b0b0b8c1e356acced8ae97b9fd448932.exe
Sality records its infection state in SYSTEM.INI under an added [MCIDRV_VER] section; checking for that section is a quick triage step on a suspect host.
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid | process | events
2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 30

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process | events
Token: SeDebugPrivilege | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 64
Enabling SeDebugPrivilege is what allows the sample to open the system-owned processes it writes into below; it is only available to an elevated token.

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target pid | target process | rows
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 768 | fontdrvhost.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 776 | fontdrvhost.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 1020 | dwm.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 2508 | sihost.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 2604 | svchost.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 2864 | taskhostw.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 752 | Explorer.EXE | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 3100 | svchost.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 3308 | DllHost.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 3412 | StartMenuExperienceHost.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 3480 | RuntimeBroker.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 3564 | SearchApp.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 3788 | RuntimeBroker.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 4292 | RuntimeBroker.exe | 4
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 2076 | backgroundTaskHost.exe | 3
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 4588 | RuntimeBroker.exe | 3
wrote to memory of | 2256 | b0b0b8c1e356acced8ae97b9fd448932.exe | 3440 | backgroundTaskHost.exe | 2
The 64 rows are collapsed by target; the last column counts how often each target was written. Every target is a pre-existing Windows process and each is written repeatedly, so a detection keyed on one source process writing into many distinct system processes catches this pattern regardless of the sample's hash.
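The fan-out heuristic described above, as an added example that is not part of the sandbox report: it parses the report's "PID X wrote to memory of Y" rows, counts distinct targets per source process, and flags any source that wrote into at least min_targets distinct processes (the threshold of 5 is this example's choice). The first eight rows are copied from the table above; the helper.exe rows (PID 4100, a hypothetical name) are constructed as a benign contrast. can_write_memory shows how the same idea translates to a host log: WriteProcessMemory needs a handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION, which is the GrantedAccess field of a Sysmon Event ID 10 record.

```python
"""Flag a process that writes into many other processes, from sandbox report rows.

Added example, not the sandbox's own signature. The PID 4100 rows are constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed input: report rows one per line; the two helper.exe rows are made up.
SAMPLE_ROWS = """
PID 2256 wrote to memory of 768 2256 b0b0b8c1e356acced8ae97b9fd448932.exe fontdrvhost.exe
PID 2256 wrote to memory of 776 2256 b0b0b8c1e356acced8ae97b9fd448932.exe fontdrvhost.exe
PID 2256 wrote to memory of 1020 2256 b0b0b8c1e356acced8ae97b9fd448932.exe dwm.exe
PID 2256 wrote to memory of 2508 2256 b0b0b8c1e356acced8ae97b9fd448932.exe sihost.exe
PID 2256 wrote to memory of 2604 2256 b0b0b8c1e356acced8ae97b9fd448932.exe svchost.exe
PID 2256 wrote to memory of 752 2256 b0b0b8c1e356acced8ae97b9fd448932.exe Explorer.EXE
PID 2256 wrote to memory of 768 2256 b0b0b8c1e356acced8ae97b9fd448932.exe fontdrvhost.exe
PID 2256 wrote to memory of 1020 2256 b0b0b8c1e356acced8ae97b9fd448932.exe dwm.exe
PID 4100 wrote to memory of 4120 4100 helper.exe helper.exe
PID 4100 wrote to memory of 4120 4100 helper.exe helper.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")

# Win32 process access rights WriteProcessMemory requires on the target handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    src_name: str
    dst_pid: int
    dst_name: str


def parse_rows(text: str) -> list[MemWrite]:
    """Parse 'PID <src> wrote to memory of <dst> <src> <src name> <dst name>' rows."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src_pid, dst_pid, src_pid_again, src_name, dst_name = m.groups()
        if src_pid != src_pid_again:       # the row repeats the source PID; skip if inconsistent
            continue
        writes.append(MemWrite(int(src_pid), src_name, int(dst_pid), dst_name))
    return writes


def fan_out(writes: list[MemWrite]) -> dict[int, Counter]:
    """Per source PID, how many times it wrote into each (target pid, target name)."""
    table: dict[int, Counter] = defaultdict(Counter)
    for w in writes:
        table[w.src_pid][(w.dst_pid, w.dst_name)] += 1
    return dict(table)


def flag_injectors(writes: list[MemWrite], min_targets: int = 5) -> list[tuple[int, str, int, int]]:
    """(src_pid, src_name, distinct_targets, total_writes) for sources hitting >= min_targets processes."""
    names = {w.src_pid: w.src_name for w in writes}
    flagged = []
    for pid, targets in fan_out(writes).items():
        if len(targets) >= min_targets:
            flagged.append((pid, names[pid], len(targets), sum(targets.values())))
    return sorted(flagged, key=lambda row: -row[2])


def can_write_memory(granted_access: int) -> bool:
    """True if a process-handle access mask (e.g. Sysmon event 10 GrantedAccess) permits WriteProcessMemory."""
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return granted_access & need == need


if __name__ == "__main__":
    for pid, name, distinct, total in flag_injectors(parse_rows(SAMPLE_ROWS)):
        print(f"{name} (pid {pid}) wrote into {distinct} distinct processes, {total} writes")
```

On a real host the same rule runs over Sysmon Event ID 10 records grouped by SourceProcessId, keeping only those where can_write_memory(GrantedAccess) is true; the threshold needs tuning per environment, since debuggers and some security agents also open many processes with write access.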
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b0b0b8c1e356acced8ae97b9fd448932.exe
Processes
Depth 1 entries are pre-existing system processes; most appear here because the sample wrote into them (see WriteProcessMemory above). The sample itself is the only child process and was launched from Explorer.EXE.

1 ⤵ C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
1 ⤵ C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
1 ⤵ C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
1 ⤵ C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1 ⤵ C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
1 ⤵ C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1 ⤵ C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1 ⤵ C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1 ⤵ C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1 ⤵ C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
1 ⤵ C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1 ⤵ C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
1 ⤵ C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
1 ⤵ C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
  2 ⤵ C:\Users\Admin\AppData\Local\Temp\b0b0b8c1e356acced8ae97b9fd448932.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\b0b0b8c1e356acced8ae97b9fd448932.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
1 ⤵ C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1 ⤵ C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1 ⤵ C:\Windows\system32\sihost.exe
    cmdline: sihost.exe
1 ⤵ C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1 ⤵ C:\Windows\system32\BackgroundTransferHost.exe
    cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1 ⤵ C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1 ⤵ C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca