Analysis
max time kernel: 154s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 15:43
Behavioral task: behavioral1
Sample: 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Resource: win7-20220812-en
General
Target: 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Size: 416KB
MD5: 2bbb76dfa85550ef8f69f58006efb410
SHA1: 6811ec43e5216065ef28f4c88ad7717057cc1b07
SHA256: 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a
SHA512: 20b9e00fa199192370772cc98bee0eb9e152f1650d8e15f91fdd5e79b24d516e2f9428de3d6bb7939cd857a9dd20896c03b58fd6750989dfa167d3e61edb5d5e
SSDEEP: 12288:elQ8fXEBvuwjInnLEzRi1Al/P9QpNZ4PuYu7:ehEBWwMLgiU/PSrZ4PuT7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe scvshosts.exe" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Disables Task Manager via registry modification
Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid | Process
3184 | netsh.exe
resource | yara_rule
behavioral2/memory/4808-132-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral2/memory/4808-133-0x0000000003360000-0x0000000004393000-memory.dmp | upx
behavioral2/memory/4808-139-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral2/memory/4808-140-0x0000000003360000-0x0000000004393000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\scvshosts.exe" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\i: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\t: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\w: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\b: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\h: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\j: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\k: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\n: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\s: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\v: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\x: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\f: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\g: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\l: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\p: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\u: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\y: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\a: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\m: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\o: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\q: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\r: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened (read-only) | \??\z: | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4808-139-0x0000000000400000-0x00000000004A7000-memory.dmp | autoit_exe
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\setting.ini | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\WINDOWS\SysWOW64\SCVSHOSTS.EXE | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File created | C:\Windows\SysWOW64\scvshosts.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\Windows\SysWOW64\scvshosts.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File created | C:\Windows\SysWOW64\blastclnnn.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\Windows\SysWOW64\blastclnnn.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\Windows\SysWOW64\autorun.ini | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File created | C:\Windows\SysWOW64\setting.ini | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\scvshosts.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\Windows\scvshosts.exe | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File opened for modification | C:\Windows\SYSTEM.INI | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
File created | C:\Windows\hinhem.scr | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
(this identical row appears 64 times in the report)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
(this identical row appears 64 times in the report)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4808 wrote to memory of 780 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 78
PID 4808 wrote to memory of 788 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 9
PID 4808 wrote to memory of 332 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 16
PID 4808 wrote to memory of 3184 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 80
PID 4808 wrote to memory of 3184 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 80
PID 4808 wrote to memory of 3184 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 80
PID 4808 wrote to memory of 2372 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 21
PID 4808 wrote to memory of 2380 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 57
PID 4808 wrote to memory of 2476 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 22
PID 4808 wrote to memory of 2228 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 29
PID 4808 wrote to memory of 3108 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 53
PID 4808 wrote to memory of 3308 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 52
PID 4808 wrote to memory of 3404 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 38
PID 4808 wrote to memory of 3512 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 30
PID 4808 wrote to memory of 3620 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 33
PID 4808 wrote to memory of 3824 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 31
PID 4808 wrote to memory of 4700 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 34
PID 4808 wrote to memory of 4292 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 82
PID 4808 wrote to memory of 4292 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 82
PID 4808 wrote to memory of 4292 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 82
PID 4292 wrote to memory of 3448 | 4292 | cmd.exe | 84
PID 4292 wrote to memory of 3448 | 4292 | cmd.exe | 84
PID 4292 wrote to memory of 3448 | 4292 | cmd.exe | 84
PID 4808 wrote to memory of 1136 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 85
PID 4808 wrote to memory of 1136 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 85
PID 4808 wrote to memory of 1136 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 85
PID 1136 wrote to memory of 4752 | 1136 | cmd.exe | 87
PID 1136 wrote to memory of 4752 | 1136 | cmd.exe | 87
PID 1136 wrote to memory of 4752 | 1136 | cmd.exe | 87
PID 4808 wrote to memory of 780 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 78
PID 4808 wrote to memory of 788 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 9
PID 4808 wrote to memory of 332 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 16
PID 4808 wrote to memory of 2372 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 21
PID 4808 wrote to memory of 2380 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 57
PID 4808 wrote to memory of 2476 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 22
PID 4808 wrote to memory of 2228 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 29
PID 4808 wrote to memory of 3108 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 53
PID 4808 wrote to memory of 3308 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 52
PID 4808 wrote to memory of 3404 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 38
PID 4808 wrote to memory of 3512 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 30
PID 4808 wrote to memory of 3620 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 33
PID 4808 wrote to memory of 3824 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 31
PID 4808 wrote to memory of 4700 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 34
PID 4808 wrote to memory of 780 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 78
PID 4808 wrote to memory of 788 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 9
PID 4808 wrote to memory of 332 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 16
PID 4808 wrote to memory of 2372 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 21
PID 4808 wrote to memory of 2380 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 57
PID 4808 wrote to memory of 2476 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 22
PID 4808 wrote to memory of 2228 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 29
PID 4808 wrote to memory of 3108 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 53
PID 4808 wrote to memory of 3308 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 52
PID 4808 wrote to memory of 3404 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 38
PID 4808 wrote to memory of 3512 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 30
PID 4808 wrote to memory of 3620 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 33
PID 4808 wrote to memory of 3824 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 31
PID 4808 wrote to memory of 4700 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 34
PID 4808 wrote to memory of 780 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 78
PID 4808 wrote to memory of 788 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 9
PID 4808 wrote to memory of 332 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 16
PID 4808 wrote to memory of 2372 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 21
PID 4808 wrote to memory of 2380 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 57
PID 4808 wrote to memory of 2476 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 22
PID 4808 wrote to memory of 2228 | 4808 | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | 29
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe
Processes
(indentation shows the parent/child depth; each line is: image path | command line | PID)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 332
C:\Windows\system32\sihost.exe | sihost.exe | PID 2372
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2476
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 2228
  C:\Users\Admin\AppData\Local\Temp\5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe | "C:\Users\Admin\AppData\Local\Temp\5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a.exe" | PID 4808
    - Modifies WinLogon for persistence
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID 3184
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes | PID 4292
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\at.exe | AT /delete /yes | PID 3448
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe | PID 1136
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe | PID 4752
    C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID 5116
    C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID 4428
    C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID 1104
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3512
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3824
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3620
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4700
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3404
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3308
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3108
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2380
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
Network
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Bypass User Account Control: 1
- Disabling Security Tools: 3
- Modify Registry: 6