sality | b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Executes dropped EXE 2 IoCs

pid	Process
568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1760-55-0x0000000001FD0000-0x000000000305E000-memory.dmp	upx
behavioral1/memory/1760-57-0x0000000001FD0000-0x000000000305E000-memory.dmp	upx
behavioral1/memory/1760-61-0x0000000001FD0000-0x000000000305E000-memory.dmp	upx
behavioral1/memory/1760-101-0x0000000001FD0000-0x000000000305E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vqvkvf = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Vqvkvf.exe"	notepad.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Enumerates connected drives 3 TTPs 35 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\I:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\L:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\D:	notepad.exe
File opened (read-only)	\??\J:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\N:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\E:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\F:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\H:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\G:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\M:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\K:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
File opened (read-only)	\??\O:	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 568 set thread context of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
848	svchost.exe
880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
Token: SeDebugPrivilege	848	svchost.exe
Token: SeDebugPrivilege	1648	calc.exe
Token: SeDebugPrivilege	1568	notepad.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1112	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	5
PID 1760 wrote to memory of 1176	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	10
PID 1760 wrote to memory of 1204	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	7
PID 1760 wrote to memory of 1112	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	5
PID 1760 wrote to memory of 1176	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	10
PID 1760 wrote to memory of 1204	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	7
PID 1760 wrote to memory of 1112	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	5
PID 1760 wrote to memory of 1176	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	10
PID 1760 wrote to memory of 1204	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	7
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 1760 wrote to memory of 568	1760	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	27
PID 568 wrote to memory of 848	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	29
PID 568 wrote to memory of 848	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	29
PID 568 wrote to memory of 848	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	29
PID 568 wrote to memory of 848	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	29
PID 568 wrote to memory of 1648	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 568 wrote to memory of 1648	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 568 wrote to memory of 1648	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 568 wrote to memory of 1648	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 568 wrote to memory of 1648	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 568 wrote to memory of 1648	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 568 wrote to memory of 848	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	29
PID 848 wrote to memory of 1568	848	svchost.exe	30
PID 848 wrote to memory of 1568	848	svchost.exe	30
PID 848 wrote to memory of 1568	848	svchost.exe	30
PID 848 wrote to memory of 1568	848	svchost.exe	30
PID 848 wrote to memory of 1568	848	svchost.exe	30
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 568 wrote to memory of 880	568	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	31
PID 880 wrote to memory of 848	880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	29
PID 880 wrote to memory of 848	880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	29
PID 880 wrote to memory of 1648	880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 880 wrote to memory of 1648	880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	28
PID 880 wrote to memory of 1568	880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	30
PID 880 wrote to memory of 1568	880	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe	30

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
  "C:\Users\Admin\AppData\Local\Temp\b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
    "C:\Users\Admin\AppData\Local\Temp\b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\SysWOW64\calc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Adds Run key to start application
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\SysWOW64\notepad.exe"
        5⤵
        Adds Run key to start application
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe
      "C:\Users\Admin\AppData\Local\Temp\b9605f80ee0f224142ca3d2f614d618c64eb7d351ea21f95bc7d56fed56e69e6.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:880

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry