Analysis
-
max time kernel
73s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2022, 16:52
Static task
static1
Behavioral task
behavioral1
Sample
44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe
Resource
win7-20220812-en
windows7-x64
20 signatures
150 seconds
General
-
Target
44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe
-
Size
667KB
-
MD5
300e3f51957787fe3a0a27572a80ad20
-
SHA1
b2ddf592123cba982e04199f759a902f61f40b44
-
SHA256
44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460
-
SHA512
27170c020b651a172707b0be18b0fc875a294dca53a9e86c464bf115f629cab9caa13bbd58ba4636103e5164628050d89171e5697e125d5269f400ca622d1b12
-
SSDEEP
6144:uRC0LS6V23ltSpcW3Go+jE7RkCrphFbaSKh8KBQexaZm:uRC0OqAnSCW29ARkghNvGYeoZm
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 4952 WaterMark.exe -
resource yara_rule behavioral2/memory/1932-132-0x0000000003860000-0x00000000048EE000-memory.dmp upx behavioral2/memory/1932-135-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1932-136-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1932-140-0x0000000000400000-0x00000000004B2000-memory.dmp upx behavioral2/memory/1932-141-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4952-147-0x0000000000400000-0x00000000004B2000-memory.dmp upx behavioral2/memory/1932-145-0x0000000003860000-0x00000000048EE000-memory.dmp upx behavioral2/memory/4952-150-0x0000000000400000-0x00000000004B2000-memory.dmp upx behavioral2/memory/4952-152-0x0000000000400000-0x00000000004B2000-memory.dmp upx behavioral2/memory/4952-151-0x0000000000400000-0x00000000004B2000-memory.dmp upx behavioral2/memory/4952-156-0x0000000000400000-0x0000000000421000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px7EAA.tmp 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2658820904" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371522951" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987969" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2658820904" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C9DEC678-42B4-11ED-89AC-F6DE28FD18F9} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2658820904" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2665070994" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987969" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2665070994" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987969" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987969" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C9D79E87-42B4-11ED-89AC-F6DE28FD18F9} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987969" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987969" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2658820904" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe 4952 WaterMark.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5116 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe Token: SeDebugPrivilege 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4004 iexplore.exe 5116 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4004 iexplore.exe 4004 iexplore.exe 5116 iexplore.exe 5116 iexplore.exe 316 IEXPLORE.EXE 316 IEXPLORE.EXE 260 IEXPLORE.EXE 260 IEXPLORE.EXE 316 IEXPLORE.EXE 316 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 4952 WaterMark.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 1932 wrote to memory of 772 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 83 PID 1932 wrote to memory of 780 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 82 PID 1932 wrote to memory of 1012 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 79 PID 1932 wrote to memory of 2368 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 53 PID 1932 wrote to memory of 2384 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 52 PID 1932 wrote to memory of 2660 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 44 PID 1932 wrote to memory of 2204 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 41 PID 1932 wrote to memory of 2952 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 40 PID 1932 wrote to memory of 3264 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 39 PID 1932 wrote to memory of 3368 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 38 PID 1932 wrote to memory of 3432 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 37 PID 1932 wrote to memory of 3508 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 36 PID 1932 wrote to memory of 3708 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 35 PID 1932 wrote to memory of 4952 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 63 PID 1932 wrote to memory of 4952 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 63 PID 1932 wrote to memory of 4952 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 63 PID 1932 wrote to memory of 1308 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 20 PID 1932 wrote to memory of 4688 1932 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe 15 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 1060 4952 WaterMark.exe 75 PID 4952 wrote to memory of 4004 4952 WaterMark.exe 84 PID 4952 wrote to memory of 4004 4952 WaterMark.exe 84 PID 4952 wrote to memory of 5116 4952 WaterMark.exe 85 PID 4952 wrote to memory of 5116 4952 WaterMark.exe 85 PID 4004 wrote to memory of 260 4004 iexplore.exe 87 PID 4004 wrote to memory of 260 4004 iexplore.exe 87 PID 4004 wrote to memory of 260 4004 iexplore.exe 87 PID 5116 wrote to memory of 316 5116 iexplore.exe 86 PID 5116 wrote to memory of 316 5116 iexplore.exe 86 PID 5116 wrote to memory of 316 5116 iexplore.exe 86 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe
Processes
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe"C:\Users\Admin\AppData\Local\Temp\44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1932 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:1060
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4004 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:260
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:316
-
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1308
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3708
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3508
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3432
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3368
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2952
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2204
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2660
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2384
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2368
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1012
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
667KB
MD5300e3f51957787fe3a0a27572a80ad20
SHA1b2ddf592123cba982e04199f759a902f61f40b44
SHA25644c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460
SHA51227170c020b651a172707b0be18b0fc875a294dca53a9e86c464bf115f629cab9caa13bbd58ba4636103e5164628050d89171e5697e125d5269f400ca622d1b12
-
Filesize
667KB
MD5300e3f51957787fe3a0a27572a80ad20
SHA1b2ddf592123cba982e04199f759a902f61f40b44
SHA25644c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460
SHA51227170c020b651a172707b0be18b0fc875a294dca53a9e86c464bf115f629cab9caa13bbd58ba4636103e5164628050d89171e5697e125d5269f400ca622d1b12
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5fd70739fca5345a28f924f9102ae10ee
SHA16ce3f92183544f3bf52cb76364591589cb940a19
SHA256f238404cc643efddef8ff430f128cdc8ec1513969eaac24b5e5bce81248a91e7
SHA512a787d3a2bceeaed2f2a29f357df6ae17d5b9f66a3c561550d5f83c308ad26a1ddf876488151ff5e51ce93bfb9d0c7b8ca812d595e8d3ebdda7d805707ac1b278
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5fd70739fca5345a28f924f9102ae10ee
SHA16ce3f92183544f3bf52cb76364591589cb940a19
SHA256f238404cc643efddef8ff430f128cdc8ec1513969eaac24b5e5bce81248a91e7
SHA512a787d3a2bceeaed2f2a29f357df6ae17d5b9f66a3c561550d5f83c308ad26a1ddf876488151ff5e51ce93bfb9d0c7b8ca812d595e8d3ebdda7d805707ac1b278
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD547a5c78770e7ed0d11d89cb045cc7303
SHA1161a8e501ffa447954b1e4d8b1161129aa47002b
SHA256b7d85489e67ac7c9ca467b05e738db0e15474b791cb8c2197c75cb8fde29b4ac
SHA512b8bcbacdd7132580e5e0e1c6e7db9512ba16cd5650b20289703c5b01b70d2dc597882c7617e200849f9c98aff312068d6f5fec7fb2f34d92c1ffe0f2942c5b63
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5423e86aec034ce55bc2bde9f8de664ff
SHA17016bc3685bfd9796606065a4545ab3d3a80ed08
SHA25691fde2f7a4afaacaf2a291fe9ae06844d57dfffb71c7ec0857acfa901d14bfb6
SHA512bb6359221b9ad4146c5193b25956029dbe4d1d55c826ee9174eff30f78aaefb125d21e2b9eaf9610c65a9d54fab2fcdac529fda03f77726c49e4a7dd2932b167
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5423e86aec034ce55bc2bde9f8de664ff
SHA17016bc3685bfd9796606065a4545ab3d3a80ed08
SHA25691fde2f7a4afaacaf2a291fe9ae06844d57dfffb71c7ec0857acfa901d14bfb6
SHA512bb6359221b9ad4146c5193b25956029dbe4d1d55c826ee9174eff30f78aaefb125d21e2b9eaf9610c65a9d54fab2fcdac529fda03f77726c49e4a7dd2932b167
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9D79E87-42B4-11ED-89AC-F6DE28FD18F9}.dat
Filesize5KB
MD5b926d14c2e151fe020d69e241c8a4aa5
SHA18a0f51b7bd5f1aac402c9a1ad1f687d94340a7d0
SHA256f8fab701d5a2f84c72c65fbb759247872029c3dbd8043f9588b8c4724b618f31
SHA512d0efb876fd0e1c2248d7a07a6549e71b6f6a38e43445d5ad6e1ed4b2792d103c72dcc87e80b5651f4f3840964a11e8789b98f8096ba6a3093529f2d8f63d777e
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9DEC678-42B4-11ED-89AC-F6DE28FD18F9}.dat
Filesize5KB
MD57f66d2d2f1d27fba217774b098797cc5
SHA16059cf3c36a0e77c06ab079c644b2e3b55b41d48
SHA256b5424e88db278d1d9263e32d51954d8c831513ca1f50dd0a4d52b6dc2fc94e53
SHA512fa196141fa61667eb7c125c9d3557a23f696ccf4806fe0e0467c3a8ac19c86ef5ea03edc6150c6577cf61eadd2862432143a63c601f29b11ca81c077c26493e0