Analysis
max time kernel: 150s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 18:24
Static task: static1
Behavioral task: behavioral1
Sample: 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Resource: win7-20220901-en
General
Target: 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Size: 483KB
MD5: 4385ccf2a9cda0dcd34e04701a84051d
SHA1: fcff233674fff4aae2c7ef4b5404eaea4b7ca55f
SHA256: 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca
SHA512: c31ce2b141748ea8fdaae50fb7bd18781da7e5d85e19a915af6e24166adfc8a0d6dc3d78f7813c20cb9df2815b9c77a3f07741a9bca8a4c6926807b19da4c46b
SSDEEP: 6144:ioLY3VafUTGekL7sHRn+ZZGzLI2hXWaBn4GgmRhXjxS6fgALAo4pg+dFu121GvOl:+MU/kviR+WzE2lBFr5zpN2EFBLehuq
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | netsh.exe

Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | netsh.exe

Disables Task Manager via registry modification
Modifies Windows Firewall 1 TTPs 2 IoCs
pid | Process
2992 | netsh.exe
1096 | netsh.exe

UPX-packed memory regions (yara)
resource | yara_rule
behavioral2/memory/852-133-0x00000000022D0000-0x0000000003303000-memory.dmp | upx
behavioral2/memory/852-135-0x00000000022D0000-0x0000000003303000-memory.dmp | upx
behavioral2/memory/1096-137-0x00000000031F0000-0x0000000004223000-memory.dmp | upx
behavioral2/memory/1096-140-0x00000000031F0000-0x0000000004223000-memory.dmp | upx

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
1096 | netsh.exe
1096 | netsh.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 43 IoCs
description | pid | Process | procid_target
PID 852 wrote to memory of 1096 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 84
PID 852 wrote to memory of 1096 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 84
PID 852 wrote to memory of 1096 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 84
PID 852 wrote to memory of 800 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 8
PID 852 wrote to memory of 808 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 80
PID 852 wrote to memory of 376 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 77
PID 852 wrote to memory of 2372 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 14
PID 852 wrote to memory of 2408 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 53
PID 852 wrote to memory of 2460 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 50
PID 852 wrote to memory of 740 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 42
PID 852 wrote to memory of 3196 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 41
PID 852 wrote to memory of 3380 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 40
PID 852 wrote to memory of 3468 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 39
PID 852 wrote to memory of 3644 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 15
PID 852 wrote to memory of 3724 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 38
PID 852 wrote to memory of 3872 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 37
PID 852 wrote to memory of 4796 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 34
PID 852 wrote to memory of 4240 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 18
PID 852 wrote to memory of 4972 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 17
PID 852 wrote to memory of 1096 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 84
PID 852 wrote to memory of 1096 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 84
PID 852 wrote to memory of 820 | 852 | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | 85
PID 1096 wrote to memory of 2992 | 1096 | netsh.exe | 86
PID 1096 wrote to memory of 2992 | 1096 | netsh.exe | 86
PID 1096 wrote to memory of 2992 | 1096 | netsh.exe | 86
PID 1096 wrote to memory of 800 | 1096 | netsh.exe | 8
PID 1096 wrote to memory of 808 | 1096 | netsh.exe | 80
PID 1096 wrote to memory of 376 | 1096 | netsh.exe | 77
PID 1096 wrote to memory of 2372 | 1096 | netsh.exe | 14
PID 1096 wrote to memory of 2408 | 1096 | netsh.exe | 53
PID 1096 wrote to memory of 2460 | 1096 | netsh.exe | 50
PID 1096 wrote to memory of 740 | 1096 | netsh.exe | 42
PID 1096 wrote to memory of 3196 | 1096 | netsh.exe | 41
PID 1096 wrote to memory of 3380 | 1096 | netsh.exe | 40
PID 1096 wrote to memory of 3468 | 1096 | netsh.exe | 39
PID 1096 wrote to memory of 3644 | 1096 | netsh.exe | 15
PID 1096 wrote to memory of 3724 | 1096 | netsh.exe | 38
PID 1096 wrote to memory of 3872 | 1096 | netsh.exe | 37
PID 1096 wrote to memory of 4796 | 1096 | netsh.exe | 34
PID 1096 wrote to memory of 4972 | 1096 | netsh.exe | 17
PID 1096 wrote to memory of 820 | 1096 | netsh.exe | 85
PID 1096 wrote to memory of 2992 | 1096 | netsh.exe | 86
PID 1096 wrote to memory of 2992 | 1096 | netsh.exe | 86
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe
Processes
Each entry is: image path | command line | PID. Indentation shows the parent/child relationship.

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:800
C:\Windows\system32\sihost.exe | sihost.exe | PID:2372
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3644
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4972
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4240
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4796
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3872
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3724
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3468
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3380
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3196
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:740
  C:\Users\Admin\AppData\Local\Temp\5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe | "C:\Users\Admin\AppData\Local\Temp\5cc15956e081b113955aa82356912fc21878db1d34e5037f230a5c068b249bca.exe" | PID:852
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:1096
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Modifies Windows Firewall
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:820
      C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:2992
        - Modifies Windows Firewall
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2460
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2408
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:376
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:808
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 258B
MD5: e3cf22df86fcf85e1352d73fa62d328b
SHA1: 55b066a26c4b1ea05187ac5fe7592ed0c6032b17
SHA256: df5e8818af4491ca690c592d17acdec9175a58541230a2bddd8bf7b8138affbc
SHA512: fb7ef902967f04f02113c811f9371e07240f9897a42b12dac4d32ce86ad6b90f8fd0e41b4eb75e1fb159761acf59839ff4eceb19551e850be56f248a2047777d