Analysis
- max time kernel: 144s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 18:09
Behavioral task: behavioral1
- Sample: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
- Resource: win7-20220812-en
General
- Target: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
- Size: 105KB
- MD5: 02f376268da07095c9978dcaec6488e9
- SHA1: 5ee6cbc3d725452117d2a2af08d96a50f460971e
- SHA256: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb
- SHA512: 62094687040271acddfbf4b223ded049f07d2ee8bde4e7c9e67bd771dac8a255515e25ea9b4d3bf9095fe2c7f07c7ea1862d2ff7604f24a18124b652b92f9782
- SSDEEP: 3072:odKr0ExPTJ5Gx1lB6jm9wadIhwG25MgN9yjR:oqxxPK1mjm9w1yLNAjR
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
UAC bypass
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Windows security bypass
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
380 | takeown.exe
4400 | icacls.exe
Processes:
resource | yara_rule
behavioral2/memory/4132-132-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/4132-134-0x0000000000400000-0x0000000000430000-memory.dmp | upx
behavioral2/memory/4132-137-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/4132-139-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
380 | takeown.exe
4400 | icacls.exe
Windows security modification
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Checks whether UAC is enabled
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Drops file in Windows directory (1 IoCs)
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
pid | process
4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | pid | process
Token: SeDebugPrivilege | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe (this identical row is listed 64 times in the report)
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe, cmd.exe
description | pid | process | target process
PID 4132 wrote to memory of 1848 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | cmd.exe (3 identical rows)
PID 1848 wrote to memory of 380 | 1848 | cmd.exe | takeown.exe (3 identical rows)
PID 4132 wrote to memory of 772 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | fontdrvhost.exe
PID 1848 wrote to memory of 4400 | 1848 | cmd.exe | icacls.exe (3 identical rows)
PID 4132 wrote to memory of 780 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | fontdrvhost.exe
PID 4132 wrote to memory of 1012 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | dwm.exe
PID 4132 wrote to memory of 2368 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | sihost.exe
PID 4132 wrote to memory of 2384 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | svchost.exe
PID 4132 wrote to memory of 2660 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | taskhostw.exe
PID 4132 wrote to memory of 2204 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | Explorer.EXE
PID 4132 wrote to memory of 2952 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | svchost.exe
PID 4132 wrote to memory of 3264 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | DllHost.exe
PID 4132 wrote to memory of 3368 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | StartMenuExperienceHost.exe
PID 4132 wrote to memory of 3432 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | RuntimeBroker.exe
PID 4132 wrote to memory of 3508 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | SearchApp.exe
PID 4132 wrote to memory of 3708 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | RuntimeBroker.exe
PID 4132 wrote to memory of 1308 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | RuntimeBroker.exe
PID 4132 wrote to memory of 1708 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | backgroundTaskHost.exe
PID 4132 wrote to memory of 4952 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | Conhost.exe
PID 4132 wrote to memory of 1848 | 4132 | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe | cmd.exe (2 identical rows)
System policy modification (1 TTPs, 1 IoCs)
Processes: d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
Processes (indentation shows the parent/child relationship)
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d32bdcd96a6860a49ce2d25fbc469a69ab43e30388f7761c6e51725168aa46cb.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\System32\Conhost.exe
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\takeown.exe
        command line: TAKEOWN /F ""
        - Possible privilege escalation attempt
        - Modifies file permissions
      - C:\Windows\SysWOW64\icacls.exe
        command line: ICACLS "" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\banish.cmd
  Filesize: 760B
  MD5: 4f4199874adea9219f1e4ad27d97d9c4
  SHA1: dc1dae4f4865f84e1d0f572cacd94f48b83fa289
  SHA256: 099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff
  SHA512: c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017
- memory/380-136-0x0000000000000000-mapping.dmp
- memory/1848-133-0x0000000000000000-mapping.dmp
- memory/4132-132-0x00000000021E0000-0x000000000326E000-memory.dmp
  Filesize: 16.6MB
- memory/4132-134-0x0000000000400000-0x0000000000430000-memory.dmp
  Filesize: 192KB
- memory/4132-137-0x00000000021E0000-0x000000000326E000-memory.dmp
  Filesize: 16.6MB
- memory/4132-139-0x00000000021E0000-0x000000000326E000-memory.dmp
  Filesize: 16.6MB
- memory/4400-138-0x0000000000000000-mapping.dmp