Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
10/10/2022, 23:35
Static task
static1
Behavioral task
behavioral1
Sample
4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe
Resource
win7-20220901-en
windows7-x64
15 signatures
150 seconds
General
-
Target
4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe
-
Size
382KB
-
MD5
6e0dbe50fc2413946260ec860ae38baa
-
SHA1
4ec71f7ed4c69c87b2c9614f0e1b0ba3eadd493f
-
SHA256
4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669
-
SHA512
e7ca1981b33aa645fe7d2abe308ef21bc0fe3ba954b9d2cb148afd3cc9d0554b78b235a208af979f24c5f1532cfbca73bffed185a09dddac04aa34ebe4ec055e
-
SSDEEP
6144:Pnl7w3YXj5OqQhi01bPaf1wNT5Ab6+Qd4YA11azRAZYk0IKDMK6Uv:Pn+3GcJ1bSqdw67A11cRAZnqwh8
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
resource yara_rule behavioral2/memory/1340-133-0x00000000023C0000-0x000000000344E000-memory.dmp upx behavioral2/memory/1340-134-0x00000000023C0000-0x000000000344E000-memory.dmp upx behavioral2/memory/1340-136-0x00000000023C0000-0x000000000344E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\G: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\H: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\K: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\M: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\N: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\Q: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\R: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\F: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\W: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\Y: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\E: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\I: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\O: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\S: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\X: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\J: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\L: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\P: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\T: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\U: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened (read-only) \??\V: 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe Token: SeDebugPrivilege 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1340 wrote to memory of 796 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 8 PID 1340 wrote to memory of 804 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 81 PID 1340 wrote to memory of 416 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 9 PID 1340 wrote to memory of 2360 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 30 PID 1340 wrote to memory of 2388 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 69 PID 1340 wrote to memory of 2472 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 67 PID 1340 wrote to memory of 760 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 60 PID 1340 wrote to memory of 3084 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 59 PID 1340 wrote to memory of 3292 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 58 PID 1340 wrote to memory of 3380 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 34 PID 1340 wrote to memory of 3444 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 57 PID 1340 wrote to memory of 3524 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 56 PID 1340 wrote to memory of 3704 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 55 PID 1340 wrote to memory of 4860 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 53 PID 1340 wrote to memory of 4304 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 38 PID 1340 wrote to memory of 4344 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 82 PID 1340 wrote to memory of 796 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 8 PID 1340 wrote to memory of 804 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 81 PID 1340 wrote to memory of 416 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 9 PID 1340 wrote to memory of 2360 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 30 PID 1340 wrote to memory of 2388 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 69 PID 1340 wrote to memory of 2472 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 67 PID 1340 wrote to memory of 760 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 60 PID 1340 wrote to memory of 3084 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 59 PID 1340 wrote to memory of 3292 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 58 PID 1340 wrote to memory of 3380 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 34 PID 1340 wrote to memory of 3444 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 57 PID 1340 wrote to memory of 3524 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 56 PID 1340 wrote to memory of 3704 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 55 PID 1340 wrote to memory of 4860 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 53 PID 1340 wrote to memory of 4344 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 82 PID 1340 wrote to memory of 796 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 8 PID 1340 wrote to memory of 804 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 81 PID 1340 wrote to memory of 416 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 9 PID 1340 wrote to memory of 2360 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 30 PID 1340 wrote to memory of 2388 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 69 PID 1340 wrote to memory of 2472 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 67 PID 1340 wrote to memory of 760 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 60 PID 1340 wrote to memory of 3084 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 59 PID 1340 wrote to memory of 3292 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 58 PID 1340 wrote to memory of 3380 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 34 PID 1340 wrote to memory of 3444 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 57 PID 1340 wrote to memory of 3524 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 56 PID 1340 wrote to memory of 3704 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 55 PID 1340 wrote to memory of 4860 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 53 PID 1340 wrote to memory of 4344 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 82 PID 1340 wrote to memory of 796 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 8 PID 1340 wrote to memory of 804 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 81 PID 1340 wrote to memory of 416 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 9 PID 1340 wrote to memory of 2360 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 30 PID 1340 wrote to memory of 2388 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 69 PID 1340 wrote to memory of 2472 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 67 PID 1340 wrote to memory of 760 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 60 PID 1340 wrote to memory of 3084 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 59 PID 1340 wrote to memory of 3292 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 58 PID 1340 wrote to memory of 3380 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 34 PID 1340 wrote to memory of 3444 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 57 PID 1340 wrote to memory of 3524 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 56 PID 1340 wrote to memory of 3704 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 55 PID 1340 wrote to memory of 4860 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 53 PID 1340 wrote to memory of 4344 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 82 PID 1340 wrote to memory of 796 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 8 PID 1340 wrote to memory of 804 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 81 PID 1340 wrote to memory of 416 1340 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe 9 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:796
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:416
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2360
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3380
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4304
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4860
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3704
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3524
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3444
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3084
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe"C:\Users\Admin\AppData\Local\Temp\4b88d171a18f5c8156eea1a1ec3ea8391aa5270a3b622ec2125b42c4e60b0669.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1340
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2388
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:804
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4344