metasploit | 0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2022, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Size

110KB
MD5

7bffef60b33c169ac328c60c2f6737dd
SHA1

704336b8ed363d4fd23eada2ad33af7d0e76bc7c
SHA256

0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388
SHA512

5877f5c6a818b38b54516f0445276f4afddf774a2257f07c48b457656313d4648a24a6ed520c3789aa5fc0c0647c69d9a00cacafa6df6b353e6b6fb0ee1fc8a1
SSDEEP

3072:AOTaDTUUJ511F6lmed2iFRtWP5DWRsfSh4RMW:fT8oUvWmedVRuqRTW

Score

10^/10

metasploit backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csdrive32.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\csdrive32.exe"	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe

Executes dropped EXE 1 IoCs

pid	Process
4240	csdrive32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1120-133-0x0000000000B50000-0x0000000001B7A000-memory.dmp	upx
behavioral2/memory/1120-134-0x0000000000B50000-0x0000000001B7A000-memory.dmp	upx
behavioral2/memory/1120-143-0x0000000000B50000-0x0000000001B7A000-memory.dmp	upx
behavioral2/memory/4240-145-0x0000000002F00000-0x0000000003F2A000-memory.dmp	upx
behavioral2/memory/4240-147-0x0000000002F00000-0x0000000003F2A000-memory.dmp	upx
behavioral2/memory/4240-158-0x0000000002F00000-0x0000000003F2A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\csdrive32.exe"	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csdrive32.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	csdrive32.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	csdrive32.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\CSDRIVE32.EXE	csdrive32.exe
File created	C:\Windows\MICROSOFT TERMINAL SERVICES\e57d8cc	csdrive32.exe
File created	C:\Windows\MICROSOFT WINDOWS NETWORK\e57fd2c	csdrive32.exe
File created	C:\Windows\WEB CLIENT NETWORK\e5851d4	csdrive32.exe
File opened for modification	C:\Windows\SYSTEM.INI	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
File created	C:\Windows\csdrive32.exe	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
File opened for modification	C:\Windows\csdrive32.exe	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
File created	C:\Windows\%windir%\lfffile32.log	csdrive32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe
4240	csdrive32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Token: SeDebugPrivilege	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 764	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	8
PID 1120 wrote to memory of 768	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	9
PID 1120 wrote to memory of 1008	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	11
PID 1120 wrote to memory of 2348	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	22
PID 1120 wrote to memory of 2388	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	23
PID 1120 wrote to memory of 2492	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	61
PID 1120 wrote to memory of 2520	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	57
PID 1120 wrote to memory of 3080	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	29
PID 1120 wrote to memory of 3280	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	56
PID 1120 wrote to memory of 3376	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	55
PID 1120 wrote to memory of 3516	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	30
PID 1120 wrote to memory of 3596	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	53
PID 1120 wrote to memory of 3808	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	52
PID 1120 wrote to memory of 4736	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	31
PID 1120 wrote to memory of 1816	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	33
PID 1120 wrote to memory of 456	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	42
PID 1120 wrote to memory of 2192	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	36
PID 1120 wrote to memory of 4240	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	84
PID 1120 wrote to memory of 4240	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	84
PID 1120 wrote to memory of 4240	1120	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe	84
PID 4240 wrote to memory of 764	4240	csdrive32.exe	8
PID 4240 wrote to memory of 768	4240	csdrive32.exe	9
PID 4240 wrote to memory of 1008	4240	csdrive32.exe	11
PID 4240 wrote to memory of 2348	4240	csdrive32.exe	22
PID 4240 wrote to memory of 2388	4240	csdrive32.exe	23
PID 4240 wrote to memory of 2492	4240	csdrive32.exe	61
PID 4240 wrote to memory of 2520	4240	csdrive32.exe	57
PID 4240 wrote to memory of 3080	4240	csdrive32.exe	29
PID 4240 wrote to memory of 3280	4240	csdrive32.exe	56
PID 4240 wrote to memory of 3376	4240	csdrive32.exe	55
PID 4240 wrote to memory of 3516	4240	csdrive32.exe	30
PID 4240 wrote to memory of 3596	4240	csdrive32.exe	53
PID 4240 wrote to memory of 3808	4240	csdrive32.exe	52
PID 4240 wrote to memory of 4736	4240	csdrive32.exe	31
PID 4240 wrote to memory of 1816	4240	csdrive32.exe	33
PID 4240 wrote to memory of 456	4240	csdrive32.exe	42
PID 4240 wrote to memory of 3480	4240	csdrive32.exe	85
PID 4240 wrote to memory of 3480	4240	csdrive32.exe	85
PID 4240 wrote to memory of 3480	4240	csdrive32.exe	85
PID 4240 wrote to memory of 3480	4240	csdrive32.exe	85
PID 4240 wrote to memory of 3732	4240	csdrive32.exe	86
PID 4240 wrote to memory of 3732	4240	csdrive32.exe	86
PID 4240 wrote to memory of 3732	4240	csdrive32.exe	86
PID 4240 wrote to memory of 3732	4240	csdrive32.exe	86
PID 4240 wrote to memory of 3492	4240	csdrive32.exe	87
PID 4240 wrote to memory of 3492	4240	csdrive32.exe	87
PID 4240 wrote to memory of 3492	4240	csdrive32.exe	87
PID 4240 wrote to memory of 3492	4240	csdrive32.exe	87
PID 4240 wrote to memory of 1648	4240	csdrive32.exe	88
PID 4240 wrote to memory of 1648	4240	csdrive32.exe	88
PID 4240 wrote to memory of 1648	4240	csdrive32.exe	88
PID 4240 wrote to memory of 1648	4240	csdrive32.exe	88
PID 4240 wrote to memory of 1416	4240	csdrive32.exe	89
PID 4240 wrote to memory of 1416	4240	csdrive32.exe	89
PID 4240 wrote to memory of 1416	4240	csdrive32.exe	89
PID 4240 wrote to memory of 1416	4240	csdrive32.exe	89
PID 4240 wrote to memory of 764	4240	csdrive32.exe	8
PID 4240 wrote to memory of 768	4240	csdrive32.exe	9
PID 4240 wrote to memory of 1008	4240	csdrive32.exe	11
PID 4240 wrote to memory of 2348	4240	csdrive32.exe	22
PID 4240 wrote to memory of 2388	4240	csdrive32.exe	23
PID 4240 wrote to memory of 2492	4240	csdrive32.exe	61
PID 4240 wrote to memory of 2520	4240	csdrive32.exe	57
PID 4240 wrote to memory of 3080	4240	csdrive32.exe	29

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csdrive32.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1008

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1816

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2192

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3596

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2520
- C:\Users\Admin\AppData\Local\Temp\0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe
  "C:\Users\Admin\AppData\Local\Temp\0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388.exe"
  2⤵
  - UAC bypass
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1120
- - C:\Windows\csdrive32.exe
    "C:\Windows\csdrive32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4240
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3480
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3492
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:916
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:4556

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI

Filesize
258B

MD5
7a085a304f6480baa32ce2ec6bedecac

SHA1
d43c84e97e8ff905d94de300108a112670ef226e

SHA256
e5ab036e13c45ca62b286de14fe3a50fe2b6473443716d50b514414c774e2842

SHA512
9a6cccb9b307728981933960f15ef251ef056d9b5d3dc71b30d422bcca75c77f0159c9aca208668cbcdfa56be22893f202d60ded13b77cac4fd5e65cfca0f2d6

Download Submit
C:\Windows\csdrive32.exe

Filesize
110KB

MD5
7bffef60b33c169ac328c60c2f6737dd

SHA1
704336b8ed363d4fd23eada2ad33af7d0e76bc7c

SHA256
0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388

SHA512
5877f5c6a818b38b54516f0445276f4afddf774a2257f07c48b457656313d4648a24a6ed520c3789aa5fc0c0647c69d9a00cacafa6df6b353e6b6fb0ee1fc8a1

Download Submit
C:\Windows\csdrive32.exe

Filesize
110KB

MD5
7bffef60b33c169ac328c60c2f6737dd

SHA1
704336b8ed363d4fd23eada2ad33af7d0e76bc7c

SHA256
0d0bb4cd3080ed4a39743d57010f04213f45413e13c7133549114383b47a7388

SHA512
5877f5c6a818b38b54516f0445276f4afddf774a2257f07c48b457656313d4648a24a6ed520c3789aa5fc0c0647c69d9a00cacafa6df6b353e6b6fb0ee1fc8a1

Download Submit
memory/916-172-0x00000000009D0000-0x00000000009E4000-memory.dmp

Filesize
80KB

Download
memory/1120-133-0x0000000000B50000-0x0000000001B7A000-memory.dmp

Filesize
16.2MB

Download
memory/1120-134-0x0000000000B50000-0x0000000001B7A000-memory.dmp

Filesize
16.2MB

Download
memory/1120-135-0x0000000004360000-0x00000000043BD000-memory.dmp

Filesize
372KB

Download
memory/1120-136-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/1120-132-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/1120-142-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/1120-143-0x0000000000B50000-0x0000000001B7A000-memory.dmp

Filesize
16.2MB

Download
memory/1352-166-0x0000000000920000-0x0000000000934000-memory.dmp

Filesize
80KB

Download
memory/1400-160-0x0000000000CC0000-0x0000000000CD4000-memory.dmp

Filesize
80KB

Download
memory/1416-157-0x0000000000C20000-0x0000000000C34000-memory.dmp

Filesize
80KB

Download
memory/1444-168-0x0000000000C30000-0x0000000000C44000-memory.dmp

Filesize
80KB

Download
memory/1648-155-0x0000000000940000-0x0000000000954000-memory.dmp

Filesize
80KB

Download
memory/1772-170-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

Filesize
80KB

Download
memory/3480-149-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/3492-153-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/3644-162-0x00000000004C0000-0x00000000004D4000-memory.dmp

Filesize
80KB

Download
memory/3732-151-0x0000000000940000-0x0000000000954000-memory.dmp

Filesize
80KB

Download
memory/4240-158-0x0000000002F00000-0x0000000003F2A000-memory.dmp

Filesize
16.2MB

Download
memory/4240-141-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4240-145-0x0000000002F00000-0x0000000003F2A000-memory.dmp

Filesize
16.2MB

Download
memory/4240-147-0x0000000002F00000-0x0000000003F2A000-memory.dmp

Filesize
16.2MB

Download
memory/4240-144-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4240-140-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/4300-176-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download
memory/4452-164-0x0000000000660000-0x0000000000674000-memory.dmp

Filesize
80KB

Download
memory/4556-178-0x00000000010A0000-0x00000000010B4000-memory.dmp

Filesize
80KB

Download
memory/5108-174-0x0000000000900000-0x0000000000914000-memory.dmp

Filesize
80KB

Download