Analysis
-
max time kernel
151s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2022, 22:09
Static task
static1
Behavioral task
behavioral1
Sample
4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe
Resource
win7-20220812-en
windows7-x64
16 signatures
150 seconds
General
-
Target
4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe
-
Size
352KB
-
MD5
6863017406ac522af436c3086aefef91
-
SHA1
ed9c77b4b5e72d999da88726f19716996006d229
-
SHA256
4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c
-
SHA512
936be4fb769ec52b86b92c00b6b21e8513675d07b1b263e6806c7fcfb4eaf63ffaaecbcbc3f5ad03fd1b7c37f449a5ab91832e5958ce53c52eef8fe6289e40ee
-
SSDEEP
6144:H9hcHifIOD3i78xZXIVEB8SE8c1W4rSWP8Sce4:H3hD3i7skkc1W4rSE
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Disables Task Manager via registry modification
-
resource yara_rule behavioral2/memory/4416-132-0x0000000002540000-0x00000000035CE000-memory.dmp upx behavioral2/memory/4416-134-0x0000000002540000-0x00000000035CE000-memory.dmp upx behavioral2/memory/4416-135-0x0000000002540000-0x00000000035CE000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE16\LICLUA.EXE 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe Token: SeDebugPrivilege 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4416 wrote to memory of 776 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 3 PID 4416 wrote to memory of 784 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 76 PID 4416 wrote to memory of 492 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 5 PID 4416 wrote to memory of 2344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 12 PID 4416 wrote to memory of 2368 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 14 PID 4416 wrote to memory of 2476 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 50 PID 4416 wrote to memory of 3068 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 43 PID 4416 wrote to memory of 2768 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 16 PID 4416 wrote to memory of 3244 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 42 PID 4416 wrote to memory of 3344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 41 PID 4416 wrote to memory of 3456 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 17 PID 4416 wrote to memory of 3580 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 39 PID 4416 wrote to memory of 3764 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 38 PID 4416 wrote to memory of 4820 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 36 PID 4416 wrote to memory of 2332 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 25 PID 4416 wrote to memory of 2548 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 19 PID 4416 wrote to memory of 2044 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 18 PID 4416 wrote to memory of 3360 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 83 PID 4416 wrote to memory of 776 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 3 PID 4416 wrote to memory of 784 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 76 PID 4416 wrote to memory of 492 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 5 PID 4416 wrote to memory of 2344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 12 PID 4416 wrote to memory of 2368 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 14 PID 4416 wrote to memory of 2476 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 50 PID 4416 wrote to memory of 3068 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 43 PID 4416 wrote to memory of 2768 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 16 PID 4416 wrote to memory of 3244 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 42 PID 4416 wrote to memory of 3344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 41 PID 4416 wrote to memory of 3456 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 17 PID 4416 wrote to memory of 3580 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 39 PID 4416 wrote to memory of 3764 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 38 PID 4416 wrote to memory of 4820 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 36 PID 4416 wrote to memory of 2332 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 25 PID 4416 wrote to memory of 3360 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 83 PID 4416 wrote to memory of 776 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 3 PID 4416 wrote to memory of 784 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 76 PID 4416 wrote to memory of 492 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 5 PID 4416 wrote to memory of 2344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 12 PID 4416 wrote to memory of 2368 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 14 PID 4416 wrote to memory of 2476 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 50 PID 4416 wrote to memory of 3068 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 43 PID 4416 wrote to memory of 2768 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 16 PID 4416 wrote to memory of 3244 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 42 PID 4416 wrote to memory of 3344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 41 PID 4416 wrote to memory of 3456 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 17 PID 4416 wrote to memory of 3580 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 39 PID 4416 wrote to memory of 3764 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 38 PID 4416 wrote to memory of 4820 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 36 PID 4416 wrote to memory of 2332 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 25 PID 4416 wrote to memory of 3360 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 83 PID 4416 wrote to memory of 776 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 3 PID 4416 wrote to memory of 784 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 76 PID 4416 wrote to memory of 492 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 5 PID 4416 wrote to memory of 2344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 12 PID 4416 wrote to memory of 2368 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 14 PID 4416 wrote to memory of 2476 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 50 PID 4416 wrote to memory of 3068 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 43 PID 4416 wrote to memory of 2768 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 16 PID 4416 wrote to memory of 3244 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 42 PID 4416 wrote to memory of 3344 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 41 PID 4416 wrote to memory of 3456 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 17 PID 4416 wrote to memory of 3580 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 39 PID 4416 wrote to memory of 3764 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 38 PID 4416 wrote to memory of 4820 4416 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe 36 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:492
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2344
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2768
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3456
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵PID:2044
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2548
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵PID:2332
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4820
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3764
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3580
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3344
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3244
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe"C:\Users\Admin\AppData\Local\Temp\4071c8031998245623439c345006e7ade8f03153d8d4f844560002c2cd01c44c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4416
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2476
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3360