Analysis
max time kernel: 151s
max time network: 65s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 11/10/2022, 02:20
Behavioral task: behavioral1
Sample: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Resource: win7-20220812-en
General
Target: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Size: 1.1MB
MD5: 6a13bb213fda4f15b7e4cc48a83dd368
SHA1: eea95805b5c0fef042c8fc59efe5aa30598db37d
SHA256: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755
SHA512: 262d590269985b9f2f0cda5228c308e04ea10d2d5b8d6f7b448879b32c6fc4f3130187512c2986a736917e10c7f4f4b569cd9147c0490e5f5128c80b6bb2565a
SSDEEP: 24576:zAQ6Zx9cxTmOrucTIEFSpOGAM4DSs9FvzAIpgkTzbZU:zAQ/TD5EO3JgAf
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Modifies firewall policy service 2 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | SVCHOST.EXE
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | notepad.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | explorer.exe
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | notepad.exe
Windows security bypass 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | notepad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | SVCHOST.EXE
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | notepad.exe
Disables Task Manager via registry modification
Executes dropped EXE 1 IoCs
pid | Process
1488 | SVCHOST.EXE
UPX packed file 7 IoCs
resource | yara_rule
behavioral1/memory/1488-64-0x0000000001E30000-0x0000000002EBE000-memory.dmp | upx
behavioral1/memory/1488-67-0x0000000001E30000-0x0000000002EBE000-memory.dmp | upx
behavioral1/memory/1488-84-0x0000000001E30000-0x0000000002EBE000-memory.dmp | upx
behavioral1/memory/1488-88-0x0000000001E30000-0x0000000002EBE000-memory.dmp | upx
behavioral1/memory/1744-89-0x0000000002F70000-0x0000000003FFE000-memory.dmp | upx
behavioral1/memory/1744-91-0x0000000002F70000-0x0000000003FFE000-memory.dmp | upx
behavioral1/memory/1744-92-0x0000000002F70000-0x0000000003FFE000-memory.dmp | upx
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Deletes itself 1 IoCs
pid | Process
1488 | SVCHOST.EXE
Loads dropped DLL 2 IoCs
pid | Process
1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | SVCHOST.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SVCHOST.EXE
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SVCHOST.EXE
Enumerates connected drives 3 TTPs 32 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | notepad.exe
File opened (read-only) | \??\N: | notepad.exe
File opened (read-only) | \??\T: | notepad.exe
File opened (read-only) | \??\G: | SVCHOST.EXE
File opened (read-only) | \??\K: | notepad.exe
File opened (read-only) | \??\R: | notepad.exe
File opened (read-only) | \??\W: | notepad.exe
File opened (read-only) | \??\K: | SVCHOST.EXE
File opened (read-only) | \??\E: | SVCHOST.EXE
File opened (read-only) | \??\I: | SVCHOST.EXE
File opened (read-only) | \??\E: | notepad.exe
File opened (read-only) | \??\H: | notepad.exe
File opened (read-only) | \??\I: | notepad.exe
File opened (read-only) | \??\S: | notepad.exe
File opened (read-only) | \??\H: | SVCHOST.EXE
File opened (read-only) | \??\R: | SVCHOST.EXE
File opened (read-only) | \??\L: | notepad.exe
File opened (read-only) | \??\M: | notepad.exe
File opened (read-only) | \??\P: | notepad.exe
File opened (read-only) | \??\Q: | notepad.exe
File opened (read-only) | \??\U: | notepad.exe
File opened (read-only) | \??\Z: | notepad.exe
File opened (read-only) | \??\M: | SVCHOST.EXE
File opened (read-only) | \??\O: | notepad.exe
File opened (read-only) | \??\L: | SVCHOST.EXE
File opened (read-only) | \??\F: | notepad.exe
File opened (read-only) | \??\J: | notepad.exe
File opened (read-only) | \??\X: | notepad.exe
File opened (read-only) | \??\Y: | notepad.exe
File opened (read-only) | \??\F: | SVCHOST.EXE
File opened (read-only) | \??\V: | notepad.exe
File opened (read-only) | \??\J: | SVCHOST.EXE
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | notepad.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1988 set thread context of 1020 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 31
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | notepad.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | SVCHOST.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
1488 | SVCHOST.EXE
1488 | SVCHOST.EXE
1488 | SVCHOST.EXE
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
1744 | notepad.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeSecurityPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeTakeOwnershipPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeLoadDriverPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeSystemProfilePrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeSystemtimePrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeProfSingleProcessPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeIncBasePriorityPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeCreatePagefilePrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeBackupPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeRestorePrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeShutdownPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeDebugPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeSystemEnvironmentPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeChangeNotifyPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeRemoteShutdownPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeUndockPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeManageVolumePrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeImpersonatePrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeCreateGlobalPrivilege | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: 33 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: 34 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: 35 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeIncreaseQuotaPrivilege | 1020 | explorer.exe
Token: SeSecurityPrivilege | 1020 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1020 | explorer.exe
Token: SeLoadDriverPrivilege | 1020 | explorer.exe
Token: SeSystemProfilePrivilege | 1020 | explorer.exe
Token: SeSystemtimePrivilege | 1020 | explorer.exe
Token: SeProfSingleProcessPrivilege | 1020 | explorer.exe
Token: SeIncBasePriorityPrivilege | 1020 | explorer.exe
Token: SeCreatePagefilePrivilege | 1020 | explorer.exe
Token: SeBackupPrivilege | 1020 | explorer.exe
Token: SeRestorePrivilege | 1020 | explorer.exe
Token: SeShutdownPrivilege | 1020 | explorer.exe
Token: SeDebugPrivilege | 1020 | explorer.exe
Token: SeSystemEnvironmentPrivilege | 1020 | explorer.exe
Token: SeChangeNotifyPrivilege | 1020 | explorer.exe
Token: SeRemoteShutdownPrivilege | 1020 | explorer.exe
Token: SeUndockPrivilege | 1020 | explorer.exe
Token: SeManageVolumePrivilege | 1020 | explorer.exe
Token: SeImpersonatePrivilege | 1020 | explorer.exe
Token: SeCreateGlobalPrivilege | 1020 | explorer.exe
Token: 33 | 1020 | explorer.exe
Token: 34 | 1020 | explorer.exe
Token: 35 | 1020 | explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1020 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1744 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 28
PID 1988 wrote to memory of 1488 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 29
PID 1988 wrote to memory of 1488 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 29
PID 1988 wrote to memory of 1488 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 29
PID 1988 wrote to memory of 1488 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 29
PID 1488 wrote to memory of 1120 | 1488 | SVCHOST.EXE | 4
PID 1488 wrote to memory of 1176 | 1488 | SVCHOST.EXE | 13
PID 1488 wrote to memory of 1208 | 1488 | SVCHOST.EXE | 12
PID 1488 wrote to memory of 1988 | 1488 | SVCHOST.EXE | 10
PID 1488 wrote to memory of 1988 | 1488 | SVCHOST.EXE | 10
PID 1488 wrote to memory of 1744 | 1488 | SVCHOST.EXE | 28
PID 1488 wrote to memory of 1744 | 1488 | SVCHOST.EXE | 28
PID 1988 wrote to memory of 1020 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 31
PID 1988 wrote to memory of 1020 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 31
PID 1988 wrote to memory of 1020 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 31
PID 1988 wrote to memory of 1020 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 31
PID 1988 wrote to memory of 1020 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 31
PID 1988 wrote to memory of 1020 | 1988 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 31
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
PID 1020 wrote to memory of 1704 | 1020 | explorer.exe | 32
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SVCHOST.EXE
Processes

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1120

C:\Users\Admin\AppData\Local\Temp\e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe  "C:\Users\Admin\AppData\Local\Temp\e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe"  PID:1988
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe  notepad  PID:1744
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE  "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"  PID:1488
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Deletes itself
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  PID:1020
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\notepad.exe  C:\Windows\SysWOW64\notepad.exe  PID:1704

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1208

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1176

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:824
Network
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Bypass User Account Control 1
- Disabling Security Tools 3
- Modify Registry 8
Downloads

Filesize: 412KB
MD5: e6e858b315cc3cad4f6772c3ce7799c9
SHA1: 2e3ded63d9c8259b0df043892b7a8003d4dc00ee
SHA256: 761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168
SHA512: 00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

Filesize: 412KB
MD5: e6e858b315cc3cad4f6772c3ce7799c9
SHA1: 2e3ded63d9c8259b0df043892b7a8003d4dc00ee
SHA256: 761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168
SHA512: 00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

Filesize: 255B
MD5: 16ef19c01dc6c22d9b4d9e5dc2378689
SHA1: bf089e76a2d6713c8b4997ae3c22639ec41395f1
SHA256: ae182f2ae9b4a6da3aea14e0a856eeccd586d5da61c524357204c05055e5ad01
SHA512: 8d5f25643b56a3840001479114edf82ffc9fb8409d7692c05f916e2186dc83d718599ea22ca7df8c296f2ece3ae11d4d54b8fa0038a556717fbd572edbe89b09

Filesize: 1.1MB
MD5: 2914671203fb9f6cd43c3a1890e62199
SHA1: 206b053743f43a8be9db38af1400ffa8b517af77
SHA256: ef9340ae3695ac3cb6baacfce55c11a267f65a5d942b0de15e2bf211ff89759f
SHA512: d3b15fbf34ff5e8a3cf06276f8e75c9fa95e025510328c848f2746bcbc3c604e3ab3fdd4655c475067d6ab8cfeb7d8c9f0947829ce56c5b5ad449ce59e50b0d2

Filesize: 1.1MB
MD5: 6a13bb213fda4f15b7e4cc48a83dd368
SHA1: eea95805b5c0fef042c8fc59efe5aa30598db37d
SHA256: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755
SHA512: 262d590269985b9f2f0cda5228c308e04ea10d2d5b8d6f7b448879b32c6fc4f3130187512c2986a736917e10c7f4f4b569cd9147c0490e5f5128c80b6bb2565a

Filesize: 412KB
MD5: e6e858b315cc3cad4f6772c3ce7799c9
SHA1: 2e3ded63d9c8259b0df043892b7a8003d4dc00ee
SHA256: 761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168
SHA512: 00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

Filesize: 412KB
MD5: e6e858b315cc3cad4f6772c3ce7799c9
SHA1: 2e3ded63d9c8259b0df043892b7a8003d4dc00ee
SHA256: 761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168
SHA512: 00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae