b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b

Analysis

max time kernel
65s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Size

113KB
MD5

6945475e30633fe7b7423876857afebd
SHA1

f3fe43844e2153d123c29f5e446da2c54d2bb9ee
SHA256

b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b
SHA512

445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1
SSDEEP

3072:TQIDRTXJJmGz9AVvPBVWLGLC5uQ0cJRkw2cU:T/3mGRAJepUncJa

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
4296	Au_.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-134-0x0000000002220000-0x000000000324A000-memory.dmp	upx
behavioral2/memory/3516-139-0x0000000002220000-0x000000000324A000-memory.dmp	upx
behavioral2/memory/4296-141-0x00000000049D0000-0x00000000059FA000-memory.dmp	upx
behavioral2/memory/4296-144-0x00000000049D0000-0x00000000059FA000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	Au_.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e06-136.dat	nsis_installer_1
behavioral2/files/0x0006000000022e06-136.dat	nsis_installer_2
behavioral2/files/0x0006000000022e06-137.dat	nsis_installer_1
behavioral2/files/0x0006000000022e06-137.dat	nsis_installer_2
behavioral2/files/0x0009000000022dff-143.dat	nsis_installer_1
behavioral2/files/0x0009000000022dff-143.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe
4296	Au_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Token: SeDebugPrivilege	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 768	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	79
PID 3516 wrote to memory of 776	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	78
PID 3516 wrote to memory of 1008	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	8
PID 3516 wrote to memory of 2308	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	50
PID 3516 wrote to memory of 2328	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	49
PID 3516 wrote to memory of 2416	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	48
PID 3516 wrote to memory of 2424	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	38
PID 3516 wrote to memory of 2948	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	37
PID 3516 wrote to memory of 3244	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	36
PID 3516 wrote to memory of 3352	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	35
PID 3516 wrote to memory of 3456	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	13
PID 3516 wrote to memory of 3552	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	34
PID 3516 wrote to memory of 3744	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	33
PID 3516 wrote to memory of 4820	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	30
PID 3516 wrote to memory of 2700	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	16
PID 3516 wrote to memory of 2268	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	14
PID 3516 wrote to memory of 4296	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	81
PID 3516 wrote to memory of 4296	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	81
PID 3516 wrote to memory of 4296	3516	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe	81
PID 4296 wrote to memory of 768	4296	Au_.exe	79
PID 4296 wrote to memory of 776	4296	Au_.exe	78
PID 4296 wrote to memory of 1008	4296	Au_.exe	8
PID 4296 wrote to memory of 2308	4296	Au_.exe	50
PID 4296 wrote to memory of 2328	4296	Au_.exe	49
PID 4296 wrote to memory of 2416	4296	Au_.exe	48
PID 4296 wrote to memory of 2424	4296	Au_.exe	38
PID 4296 wrote to memory of 2948	4296	Au_.exe	37
PID 4296 wrote to memory of 3244	4296	Au_.exe	36
PID 4296 wrote to memory of 3352	4296	Au_.exe	35
PID 4296 wrote to memory of 3456	4296	Au_.exe	13
PID 4296 wrote to memory of 3552	4296	Au_.exe	34
PID 4296 wrote to memory of 3744	4296	Au_.exe	33
PID 4296 wrote to memory of 4820	4296	Au_.exe	30
PID 4296 wrote to memory of 2700	4296	Au_.exe	16
PID 4296 wrote to memory of 2268	4296	Au_.exe	14
PID 4296 wrote to memory of 1420	4296	Au_.exe	82
PID 4296 wrote to memory of 1420	4296	Au_.exe	82
PID 4296 wrote to memory of 1420	4296	Au_.exe	82
PID 4296 wrote to memory of 1420	4296	Au_.exe	82
PID 4296 wrote to memory of 2732	4296	Au_.exe	83
PID 4296 wrote to memory of 2732	4296	Au_.exe	83
PID 4296 wrote to memory of 2732	4296	Au_.exe	83
PID 4296 wrote to memory of 2732	4296	Au_.exe	83
PID 4296 wrote to memory of 768	4296	Au_.exe	79
PID 4296 wrote to memory of 776	4296	Au_.exe	78
PID 4296 wrote to memory of 1008	4296	Au_.exe	8
PID 4296 wrote to memory of 2308	4296	Au_.exe	50
PID 4296 wrote to memory of 2328	4296	Au_.exe	49
PID 4296 wrote to memory of 2416	4296	Au_.exe	48
PID 4296 wrote to memory of 2424	4296	Au_.exe	38
PID 4296 wrote to memory of 2948	4296	Au_.exe	37
PID 4296 wrote to memory of 3244	4296	Au_.exe	36
PID 4296 wrote to memory of 3352	4296	Au_.exe	35
PID 4296 wrote to memory of 3456	4296	Au_.exe	13
PID 4296 wrote to memory of 3552	4296	Au_.exe	34
PID 4296 wrote to memory of 3744	4296	Au_.exe	33
PID 4296 wrote to memory of 4820	4296	Au_.exe	30
PID 4296 wrote to memory of 2268	4296	Au_.exe	14
PID 4296 wrote to memory of 2732	4296	Au_.exe	83
PID 4296 wrote to memory of 2732	4296	Au_.exe	83
PID 4296 wrote to memory of 3484	4296	Au_.exe	84
PID 4296 wrote to memory of 3484	4296	Au_.exe	84
PID 4296 wrote to memory of 3484	4296	Au_.exe	84
PID 4296 wrote to memory of 3484	4296	Au_.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2268

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
  "C:\Users\Admin\AppData\Local\Temp\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4296
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:340
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:4120

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2328

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2308

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E56BD88_Rar\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe

Filesize
53KB

MD5
273d78e14fd846c2eabe42788ea7f550

SHA1
a78c813af5237a521685e321b7d34870fe99f152

SHA256
b786ff9afd3be4b1ee992dc68e32b70d52e19cee5bca7f6779ecd211aa55a5a4

SHA512
40458559e8369c7096bf21f0975fdbde879da441c1f5026ec1877fa03ddc7f528e91ceb44a71fdc1b86ec39625d075568038a3f62417812c225c67ed6f90609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
113KB

MD5
6945475e30633fe7b7423876857afebd

SHA1
f3fe43844e2153d123c29f5e446da2c54d2bb9ee

SHA256
b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b

SHA512
445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
113KB

MD5
6945475e30633fe7b7423876857afebd

SHA1
f3fe43844e2153d123c29f5e446da2c54d2bb9ee

SHA256
b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b

SHA512
445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
bb8ef8e7dcfaeb96be2de5d81ae0fd4b

SHA1
3cd6cc1a313c6d889c76ef822bb1d4b92dc70017

SHA256
ae3bf4c85d244e531cf88e21917729d39e22c391ea51aad5cc3374596c4c1a5d

SHA512
e8e1c849ab3fe3a77314c26811e3c0d4daf0828e4318a444de5dea3e27e68d5b38d498793037959324835cda60569b1c5f711b3a4f0066ff6d97e5be0c6a93b7

Download Submit
memory/340-154-0x0000000000820000-0x0000000000834000-memory.dmp

Filesize
80KB

Download
memory/1244-158-0x0000000000740000-0x0000000000754000-memory.dmp

Filesize
80KB

Download
memory/1420-146-0x00000000005A0000-0x00000000005B4000-memory.dmp

Filesize
80KB

Download
memory/2208-156-0x0000000001240000-0x0000000001254000-memory.dmp

Filesize
80KB

Download
memory/2732-148-0x0000000000F20000-0x0000000000F34000-memory.dmp

Filesize
80KB

Download
memory/3484-150-0x0000000000E20000-0x0000000000E34000-memory.dmp

Filesize
80KB

Download
memory/3516-139-0x0000000002220000-0x000000000324A000-memory.dmp

Filesize
16.2MB

Download
memory/3516-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-134-0x0000000002220000-0x000000000324A000-memory.dmp

Filesize
16.2MB

Download
memory/3772-152-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/4296-144-0x00000000049D0000-0x00000000059FA000-memory.dmp

Filesize
16.2MB

Download
memory/4296-141-0x00000000049D0000-0x00000000059FA000-memory.dmp

Filesize
16.2MB

Download
memory/4296-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download