Analysis
max time kernel: 151s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2022, 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
  Resource: win7-20220901-en
General
Target: d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Size: 2.6MB
MD5: 6838cbb902ab3e0a2d0338d6be08b0ac
SHA1: 860cf9edaea2aa72d31be0927fdc723ed1d20358
SHA256: d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7
SHA512: 42543e87d90e3fd4451e65a5b35d4d8b8597d4f16a61501a1390f3d5e04fe0cae37a77a32186240859e7a29e226537a531a81bddc7023e6d3ebc3626ace68945
SSDEEP: 49152:Kw7cq43rhAmZLPYfnkpUJWDQ7cSwMuIdhgT/g9cRCo:jKLQfkuV7nwdWcko
Malware Config
Extracted
Family: sality
C2:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures
UAC bypass 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  netsh.exe
Windows security bypass 14 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  netsh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  netsh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  netsh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  netsh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  netsh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  netsh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Disables RegEdit via registry modification 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  netsh.exe
Disables Task Manager via registry modification
-
Modifies Windows Firewall 1 TTPs 2 IoCs
pid  Process
5100  netsh.exe
1584  netsh.exe
(both instances run the command line netsh firewall set opmode disable; see Processes)
UPX-packed memory regions (YARA rule upx) 5 IoCs
resource  yara_rule
behavioral2/memory/776-133-0x00000000025A0000-0x00000000035D2000-memory.dmp  upx
behavioral2/memory/776-135-0x00000000025A0000-0x00000000035D2000-memory.dmp  upx
behavioral2/memory/776-137-0x00000000025A0000-0x00000000035D2000-memory.dmp  upx
behavioral2/memory/5100-138-0x0000000004D30000-0x0000000005D62000-memory.dmp  upx
behavioral2/memory/5100-141-0x0000000004D30000-0x0000000005D62000-memory.dmp  upx
Windows security modification 7 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Checks whether UAC is enabled 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
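The registry IoCs above are the whole of this sample's defence-impairment step: UAC off (EnableLUA=0), Security Center notifications and status overrides set, and the registry editor disabled, each written by both the sample and the injected netsh.exe. As an added example (not part of the sandbox report or any Triage tooling), the following Python turns rows of that shape into a per-process verdict. The input line format (process, operation, registry path = value) is an assumption made for illustration; the sample lines are constructed from this report's IoC tables plus one benign explorer.exe write as a control; and the DisableTaskMgr rule covers the "Disables Task Manager" signature, for which the report lists no IoC row, so its value name is supplied here rather than taken from the page.

```python
"""Classify Sality-style registry tampering per process.

Added example, not part of the sandbox report. The input line format
    <process>  Set value (<type>)  <registry path> = "<value>"
is an assumption made for illustration (it mirrors the report's IoC rows but is
not a Triage export format). Sample lines are constructed from this report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SALITY_EXE = "d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe"
HKLM_SW = r"\REGISTRY\MACHINE\SOFTWARE"
HKU_SW = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE"

# Constructed from the report's IoC tables, plus a benign explorer.exe write.
SAMPLE_EVENTS = rf"""
{SALITY_EXE}  Set value (int)  {HKLM_SW}\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
netsh.exe  Set value (int)  {HKLM_SW}\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
{SALITY_EXE}  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
{SALITY_EXE}  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
{SALITY_EXE}  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
{SALITY_EXE}  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
{SALITY_EXE}  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
{SALITY_EXE}  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
netsh.exe  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
netsh.exe  Set value (int)  {HKLM_SW}\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
{SALITY_EXE}  Set value (int)  {HKU_SW}\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
netsh.exe  Set value (int)  {HKU_SW}\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
explorer.exe  Set value (int)  {HKU_SW}\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1"
"""

# Value path relative to the SOFTWARE hive (lower-cased) -> (tampered value,
# category, label). Categories: "uac", "security_center", "admin_tools".
TAMPER_RULES = {
    r"microsoft\windows\currentversion\policies\system\enablelua": ("0", "uac", "UAC disabled (EnableLUA=0)"),
    r"microsoft\windows\currentversion\policies\system\disableregistrytools": ("1", "admin_tools", "Registry editor disabled"),
    # "Disables Task Manager" is a signature in the report with no IoC row; value name assumed here.
    r"microsoft\windows\currentversion\policies\system\disabletaskmgr": ("1", "admin_tools", "Task Manager disabled"),
    r"microsoft\security center\antivirusdisablenotify": ("1", "security_center", "AV notifications suppressed"),
    r"microsoft\security center\firewalldisablenotify": ("1", "security_center", "Firewall notifications suppressed"),
    r"microsoft\security center\updatesdisablenotify": ("1", "security_center", "Update notifications suppressed"),
    r"microsoft\security center\uacdisablenotify": ("1", "security_center", "UAC notifications suppressed"),
    r"microsoft\security center\antivirusoverride": ("1", "security_center", "AV status override"),
    r"microsoft\security center\firewalloverride": ("1", "security_center", "Firewall status override"),
}

EVENT_RE = re.compile(
    r'^(?P<proc>\S+)\s+Set value \((?P<type>\w+)\)\s+(?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)"\s*$'
)
# Strip hive, user SID and the WOW6432Node redirection so 32-bit and 64-bit views compare equal.
HIVE_PREFIX_RE = re.compile(r"^\\registry\\(?:machine|user\\[^\\]+)\\software\\(?:wow6432node\\)?", re.IGNORECASE)


@dataclass
class Finding:
    labels: set[str] = field(default_factory=set)
    categories: set[str] = field(default_factory=set)
    writes: int = 0


def normalize_key(path: str) -> str:
    """Registry path -> lower-cased key relative to the SOFTWARE hive."""
    return HIVE_PREFIX_RE.sub("", path).lower()


def classify(text: str) -> dict[str, Finding]:
    """Map each process to the tampering rules its registry writes matched."""
    findings: dict[str, Finding] = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a registry-set row
        rule = TAMPER_RULES.get(normalize_key(m["path"]))
        if rule is None or m["value"] != rule[0]:
            continue  # unknown value, or set to a non-tampering value
        f = findings.setdefault(m["proc"], Finding())
        f.labels.add(rule[2])
        f.categories.add(rule[1])
        f.writes += 1
    return findings


def impaired_defense_processes(text: str, min_categories: int = 3) -> list[str]:
    """Processes whose writes span at least min_categories tampering categories.
    UAC + Security Center + admin tools together is the combination this sample shows."""
    return sorted(p for p, f in classify(text).items() if len(f.categories) >= min_categories)


if __name__ == "__main__":
    for proc, finding in classify(SAMPLE_EVENTS).items():
        print(f"{proc}: {finding.writes} tampering writes, categories={sorted(finding.categories)}")
    print("defences impaired by:", impaired_defense_processes(SAMPLE_EVENTS))
```

Matching on the hive-relative key is deliberate: the same Security Center values appear under WOW6432Node here because the sample is 32-bit, and a rule keyed on the full path would miss the 64-bit view of the same tampering. The category threshold keeps a single EnableLUA write (which administrators also set) from scoring like the three-way combination seen here.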
Drops file in Program Files directory 4 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\caps\caps.db  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
File created  C:\Program Files (x86)\Common Files\Adobe\caps\caps.db-journal  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
File created  C:\Program Files (x86)\Common Files\Adobe\backup\caps.db  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\backup\caps.db  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Drops file in Windows directory 1 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SYSTEM.INI  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; for a Sality file infector, enumerating drives is equally consistent with locating executables to infect and removable media to spread to, so read the signature in the context of the extracted family rather than the generic description.
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid  Process
776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  (6 rows)
5100  netsh.exe  (2 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
(all 64 rows are identical: PID 776 enabling SeDebugPrivilege repeatedly; 64 is the per-signature display limit, so the true count may be higher)
Suspicious use of SetWindowsHookEx 1 IoCs
pid  Process
776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (identical rows merged, count in brackets; target image resolved from the Processes section; 64 rows shown, the per-signature display limit)
PID 776 wrote to memory of 5100  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  82  [x5]  netsh.exe
PID 776 wrote to memory of 792  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  9  [x3]  fontdrvhost.exe
PID 776 wrote to memory of 800  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  80  [x3]  fontdrvhost.exe
PID 776 wrote to memory of 64  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  11  [x3]  dwm.exe
PID 776 wrote to memory of 2484  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  49  [x3]  sihost.exe
PID 776 wrote to memory of 2504  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  48  [x3]  svchost.exe (CDPUserSvc)
PID 776 wrote to memory of 2708  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  41  [x3]  taskhostw.exe
PID 776 wrote to memory of 2592  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  40  [x3]  Explorer.EXE
PID 776 wrote to memory of 3148  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  39  [x3]  svchost.exe (cbdhsvc)
PID 776 wrote to memory of 3344  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  38  [x3]  DllHost.exe
PID 776 wrote to memory of 3448  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  37  [x3]  StartMenuExperienceHost.exe
PID 776 wrote to memory of 3516  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  36  [x3]  RuntimeBroker.exe
PID 776 wrote to memory of 3600  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  35  [x3]  SearchApp.exe
PID 776 wrote to memory of 3788  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  34  [x3]  RuntimeBroker.exe
PID 776 wrote to memory of 4664  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  31  [x3]  RuntimeBroker.exe
PID 776 wrote to memory of 3776  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  16  [x1]  backgroundTaskHost.exe
PID 776 wrote to memory of 4956  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  14  [x2]  RuntimeBroker.exe
PID 776 wrote to memory of 888  776  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  83  [x3]  Conhost.exe
PID 5100 wrote to memory of 1584  5100  netsh.exe  86  [x3]  netsh.exe
PID 5100 wrote to memory of 792  5100  netsh.exe  9  [x1]  fontdrvhost.exe
PID 5100 wrote to memory of 800  5100  netsh.exe  80  [x1]  fontdrvhost.exe
PID 5100 wrote to memory of 64  5100  netsh.exe  11  [x1]  dwm.exe
PID 5100 wrote to memory of 2484  5100  netsh.exe  49  [x1]  sihost.exe
PID 5100 wrote to memory of 2504  5100  netsh.exe  48  [x1]  svchost.exe (CDPUserSvc)
PID 5100 wrote to memory of 2708  5100  netsh.exe  41  [x1]  taskhostw.exe
PID 5100 wrote to memory of 2592  5100  netsh.exe  40  [x1]  Explorer.EXE
PID 5100 wrote to memory of 3148  5100  netsh.exe  39  [x1]  svchost.exe (cbdhsvc)
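The shape of the table above matters more than any single row: the sample (PID 776) writes into 18 distinct Windows-owned processes, and netsh.exe (PID 5100), itself one of those targets, then repeats the pattern against a fresh netsh.exe and the same desktop processes. As an added example (not the report's own tooling), the following Python groups WriteProcessMemory rows by source and flags exactly that: a source with many system-process targets, and any target that goes on to inject. The pid-to-image map and the sample rows are constructed from this report's Processes tree and the table above (one line per distinct source/target pair); the 5-target threshold is an assumption.

```python
"""Fan-out view of WriteProcessMemory rows (added example, not from the report).

Parses rows in the report's own wording ("PID <src> wrote to memory of <dst> ...")
and flags sources that write into many Windows-owned processes, plus targets
that in turn inject. Sample data is constructed from this report.
"""
import re
from collections import defaultdict

SALITY_EXE = "d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe"

# Constructed from the Processes section: pid -> image path.
PROCESSES = {
    776: rf"C:\Users\Admin\AppData\Local\Temp\{SALITY_EXE}",
    5100: r"C:\Windows\SysWOW64\netsh.exe",
    1584: r"C:\Windows\SysWOW64\netsh.exe",
    888: r"C:\Windows\System32\Conhost.exe",
    792: r"C:\Windows\system32\fontdrvhost.exe",
    800: r"C:\Windows\system32\fontdrvhost.exe",
    64: r"C:\Windows\system32\dwm.exe",
    2484: r"C:\Windows\system32\sihost.exe",
    2504: r"C:\Windows\system32\svchost.exe",
    2708: r"C:\Windows\system32\taskhostw.exe",
    2592: r"C:\Windows\Explorer.EXE",
    3148: r"C:\Windows\system32\svchost.exe",
    3344: r"C:\Windows\system32\DllHost.exe",
    3448: r"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe",
    3516: r"C:\Windows\System32\RuntimeBroker.exe",
    3600: r"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe",
    3776: r"C:\Windows\system32\backgroundTaskHost.exe",
    3788: r"C:\Windows\System32\RuntimeBroker.exe",
    4664: r"C:\Windows\System32\RuntimeBroker.exe",
    4956: r"C:\Windows\System32\RuntimeBroker.exe",
}

# Constructed: one row per distinct (source, target) pair in the report's table.
SAMPLE_WRITES = f"""
PID 776 wrote to memory of 5100 776 {SALITY_EXE} 82
PID 776 wrote to memory of 792 776 {SALITY_EXE} 9
PID 776 wrote to memory of 800 776 {SALITY_EXE} 80
PID 776 wrote to memory of 64 776 {SALITY_EXE} 11
PID 776 wrote to memory of 2484 776 {SALITY_EXE} 49
PID 776 wrote to memory of 2504 776 {SALITY_EXE} 48
PID 776 wrote to memory of 2708 776 {SALITY_EXE} 41
PID 776 wrote to memory of 2592 776 {SALITY_EXE} 40
PID 776 wrote to memory of 3148 776 {SALITY_EXE} 39
PID 776 wrote to memory of 3344 776 {SALITY_EXE} 38
PID 776 wrote to memory of 3448 776 {SALITY_EXE} 37
PID 776 wrote to memory of 3516 776 {SALITY_EXE} 36
PID 776 wrote to memory of 3600 776 {SALITY_EXE} 35
PID 776 wrote to memory of 3788 776 {SALITY_EXE} 34
PID 776 wrote to memory of 4664 776 {SALITY_EXE} 31
PID 776 wrote to memory of 3776 776 {SALITY_EXE} 16
PID 776 wrote to memory of 4956 776 {SALITY_EXE} 14
PID 776 wrote to memory of 888 776 {SALITY_EXE} 83
PID 5100 wrote to memory of 1584 5100 netsh.exe 86
PID 5100 wrote to memory of 792 5100 netsh.exe 9
PID 5100 wrote to memory of 800 5100 netsh.exe 80
PID 5100 wrote to memory of 64 5100 netsh.exe 11
PID 5100 wrote to memory of 2484 5100 netsh.exe 49
PID 5100 wrote to memory of 2504 5100 netsh.exe 48
PID 5100 wrote to memory of 2708 5100 netsh.exe 41
PID 5100 wrote to memory of 2592 5100 netsh.exe 40
PID 5100 wrote to memory of 3148 5100 netsh.exe 39
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_writes(text):
    """Return (source_pid, target_pid) pairs in order of appearance."""
    return [(int(s), int(d)) for s, d in WRITE_RE.findall(text)]


def is_windows_image(path):
    """True for images under C:\\Windows (OS-owned processes)."""
    return path.lower().startswith("c:\\windows\\")


def injection_fanout(writes, processes, min_targets=5):
    """Sources writing into >= min_targets distinct Windows-owned processes."""
    targets = defaultdict(set)
    for src, dst in writes:
        if src != dst:  # a process writing its own memory is not injection
            targets[src].add(dst)
    flagged = {}
    for src, dsts in targets.items():
        system = [d for d in dsts if is_windows_image(processes.get(d, ""))]
        if len(system) >= min_targets:
            flagged[src] = {
                "image": processes.get(src, "<unknown>"),
                "targets": sorted(dsts),
                "system_targets": len(system),
            }
    return flagged


def relay_chains(writes):
    """(injector, relay) pairs: targets that themselves appear as a source."""
    sources = {s for s, _ in writes}
    return sorted({(s, d) for s, d in writes if d in sources and d != s})
```

Run against the sample, injection_fanout flags both 776 and 5100, and relay_chains returns the single hop (776, 5100), which is the netsh.exe instance that carried the injection forward to PID 1584 and the desktop processes. Applied to Sysmon EventID 8/10 style data the same aggregation separates a debugger or AV engine touching one process from a file infector sweeping every process it can open.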
System policy modification 1 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe
Processes
(image path, command line, PID; indentation shows the parent/child relationship, signatures listed under the process that triggered them)
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:64
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4956
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:3776
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4664
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3788
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3600
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3516
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3448
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3344
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3148
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:2592
  C:\Users\Admin\AppData\Local\Temp\d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe  "C:\Users\Admin\AppData\Local\Temp\d4319c52a4886bd00e5151d2916b6684e5b7d3723f94137dcd672f15fecdc6f7.exe"  PID:776
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\netsh.exe  netsh firewall set opmode disable  PID:5100
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Modifies Windows Firewall
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:888
      C:\Windows\SysWOW64\netsh.exe  netsh firewall set opmode disable  PID:1584
        - Modifies Windows Firewall
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2708
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2504
C:\Windows\system32\sihost.exe  sihost.exe  PID:2484
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:800
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 258B
MD5: 42c23da2c20c69fe922d8c0215b8bd5d
SHA1: f5cca984fb35b7e8aa6b9d8ccbf28020da46b64e
SHA256: fc3bca68559d5b421e78a3e4914c7b692cae6407607668397960ab0db787c622
SHA512: 324608c6d7e63d7c5011336b8cb8e2d731addfbf766ece31c47e9392778fe02efde0e3354772a8ef2e7c1634c52df0dd3ef504a6de7b5daea53cec44b65d6c6e