Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 22:09

Static task: static1
Behavioral task: behavioral1
- Sample: e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e.exe
- Resource: win7-20220812-en
General
- Target: e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e.exe
- Size: 211KB
- MD5: 5afd092116be71db537b71b7a5d8f7e0
- SHA1: 6c05f318377302278cda2639559bcc3ce3c91db6
- SHA256: e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e
- SHA512: a9062f733e3cc2603ef09f2354231402ff6d248d0b25591001747417e3693a6ed70af70d257686798fab56131dca1b47f5f27ea597cffcb69eb3718acabc3ba2
- SSDEEP: 3072:dm3K+WkUPb1WpXVxAaGBvbNvNbNJkvmhyPQbaDTUXGIDbwKDqCtrwdAxaVTtVHLa:cxWjoIDbByGPMsMP74Akb6tSBk0
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

In the IoC lists below, "sample" denotes e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e.exe (PID 2316) and weoxii.exe is the executable it drops (PID 5068).

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (weoxii.exe)

UAC bypass (2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (sample)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (weoxii.exe)

Windows security bypass (12 IoCs)
All values are set under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\. The sample is a 32-bit process (the resource is tagged arch:x86 and the netsh.exe, NOTEPAD.EXE and WerFault.exe it launches resolve to SysWOW64), so its writes to HKLM\SOFTWARE are redirected into the WOW6432Node view; when checking a 64-bit host for these values, query both views.
- Set value (int): FirewallOverride = "1" (sample)
- Set value (int): UpdatesDisableNotify = "1" (sample)
- Set value (int): UacDisableNotify = "1" (sample)
- Set value (int): UacDisableNotify = "1" (weoxii.exe)
- Set value (int): AntiVirusOverride = "1" (sample)
- Set value (int): AntiVirusDisableNotify = "1" (sample)
- Set value (int): FirewallDisableNotify = "1" (sample)
- Set value (int): AntiVirusOverride = "1" (weoxii.exe)
- Set value (int): AntiVirusDisableNotify = "1" (weoxii.exe)
- Set value (int): FirewallDisableNotify = "1" (weoxii.exe)
- Set value (int): FirewallOverride = "1" (weoxii.exe)
- Set value (int): UpdatesDisableNotify = "1" (weoxii.exe)

Disables RegEdit via registry modification (2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (sample)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (weoxii.exe)

Disables Task Manager via registry modification
(no IoC recorded for this signature)

Executes dropped EXE (1 IoC)
- PID 5068 weoxii.exe

Modifies Windows Firewall (1 TTPs, 2 IoCs)
- PID 4220 netsh.exe
- PID 1540 netsh.exe
Both instances run "netsh firewall set opmode disable" (see the process tree below); the first is launched by the sample, the second by weoxii.exe.

YARA rule match: upx (7 IoCs)
- behavioral2/memory/2316-133-0x0000000002B80000-0x0000000003BB2000-memory.dmp
- behavioral2/memory/2316-137-0x0000000002B80000-0x0000000003BB2000-memory.dmp
- behavioral2/memory/2316-144-0x0000000002B80000-0x0000000003BB2000-memory.dmp
- behavioral2/memory/2316-147-0x0000000002B80000-0x0000000003BB2000-memory.dmp
- behavioral2/memory/5068-148-0x0000000003250000-0x0000000004282000-memory.dmp
- behavioral2/memory/5068-151-0x0000000003250000-0x0000000004282000-memory.dmp
- behavioral2/memory/5068-152-0x0000000003250000-0x0000000004282000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (sample)

Windows security modification (14 IoCs)
Same key as "Windows security bypass" above (\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\); the additional events are the creation of the Svc subkey by both processes.
- Set value (int): AntiVirusOverride = "1" (sample)
- Set value (int): FirewallDisableNotify = "1" (sample)
- Set value (int): UpdatesDisableNotify = "1" (sample)
- Set value (int): UacDisableNotify = "1" (sample)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (sample)
- Set value (int): AntiVirusOverride = "1" (weoxii.exe)
- Set value (int): AntiVirusDisableNotify = "1" (weoxii.exe)
- Set value (int): FirewallDisableNotify = "1" (weoxii.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (weoxii.exe)
- Set value (int): FirewallOverride = "1" (sample)
- Set value (int): FirewallOverride = "1" (weoxii.exe)
- Set value (int): AntiVirusDisableNotify = "1" (sample)
- Set value (int): UpdatesDisableNotify = "1" (weoxii.exe)
- Set value (int): UacDisableNotify = "1" (weoxii.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (weoxii.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weoxii = "C:\\Users\\Admin\\weoxii.exe" (weoxii.exe)

Checks whether UAC is enabled (2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (sample)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (weoxii.exe)

Drops file in Program Files directory (15 IoCs)
Every IoC under this heading is an existing executable opened for modification, not a newly written file: the 7-Zip and Office Click-to-Run binaries present in the sandbox image.
- File opened for modification: C:\PROGRAM FILES\7-ZIP\Uninstall.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe (sample)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe (sample)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\Uninstall.exe (sample)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe (sample)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe (weoxii.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe (weoxii.exe)

Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\SYSTEM.INI (sample)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
- PID 388 WerFault.exe, handling a crash of PID 2316 (sample)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 64 events, all from PID 2316 (sample) and PID 5068 (weoxii.exe)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 64 events, every one Token: SeDebugPrivilege, all from PID 2316 (sample)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2316 (sample)
- PID 5068 (weoxii.exe)

Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries repeat the same 20 writer/target pairs. Grouped by relationship (taken from the process tree below):
- PID 2316 (sample) wrote to memory of its own descendants: PID 4220 (netsh.exe), PID 2388 (conhost.exe) and PID 5068 (weoxii.exe)
- PID 2316 (sample) wrote to memory of processes it did not create: PID 776 and PID 784 (fontdrvhost.exe), PID 64 (dwm.exe), PID 2268 (sihost.exe), PID 2300 and PID 2796 (svchost.exe), PID 2440 (taskhostw.exe), PID 3056 (Explorer.EXE, its own parent), PID 3276 (DllHost.exe), PID 3376 (StartMenuExperienceHost.exe), PID 3580 (SearchApp.exe), PID 1208, PID 3436, PID 3840 and PID 4776 (RuntimeBroker.exe), PID 4952 (backgroundTaskHost.exe)
- PID 5068 (weoxii.exe) wrote to memory of PID 2316 (sample), its own parent

System policy modification (1 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (sample)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (weoxii.exe)
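Taken one at a time, most of the registry IoCs above are weak: an EnableLUA write or a Security Center override also shows up in admin tooling and some installers. Together they form a recognisable shape: UAC off, Security Center notifications suppressed, regedit disabled, the host firewall switched off through netsh, and persistence through a Run key pointing at an executable in the user's profile root. The Python below is an added example, not part of the Triage report, showing how to turn those IoCs into a per-process detector over Sysmon-style telemetry. The input records are constructed from the report's values; their field names (type, image, parent_image, path, value, cmdline) and the function names are this example's own schema, loosely modelled on Sysmon Event ID 13 (RegistryEvent SetValue) and Event ID 1 (ProcessCreate), not Sysmon's actual XML.

```python
"""Per-process scoring of the defence-evasion / persistence IoCs seen in the report.
Added example; not part of the Triage report. Event records below are constructed
from the report's values; the field names are this example's own schema."""
import re
from collections import defaultdict

# Security Center values the report shows being set to 1 (status overridden or
# notifications suppressed). Matched case-insensitively on the value name.
SECURITY_CENTER_VALUES = {
    "antivirusoverride", "antivirusdisablenotify",
    "firewalloverride", "firewalldisablenotify",
    "updatesdisablenotify", "uacdisablenotify",
}

# netsh command lines that turn the host firewall off: the legacy syntax used in this
# report, and the advfirewall syntax that replaced it on newer Windows versions.
FIREWALL_OFF = [
    re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b", re.I),
    re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
]


def classify_registry(path, value):
    """Map one registry SetValue to a tamper category, or None if it is uninteresting."""
    # Triage reports \REGISTRY\MACHINE\..., Sysmon reports HKLM\...; both are handled by
    # comparing lower-cased tails. The WOW6432Node redirection a 32-bit writer gets on
    # 64-bit Windows is stripped so one rule covers both registry views.
    p = path.lower().replace("\\wow6432node", "")
    tail = p.rsplit("\\", 1)[-1]
    if p.endswith("\\policies\\system\\enablelua") and value == "0":
        return "uac_disabled"
    if "\\security center\\" in p and tail in SECURITY_CENTER_VALUES and value == "1":
        return "security_center_override"
    if tail == "disableregistrytools" and value == "1":
        return "regedit_disabled"
    if tail == "disabletaskmgr" and value == "1":
        return "taskmgr_disabled"
    if p.endswith("\\explorer\\advanced\\showsuperhidden") and value == "0":
        return "hidden_files_hidden"
    # Run entry whose target is an executable sitting directly in a user profile, as
    # C:\Users\Admin\weoxii.exe does in this report.
    if "\\currentversion\\run\\" in p and re.search(r"\\users\\[^\\]+\\[^\\]+\.exe", value.lower()):
        return "run_key_user_profile"
    return None


def classify_process(cmdline):
    """Flag command lines that disable the Windows firewall."""
    return "firewall_disabled" if any(r.search(cmdline) for r in FIREWALL_OFF) else None


def assess(events, threshold=3):
    """Collect categories per acting process. A spawned tool such as netsh is attributed
    to the parent that launched it. Three or more distinct categories from one process is
    reported as high confidence; a single category on its own is only a weak signal."""
    per_proc = defaultdict(set)
    for ev in events:
        if ev["type"] == "registry_set":
            cat, actor = classify_registry(ev["path"], ev["value"]), ev["image"]
        else:  # process_create
            cat, actor = classify_process(ev["cmdline"]), ev["parent_image"]
        if cat:
            per_proc[actor].add(cat)
    return {img: {"categories": sorted(cats), "high_confidence": len(cats) >= threshold}
            for img, cats in per_proc.items()}


SAMPLE = "e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"


def reg(image, path, value):
    return {"type": "registry_set", "image": image, "path": path, "value": value}


# Constructed input: a subset of the report's IoCs plus two benign look-alikes.
EVENTS = [
    reg(SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    reg(SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride", "1"),
    reg(SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride", "1"),
    reg(SAMPLE, USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools", "1"),
    {"type": "process_create", "parent_image": SAMPLE, "cmdline": "netsh firewall set opmode disable"},
    reg("weoxii.exe", USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "0"),
    reg("weoxii.exe", USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weoxii", r"C:\Users\Admin\weoxii.exe"),
    # Benign: an installer's Run entry under Program Files, and UAC being switched back on.
    reg("explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    reg("svchost.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "1"),
]

if __name__ == "__main__":
    for image, verdict in assess(EVENTS).items():
        print(image, verdict)
```

With this input the sample scores four categories (high confidence) and weoxii.exe two; the OneDrive Run entry and the EnableLUA = 1 write produce nothing. Threshold-based scoring is deliberately coarse: the point is that the combination is what distinguishes this behaviour from a single policy change made by an administrator.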
Processes
(Indentation follows the process tree. Each entry gives image path, command line and PID; the signatures a process triggered are listed beneath it.)

- C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"  PID: 776
- C:\Windows\system32\dwm.exe  cmdline: "dwm.exe"  PID: 64
- C:\Windows\system32\sihost.exe  cmdline: sihost.exe  PID: 2268
- C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID: 2300
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 1208
- C:\Windows\system32\backgroundTaskHost.exe  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID: 4952
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 4776
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 3840
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID: 3580
- C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 3436
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID: 3376
- C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID: 3276
- C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID: 2796
- C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  PID: 3056
  - C:\Users\Admin\AppData\Local\Temp\e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e.exe"  PID: 2316
    signatures: UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Checks computer location settings; Windows security modification; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\netsh.exe  cmdline: netsh firewall set opmode disable  PID: 4220
      signatures: Modifies Windows Firewall
      - C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID: 2388
    - C:\Users\Admin\weoxii.exe  cmdline: "C:\Users\Admin\weoxii.exe"  PID: 5068
      signatures: Modifies visibility of hidden/system files in Explorer; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Windows\SysWOW64\netsh.exe  cmdline: netsh firewall set opmode disable  PID: 1540
        signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\NOTEPAD.EXE  cmdline: "C:\Windows\system32\NOTEPAD.EXE"  PID: 804
    - C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 2092  PID: 388
      signatures: Program crash
- C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID: 2440
- C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"  PID: 784
- C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2316 -ip 2316  PID: 376
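The WriteProcessMemory signature counts 64 cross-process writes, but the process tree shows they are of two different kinds. PID 2316 writing into netsh.exe, conhost.exe and weoxii.exe is a parent writing into processes it had just created, which every parent does during start-up. PID 2316 writing into fontdrvhost.exe, dwm.exe, Explorer.EXE, RuntimeBroker.exe and the other top-level processes, and weoxii.exe writing back into its own parent, have no such explanation and are the actual injection evidence. The Python below is an added example, not from the report or from Triage, that separates the two using only parent/child relationships. PROCESSES and WRITES are transcribed from the process tree and the signature above (repeated writer/target pairs collapsed; top-level processes are given parent PID 0 because the report shows no parent for them); is_descendant, classify_writes, injected_images and writers_by_target_count are names chosen for this example.

```python
"""Separate parent-to-child writes that belong to normal process start-up from writes into
unrelated processes (code injection). Added example; not part of the Triage report.
PROCESSES and WRITES are taken from the report's process tree and its
'Suspicious use of WriteProcessMemory' signature, with duplicate pairs collapsed."""
from collections import defaultdict

SAMPLE = "e651613dae47442f22c83e35c1ff73d9c84762c9e1b995f598c243ca632ac55e.exe"

# (pid, parent_pid, image); parent 0 marks a top-level process in the report's tree.
PROCESSES = [
    (3056, 0, "Explorer.EXE"),
    (2316, 3056, SAMPLE),
    (4220, 2316, "netsh.exe"), (2388, 4220, "conhost.exe"),
    (5068, 2316, "weoxii.exe"), (1540, 5068, "netsh.exe"),
    (804, 2316, "NOTEPAD.EXE"), (388, 2316, "WerFault.exe"),
    (776, 0, "fontdrvhost.exe"), (784, 0, "fontdrvhost.exe"), (64, 0, "dwm.exe"),
    (2268, 0, "sihost.exe"), (2300, 0, "svchost.exe"), (2796, 0, "svchost.exe"),
    (2440, 0, "taskhostw.exe"), (3276, 0, "DllHost.exe"),
    (3376, 0, "StartMenuExperienceHost.exe"), (3580, 0, "SearchApp.exe"),
    (1208, 0, "RuntimeBroker.exe"), (3436, 0, "RuntimeBroker.exe"),
    (3840, 0, "RuntimeBroker.exe"), (4776, 0, "RuntimeBroker.exe"),
    (4952, 0, "backgroundTaskHost.exe"),
]

# (writer_pid, target_pid), de-duplicated from the signature's 64 entries.
WRITES = [(2316, t) for t in (4220, 776, 784, 64, 2268, 2300, 2440, 3056, 2796, 3276, 3376,
                              3436, 3580, 3840, 4776, 4952, 1208, 2388, 5068)] + [(5068, 2316)]


def is_descendant(parent_of, pid, ancestor):
    """True if `ancestor` is on pid's parent chain (direct child or deeper)."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        if pid == ancestor:
            return True
    return False


def classify_writes(processes, writes):
    """Bucket each write as 'child_setup' (target is a descendant of the writer, the shape
    of CreateProcess-style start-up) or 'injection' (anything else: a sibling, an unrelated
    system process, or the writer's own parent)."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    image = {pid: img for pid, _, img in processes}
    buckets = {"child_setup": [], "injection": []}
    for writer, target in writes:
        key = "child_setup" if is_descendant(parent_of, target, writer) else "injection"
        buckets[key].append((writer, target, image.get(target, "unknown")))
    return buckets


def injected_images(processes, writes):
    """Distinct image names that received a write from a process that is not their ancestor."""
    return sorted({img for _, _, img in classify_writes(processes, writes)["injection"]})


def writers_by_target_count(processes, writes):
    """Writer PID -> number of distinct non-descendant targets. A high count spread over
    many different images is the footprint a process-wide injector leaves behind."""
    counts = defaultdict(set)
    for writer, target, _ in classify_writes(processes, writes)["injection"]:
        counts[writer].add(target)
    return {w: len(t) for w, t in counts.items()}


if __name__ == "__main__":
    result = classify_writes(PROCESSES, WRITES)
    print("start-up writes:", result["child_setup"])
    print("injection targets:", injected_images(PROCESSES, WRITES))
    print("non-descendant targets per writer:", writers_by_target_count(PROCESSES, WRITES))
```

On this report's data the filter leaves 3 start-up writes and 17 injection writes, the latter spread over 12 distinct images with PID 2316 alone touching 16 processes it did not create. The filter only removes noise in one direction: a write into a descendant is not proof of benign start-up, since an infector that injects into every process it can open will also hit its own children.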
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 211KB
  MD5: e4441895acf00144d9ed7c649a062264
  SHA1: 1921978c3223d7dde4b300bba630a5b00cd82a69
  SHA256: 23b50b9f103ac37e6652a434ca7e099a575bc3724e790ccdee506219d7f7732c
  SHA512: ef27a4723ef69b49049ad1a02b8fa194cb9cf2668392d96ef614c6a62ee52069976a05288215d036fbf91a3d0241f39ae54e306237c35bb4a0a6f8bae76fdb24
- Filesize: 211KB (second entry, identical hashes to the file above)
  MD5: e4441895acf00144d9ed7c649a062264
  SHA1: 1921978c3223d7dde4b300bba630a5b00cd82a69
  SHA256: 23b50b9f103ac37e6652a434ca7e099a575bc3724e790ccdee506219d7f7732c
  SHA512: ef27a4723ef69b49049ad1a02b8fa194cb9cf2668392d96ef614c6a62ee52069976a05288215d036fbf91a3d0241f39ae54e306237c35bb4a0a6f8bae76fdb24
- Filesize: 258B
  MD5: 27898c2b0583d046752dda2e674c3c8b
  SHA1: b1dfdde483b3cbed921e88b619259667c13a63a9
  SHA256: f7f0b13c798f67c9a8cccae4bc30ea2bf959b277b998c80e08780f1a1a801271
  SHA512: f45c6323c42b9aad2b8add96c64e79534f553d5c951fc7cb3dca24612b5e9e2aef1493cd6f7b1e647af2be0a3802db86bd54bfa990bf108fbbb49cfab3ad3383

The 211KB download is the same size as the submitted sample but has different hashes, so the dropped executable is not a byte-identical copy of it; hash-based hunting for this case needs both sets of values.