sality | f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Jfjhjq.exe

Windows security bypass 2 TTPs 12 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	Jfjhjq.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
4780	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
2276	Jfjhjq.exe
116	Jfjhjq.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3908	netsh.exe
444	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4268-134-0x0000000002360000-0x0000000003393000-memory.dmp	upx
behavioral2/memory/4268-136-0x0000000002360000-0x0000000003393000-memory.dmp	upx
behavioral2/memory/4268-144-0x0000000002360000-0x0000000003393000-memory.dmp	upx
behavioral2/memory/2276-149-0x0000000002310000-0x0000000003343000-memory.dmp	upx
behavioral2/memory/2276-152-0x0000000002310000-0x0000000003343000-memory.dmp	upx
behavioral2/memory/2276-159-0x0000000002310000-0x0000000003343000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Jfjhjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Jfjhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Jfjhjq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jfjhjq = "C:\\Users\\Admin\\AppData\\Roaming\\Jfjhjq.exe"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Jfjhjq.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4268 set thread context of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 2276 set thread context of 116	2276	Jfjhjq.exe	93

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "846581886"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991634"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991634"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373096877"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{513217BC-5105-11ED-B696-72E07057041D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "846581886"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
4780	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
4780	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
2276	Jfjhjq.exe
2276	Jfjhjq.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Token: SeDebugPrivilege	2276	Jfjhjq.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1840	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
4368	IEXPLORE.EXE
4368	IEXPLORE.EXE
4368	IEXPLORE.EXE
4368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 784	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	69
PID 4268 wrote to memory of 792	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	68
PID 4268 wrote to memory of 312	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	65
PID 4268 wrote to memory of 3908	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	79
PID 4268 wrote to memory of 3908	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	79
PID 4268 wrote to memory of 3908	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	79
PID 4268 wrote to memory of 2320	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	36
PID 4268 wrote to memory of 2336	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	35
PID 4268 wrote to memory of 2448	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	34
PID 4268 wrote to memory of 2984	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	24
PID 4268 wrote to memory of 2840	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	23
PID 4268 wrote to memory of 3264	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	22
PID 4268 wrote to memory of 3356	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	21
PID 4268 wrote to memory of 3424	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	20
PID 4268 wrote to memory of 3516	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	19
PID 4268 wrote to memory of 3692	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	18
PID 4268 wrote to memory of 4596	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	15
PID 4268 wrote to memory of 4420	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	4
PID 4268 wrote to memory of 1048	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	1
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4268 wrote to memory of 4780	4268	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	86
PID 4780 wrote to memory of 2276	4780	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	90
PID 4780 wrote to memory of 2276	4780	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	90
PID 4780 wrote to memory of 2276	4780	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe	90
PID 2276 wrote to memory of 784	2276	Jfjhjq.exe	69
PID 2276 wrote to memory of 444	2276	Jfjhjq.exe	91
PID 2276 wrote to memory of 792	2276	Jfjhjq.exe	68
PID 2276 wrote to memory of 444	2276	Jfjhjq.exe	91
PID 2276 wrote to memory of 444	2276	Jfjhjq.exe	91
PID 2276 wrote to memory of 312	2276	Jfjhjq.exe	65
PID 2276 wrote to memory of 2320	2276	Jfjhjq.exe	36
PID 2276 wrote to memory of 2336	2276	Jfjhjq.exe	35
PID 2276 wrote to memory of 2448	2276	Jfjhjq.exe	34
PID 2276 wrote to memory of 2984	2276	Jfjhjq.exe	24
PID 2276 wrote to memory of 2840	2276	Jfjhjq.exe	23
PID 2276 wrote to memory of 3264	2276	Jfjhjq.exe	22
PID 2276 wrote to memory of 3356	2276	Jfjhjq.exe	21
PID 2276 wrote to memory of 3424	2276	Jfjhjq.exe	20
PID 2276 wrote to memory of 3516	2276	Jfjhjq.exe	19
PID 2276 wrote to memory of 3692	2276	Jfjhjq.exe	18
PID 2276 wrote to memory of 4596	2276	Jfjhjq.exe	15
PID 2276 wrote to memory of 1048	2276	Jfjhjq.exe	1
PID 2276 wrote to memory of 444	2276	Jfjhjq.exe	91
PID 2276 wrote to memory of 444	2276	Jfjhjq.exe	91
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 2276 wrote to memory of 116	2276	Jfjhjq.exe	93
PID 116 wrote to memory of 4004	116	Jfjhjq.exe	94
PID 116 wrote to memory of 4004	116	Jfjhjq.exe	94
PID 116 wrote to memory of 4004	116	Jfjhjq.exe	94
PID 116 wrote to memory of 4004	116	Jfjhjq.exe	94

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Jfjhjq.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1048

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4420

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4596

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2840

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
  "C:\Users\Admin\AppData\Local\Temp\f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4268
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe
    "C:\Users\Admin\AppData\Local\Temp\f46055f4579a7a80c03419eb069bf086b96d8ad72693d0faaae701893a966179.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Users\Admin\AppData\Roaming\Jfjhjq.exe
      "C:\Users\Admin\AppData\Roaming\Jfjhjq.exe"
      4⤵
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2276
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        5⤵
        Modifies Windows Firewall
        
        PID:444
    - - C:\Users\Admin\AppData\Roaming\Jfjhjq.exe
        
        "C:\Users\Admin\AppData\Roaming\Jfjhjq.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:17410 /prefetch:2
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4368

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2320

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:312

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry