Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 01:59
Static task: static1
Behavioral task: behavioral1
- Sample: 37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe
- Resource: win7-20220812-en
General
- Target: 37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe
- Size: 206KB
- MD5: 93dfc059eca953f965daffbd5bfdcc20
- SHA1: 6c65353faf17815857e0bb474681eb42c5291978
- SHA256: 37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced
- SHA512: 2c18b9600ebd9fec54cd2f774cb2ebcec11a1c0030f233ddbe555e4378ee39c9025b9448bb2f550203abbc9d28e5513637409a3b7ce65cb33e38ce128bdb6cee
- SSDEEP: 3072:rkqoCl/YgjxEufVU0TbTyDDalbyCH99X5tpX2vz4eAILUr:rjLqdufVUNDar9JHX2vEI0
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)

- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (explorer.exe)

- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (explorer.exe)
Disables RegEdit via registry modification (2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (explorer.exe)
Disables Task Manager via registry modification
Executes dropped EXE (4 IoCs)
- PID 4548 explorer.exe
- PID 4588 spoolsv.exe
- PID 3488 svchost.exe
- PID 3208 spoolsv.exe

- behavioral2/memory/4396-133-0x0000000002CF0000-0x0000000003D7D000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4396-146-0x0000000002CF0000-0x0000000003D7D000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4396-167-0x0000000002CF0000-0x0000000003D7D000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4548-168-0x0000000003270000-0x00000000042FD000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4548-170-0x0000000003270000-0x00000000042FD000-memory.dmp (yara_rule: upx)

- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (explorer.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (explorer.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)

- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)
Drops file in Program Files directory (11 IoCs)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe (explorer.exe)
- File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe (explorer.exe)
Drops file in Windows directory (5 IoCs)
- File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (explorer.exe)
- File opened for modification C:\Windows\SYSTEM.INI (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 4548 explorer.exe
- PID 3488 svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 4396 37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe
- PID 4396 37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe
- PID 4548 explorer.exe
- PID 4548 explorer.exe
- PID 4588 spoolsv.exe
- PID 4588 spoolsv.exe
- PID 3488 svchost.exe
- PID 3488 svchost.exe
- PID 3208 spoolsv.exe
- PID 3208 spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (explorer.exe)
Processes
- C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe"), PID:764
- C:\Windows\system32\dwm.exe (cmdline: "dwm.exe"), PID:1016
- C:\Windows\system32\fontdrvhost.exe (cmdline: "fontdrvhost.exe"), PID:772
- C:\Windows\system32\sihost.exe (cmdline: sihost.exe), PID:2288
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:3416
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca), PID:3356
- C:\Windows\system32\backgroundTaskHost.exe (cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca), PID:4420
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:4652
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:3688
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca), PID:3568
- C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID:3248
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc), PID:2832
- C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE), PID:3048
  - C:\Users\Admin\AppData\Local\Temp\37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe"), PID:4396
    Signatures:
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Child process:
    - \??\c:\windows\resources\themes\explorer.exe (cmdline: c:\windows\resources\themes\explorer.exe), PID:4548
      Signatures:
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      Child process:
      - \??\c:\windows\resources\spoolsv.exe (cmdline: c:\windows\resources\spoolsv.exe SE), PID:4588
        Signatures:
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Child process:
        - \??\c:\windows\resources\svchost.exe (cmdline: c:\windows\resources\svchost.exe), PID:3488
          Signatures:
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          Child process:
          - \??\c:\windows\resources\spoolsv.exe (cmdline: c:\windows\resources\spoolsv.exe PR), PID:3208
            Signatures:
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskhostw.exe (cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}), PID:2436
- C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc), PID:2296
- C:\Windows\System32\RuntimeBroker.exe (cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:384
Network
MITRE ATT&CK Enterprise v6
Downloads