Analysis
-
max time kernel: 91s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 11:54
Static task: static1
Behavioral task: behavioral1
Sample: 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
Resource: win7-20220901-en
General
-
Target: 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
Size: 828KB
MD5: 0d8c30ae194954c069922e4a45ff9a37
SHA1: 3614b374a8c9b308870b3752f2ceb88a8c996020
SHA256: 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7
SHA512: 865c518ba0b24072f7340214d0503627aea78b31ac49300a64c15b289c0423dce5c86fe528670603f54dda12a203d18010ee3d0470677e4221d1595c42130f1d
SSDEEP: 12288:VysxWptwlMYHUVmkzTkOclORhf9F8YqJDchVExnj9rxQgGzfhpnzdB3BxQDvkq:VJEpmmY0Vm+0efFDYN9raDpnfxxd
Malware Config
-
Extracted
Family: sality
C2 URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service  (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
-
UAC bypass  (heading restored from the signature list in the Processes section)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
-
Windows security bypass  (heading restored from the signature list in the Processes section)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
-
Executes dropped EXE  (1 IoCs)
  pid | Process
  4908 | update.exe
-
YARA rule matches (upx)
  resource | yara_rule
  behavioral2/memory/2484-133-0x0000000002500000-0x000000000358E000-memory.dmp | upx
  behavioral2/memory/2484-134-0x0000000002500000-0x000000000358E000-memory.dmp | upx
  behavioral2/memory/2484-144-0x0000000002500000-0x000000000358E000-memory.dmp | upx
  behavioral2/memory/2484-146-0x0000000002500000-0x000000000358E000-memory.dmp | upx
-
Loads dropped DLL  (2 IoCs)
  pid | Process
  4908 | update.exe
  4908 | update.exe
-
Windows security modification  (heading restored from the signature list in the Processes section)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
-
Checks whether UAC is enabled  (heading restored from the signature list in the Processes section)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
-
Enumerates connected drives  (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\I: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\J: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\K: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\N: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\P: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\Q: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\E: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\F: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\G: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\H: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\L: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\M: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened (read-only) | \??\O: | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
-
Drops file in Windows directory  (3 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\KB888111.log | update.exe
  File opened for modification | C:\Windows\SYSTEM.INI | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  File opened for modification | C:\Windows\setupapi.log | update.exe
-
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses  (4 IoCs)
  pid | Process
  2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  (the same row is reported 4 times)
-
Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
  (the same row is reported 64 times)
-
Suspicious use of WriteProcessMemory  (33 IoCs)
  description | pid | Process | procid_target
  PID 2484 wrote to memory of 768 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 9
  PID 2484 wrote to memory of 776 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 76
  PID 2484 wrote to memory of 992 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 10
  PID 2484 wrote to memory of 2368 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 20
  PID 2484 wrote to memory of 2388 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 59
  PID 2484 wrote to memory of 2476 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 58
  PID 2484 wrote to memory of 3060 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 52
  PID 2484 wrote to memory of 3080 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 30
  PID 2484 wrote to memory of 3284 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 51
  PID 2484 wrote to memory of 3368 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 32
  PID 2484 wrote to memory of 3444 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 31
  PID 2484 wrote to memory of 3528 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 33
  PID 2484 wrote to memory of 3728 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 50
  PID 2484 wrote to memory of 4712 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 35
  PID 2484 wrote to memory of 4908 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 78
  PID 2484 wrote to memory of 4908 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 78
  PID 2484 wrote to memory of 4908 | 2484 | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe | 78
  (the first 16 rows above are then reported a second time, giving 33 entries in total)
-
System policy modification  (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
Processes
-
(indentation shows the parent/child depth recorded in the report)
PID 768    C:\Windows\system32\fontdrvhost.exe
           cmd: "fontdrvhost.exe"
PID 992    C:\Windows\system32\dwm.exe
           cmd: "dwm.exe"
PID 2368   C:\Windows\system32\sihost.exe
           cmd: sihost.exe
PID 3080   C:\Windows\system32\svchost.exe
           cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3444   C:\Windows\System32\RuntimeBroker.exe
           cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3368   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
           cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3528   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
           cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4712   C:\Windows\System32\RuntimeBroker.exe
           cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3728   C:\Windows\System32\RuntimeBroker.exe
           cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3284   C:\Windows\system32\DllHost.exe
           cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3060   C:\Windows\Explorer.EXE
           cmd: C:\Windows\Explorer.EXE
  PID 2484   C:\Users\Admin\AppData\Local\Temp\5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe
             cmd: "C:\Users\Admin\AppData\Local\Temp\5d9268441546c10c89b7ad94d7d0b5f7f81777430c403b82e1d936648ad477b7.exe"
             - Modifies firewall policy service
             - UAC bypass
             - Windows security bypass
             - Windows security modification
             - Checks whether UAC is enabled
             - Enumerates connected drives
             - Drops file in Windows directory
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
             - System policy modification
    PID 4908   \??\c:\ecfa16fb511a21f0d5f692dbcf\update\update.exe
               cmd: c:\ecfa16fb511a21f0d5f692dbcf\update\update.exe
               - Executes dropped EXE
               - Loads dropped DLL
               - Drops file in Windows directory
PID 2476   C:\Windows\system32\taskhostw.exe
           cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 2388   C:\Windows\system32\svchost.exe
           cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 776    C:\Windows\system32\fontdrvhost.exe
           cmd: "fontdrvhost.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads