Analysis
max time kernel: 169s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2022, 11:38
Static task: static1
Behavioral task: behavioral1
Sample: 34485b218ee047d83a2e19741ae9e44d235e2928c2fdd6bf204d0a6869a825bd.exe
Resource: win7-20220812-en

General
Target: 34485b218ee047d83a2e19741ae9e44d235e2928c2fdd6bf204d0a6869a825bd.exe
Size: 1008KB
MD5: 2070b69a9cda563b21f779f6a0fa1330
SHA1: 0a6efa5cc99b5b9b8cd4d623e43671d035e910f4
SHA256: 34485b218ee047d83a2e19741ae9e44d235e2928c2fdd6bf204d0a6869a825bd
SHA512: c73a118eb3d332aac480e8bb13538a24251adedac664c248b540c1ba26cce0420a122440fc5fbbe2ad04a523bba1565c4caef6a9bc9be9312d5276531fa10846
SSDEEP: 24576:aM5ZXrFPTjft7CNJ8xmvQ9811eHu8vJSx38VtS:3BK8Io97y3itS
Malware Config
Signatures
Disables taskbar notifications via registry modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2971393436-602173351-1645505021-1000 (elevation_service.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2971393436-602173351-1645505021-1000\EnableNotifications = "0" (elevation_service.exe)

Executes dropped EXE (2 IoCs)
- PID 216: elevation_service.exe
- PID 2024: TrustedInstaller.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (46 IoCs)
Drops file in Program Files directory (31 IoCs)
Drops file in Windows directory (5 IoCs)
- File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (elevation_service.exe)
- File opened for modification: \??\c:\windows\servicing\trustedinstaller.exe (elevation_service.exe)
- File created: C:\Windows\Logs\CBS\CBS.log (TrustedInstaller.exe)
- File opened for modification: C:\Windows\Logs\CBS\CBS.log (TrustedInstaller.exe)
- File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (34485b218ee047d83a2e19741ae9e44d235e2928c2fdd6bf204d0a6869a825bd.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (46 IoCs)
- PID 216: elevation_service.exe
Suspicious behavior: LoadsDriver (2 IoCs)
- PID 652: Process not Found
- PID 652: Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeTakeOwnershipPrivilege, PID 2368 (34485b218ee047d83a2e19741ae9e44d235e2928c2fdd6bf204d0a6869a825bd.exe)
- Token: SeTakeOwnershipPrivilege, PID 216 (elevation_service.exe)

System policy modification (1 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (elevation_service.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (elevation_service.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\34485b218ee047d83a2e19741ae9e44d235e2928c2fdd6bf204d0a6869a825bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34485b218ee047d83a2e19741ae9e44d235e2928c2fdd6bf204d0a6869a825bd.exe"
  PID: 2368
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
  PID: 216
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
- C:\Windows\servicing\TrustedInstaller.exe
  Command line: C:\Windows\servicing\TrustedInstaller.exe
  PID: 2024
  - Executes dropped EXE
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Downloads