sality | e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXEdc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

Fun.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Windows security bypass 2 TTPs 12 IoCs

Disabling Security Tools

Modify Registry

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Executes dropped EXE 3 IoCs

Processes:

Fun.exeSVIQ.EXEdc.exe

pid process

5040 Fun.exe
2292 SVIQ.EXE
1844 dc.exe

pid	process
5040	Fun.exe
2292	SVIQ.EXE
1844	dc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4216-133-0x0000000002C30000-0x0000000003CBE000-memory.dmp	upx
behavioral2/memory/4216-137-0x0000000002C30000-0x0000000003CBE000-memory.dmp	upx
behavioral2/memory/4216-182-0x0000000002C30000-0x0000000003CBE000-memory.dmp	upx
behavioral2/memory/5040-183-0x00000000036E0000-0x000000000476E000-memory.dmp	upx
behavioral2/memory/5040-185-0x00000000036E0000-0x000000000476E000-memory.dmp	upx
behavioral2/memory/5040-186-0x00000000036E0000-0x000000000476E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Fun.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

dc.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	SVIQ.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	SVIQ.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Fun.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Fun.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

description	ioc	process
File opened (read-only)	\??\G:	Fun.exe
File opened (read-only)	\??\I:	Fun.exe
File opened (read-only)	\??\J:	Fun.exe
File opened (read-only)	\??\E:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\F:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\G:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\E:	Fun.exe
File opened (read-only)	\??\L:	Fun.exe
File opened (read-only)	\??\P:	Fun.exe
File opened (read-only)	\??\S:	Fun.exe
File opened (read-only)	\??\T:	Fun.exe
File opened (read-only)	\??\U:	Fun.exe
File opened (read-only)	\??\W:	Fun.exe
File opened (read-only)	\??\Y:	Fun.exe
File opened (read-only)	\??\Z:	Fun.exe
File opened (read-only)	\??\H:	Fun.exe
File opened (read-only)	\??\K:	Fun.exe
File opened (read-only)	\??\M:	Fun.exe
File opened (read-only)	\??\O:	Fun.exe
File opened (read-only)	\??\V:	Fun.exe
File opened (read-only)	\??\X:	Fun.exe
File opened (read-only)	\??\F:	Fun.exe
File opened (read-only)	\??\N:	Fun.exe
File opened (read-only)	\??\Q:	Fun.exe
File opened (read-only)	\??\R:	Fun.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

Fun.exe

description ioc process

File opened for modification C:\autorun.inf Fun.exe

description	ioc	process
File opened for modification	C:\autorun.inf	Fun.exe

Drops file in System32 directory 10 IoCs

Processes:

dc.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	dc.exe
File created	C:\Windows\SysWOW64\WinSit.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\SysWOW64\config\Win.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	dc.exe

Drops file in Program Files directory 11 IoCs

Processes:

Fun.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	Fun.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	Fun.exe

Drops file in Windows directory 37 IoCs

Processes:

Fun.exeSVIQ.EXEe02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exedc.exe

description	ioc	process
File opened for modification	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\dc.exe	SVIQ.EXE
File opened for modification	C:\Windows\SVIQ.EXE	SVIQ.EXE
File opened for modification	C:\Windows\system\Fun.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SVIQ.EXE	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\inf\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SVIQ.EXE	dc.exe
File opened for modification	C:\Windows\inf\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	dc.exe
File opened for modification	C:\Windows\Help\Other.exe	SVIQ.EXE
File created	C:\Windows\dc.exe	dc.exe
File opened for modification	C:\Windows\inf\Other.exe	dc.exe
File opened for modification	C:\Windows\Help\Other.exe	dc.exe
File created	C:\Windows\SVIQ.EXE	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\Help\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\SYSTEM.INI	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\dc.exe	dc.exe
File opened for modification	C:\Windows\Help\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\system\Fun.exe	SVIQ.EXE
File created	C:\Windows\system\Fun.exe	dc.exe
File created	C:\Windows\SVIQ.EXE	dc.exe
File opened for modification	C:\Windows\SVIQ.exe	SVIQ.EXE
File opened for modification	C:\Windows\system\Fun.exe	SVIQ.EXE
File opened for modification	C:\Windows\dc.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\wininit.ini	SVIQ.EXE
File opened for modification	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	SVIQ.EXE
File opened for modification	C:\Windows\inf\Other.exe	SVIQ.EXE
File opened for modification	C:\Windows\system\Fun.exe	dc.exe
File opened for modification	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\dc.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\wininit.ini	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXEdc.exe

pid	process
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
5040	Fun.exe
5040	Fun.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
1844	dc.exe
1844	dc.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
5040	Fun.exe
5040	Fun.exe
1844	dc.exe
1844	dc.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
1844	dc.exe
5040	Fun.exe
1844	dc.exe
5040	Fun.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
5040	Fun.exe
5040	Fun.exe
1844	dc.exe
1844	dc.exe
5040	Fun.exe
5040	Fun.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
5040	Fun.exe
5040	Fun.exe
1844	dc.exe
1844	dc.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
5040	Fun.exe
5040	Fun.exe
1844	dc.exe
1844	dc.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
5040	Fun.exe
5040	Fun.exe
1844	dc.exe
1844	dc.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
5040	Fun.exe
5040	Fun.exe
1844	dc.exe
1844	dc.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
5040	Fun.exe
5040	Fun.exe
1844	dc.exe
1844	dc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

description	pid	process
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXEdc.exe

pid	process
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
5040	Fun.exe
5040	Fun.exe
2292	SVIQ.EXE
2292	SVIQ.EXE
1844	dc.exe
1844	dc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exe

description	pid	process	target process
PID 4216 wrote to memory of 780	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	fontdrvhost.exe
PID 4216 wrote to memory of 788	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	fontdrvhost.exe
PID 4216 wrote to memory of 1016	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dwm.exe
PID 4216 wrote to memory of 2336	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	sihost.exe
PID 4216 wrote to memory of 2376	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	svchost.exe
PID 4216 wrote to memory of 2608	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	taskhostw.exe
PID 4216 wrote to memory of 2724	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Explorer.EXE
PID 4216 wrote to memory of 3096	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	svchost.exe
PID 4216 wrote to memory of 3292	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	DllHost.exe
PID 4216 wrote to memory of 3444	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	StartMenuExperienceHost.exe
PID 4216 wrote to memory of 3524	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	RuntimeBroker.exe
PID 4216 wrote to memory of 3608	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	SearchApp.exe
PID 4216 wrote to memory of 3888	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	RuntimeBroker.exe
PID 4216 wrote to memory of 4852	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	RuntimeBroker.exe
PID 4216 wrote to memory of 5040	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 4216 wrote to memory of 5040	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 4216 wrote to memory of 5040	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 5040 wrote to memory of 2292	5040	Fun.exe	SVIQ.EXE
PID 5040 wrote to memory of 2292	5040	Fun.exe	SVIQ.EXE
PID 5040 wrote to memory of 2292	5040	Fun.exe	SVIQ.EXE
PID 4216 wrote to memory of 1844	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 4216 wrote to memory of 1844	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 4216 wrote to memory of 1844	4216	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 5040 wrote to memory of 780	5040	Fun.exe	fontdrvhost.exe
PID 5040 wrote to memory of 788	5040	Fun.exe	fontdrvhost.exe
PID 5040 wrote to memory of 1016	5040	Fun.exe	dwm.exe
PID 5040 wrote to memory of 2336	5040	Fun.exe	sihost.exe
PID 5040 wrote to memory of 2376	5040	Fun.exe	svchost.exe
PID 5040 wrote to memory of 2608	5040	Fun.exe	taskhostw.exe
PID 5040 wrote to memory of 2724	5040	Fun.exe	Explorer.EXE
PID 5040 wrote to memory of 3096	5040	Fun.exe	svchost.exe
PID 5040 wrote to memory of 3292	5040	Fun.exe	DllHost.exe
PID 5040 wrote to memory of 3444	5040	Fun.exe	StartMenuExperienceHost.exe
PID 5040 wrote to memory of 3524	5040	Fun.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3608	5040	Fun.exe	SearchApp.exe
PID 5040 wrote to memory of 3888	5040	Fun.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 4852	5040	Fun.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 2292	5040	Fun.exe	SVIQ.EXE
PID 5040 wrote to memory of 2292	5040	Fun.exe	SVIQ.EXE
PID 5040 wrote to memory of 1844	5040	Fun.exe	dc.exe
PID 5040 wrote to memory of 1844	5040	Fun.exe	dc.exe
PID 5040 wrote to memory of 780	5040	Fun.exe	fontdrvhost.exe
PID 5040 wrote to memory of 788	5040	Fun.exe	fontdrvhost.exe
PID 5040 wrote to memory of 1016	5040	Fun.exe	dwm.exe
PID 5040 wrote to memory of 2336	5040	Fun.exe	sihost.exe
PID 5040 wrote to memory of 2376	5040	Fun.exe	svchost.exe
PID 5040 wrote to memory of 2608	5040	Fun.exe	taskhostw.exe
PID 5040 wrote to memory of 2724	5040	Fun.exe	Explorer.EXE
PID 5040 wrote to memory of 3096	5040	Fun.exe	svchost.exe
PID 5040 wrote to memory of 3292	5040	Fun.exe	DllHost.exe
PID 5040 wrote to memory of 3444	5040	Fun.exe	StartMenuExperienceHost.exe
PID 5040 wrote to memory of 3524	5040	Fun.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 3608	5040	Fun.exe	SearchApp.exe
PID 5040 wrote to memory of 3888	5040	Fun.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 4852	5040	Fun.exe	RuntimeBroker.exe
PID 5040 wrote to memory of 780	5040	Fun.exe	fontdrvhost.exe
PID 5040 wrote to memory of 788	5040	Fun.exe	fontdrvhost.exe
PID 5040 wrote to memory of 1016	5040	Fun.exe	dwm.exe
PID 5040 wrote to memory of 2336	5040	Fun.exe	sihost.exe
PID 5040 wrote to memory of 2376	5040	Fun.exe	svchost.exe
PID 5040 wrote to memory of 2608	5040	Fun.exe	taskhostw.exe
PID 5040 wrote to memory of 2724	5040	Fun.exe	Explorer.EXE
PID 5040 wrote to memory of 3096	5040	Fun.exe	svchost.exe
PID 5040 wrote to memory of 3292	5040	Fun.exe	DllHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

Fun.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Fun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
"C:\Users\Admin\AppData\Local\Temp\e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4216

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5040

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\dc.exe
C:\Windows\dc.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

Bypass User Account Control

T1088

Disabling Security Tools