Analysis

max time kernel: 185s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 00:18

Static task: static1
Behavioral task: behavioral1
Sample: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Resource: win7-20221111-en

General

Target: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Size: 356KB
MD5: 168048d4468475733d83da3ebd2de086
SHA1: 1a6b91f3eaf8a81a5a4a97a45110c77f1d90cadf
SHA256: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc
SHA512: 44113b8518ef4c59acc1f690a6dcd5ae8dad4e9878f1f3d7cbaea5952a0bba9b1acc703d9a3f3fa111594fe9aec6054e136efd4e224aba006a6ec3ff278104b5
SSDEEP: 6144:5Ec0f7XP+g3AGJpWVzunhYrgns+XuCKnvmb7/D263VAPL8R8FUjcWMHu9tmuE79m:R27/XvLWpuhogns+XuCKnvmb7/D263Qq
Malware Config

Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: pbruif.exe, 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pbruif.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Disables RegEdit via registry modification (1 IoC)
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
Processes: pbruif.exe
pid | process
4944 | pbruif.exe
Modifies Windows Firewall (1 TTP, 1 IoC)

Processes:
resource | yara_rule
behavioral2/memory/2512-133-0x0000000002C20000-0x0000000003C53000-memory.dmp | upx
behavioral2/memory/2512-137-0x0000000002C20000-0x0000000003C53000-memory.dmp | upx
behavioral2/memory/2512-144-0x0000000002C20000-0x0000000003C53000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Adds Run key to start application (2 TTPs, 54 IoCs)
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Drops file in Program Files directory (11 IoCs)
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Drops file in Windows directory (1 IoC)
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe, pbruif.exe
pid | process
2512 | 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
4944 | pbruif.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification 1 TTPs 1 IoCs
Processes:
476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
-
C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
-
C:\Windows\system32\dwm.exe   "dwm.exe"
-
C:\Windows\system32\sihost.exe   sihost.exe
-
C:\Windows\system32\taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\Explorer.EXE   C:\Windows\Explorer.EXE
-
  C:\Users\Admin\AppData\Local\Temp\476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe   "C:\Users\Admin\AppData\Local\Temp\476ae9f56ae458a9feec9a5f59133aee194a5855e4e71b2617355aec225d20cc.exe"
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  -
    C:\Windows\SysWOW64\netsh.exe   netsh firewall set opmode disable
    - Modifies Windows Firewall
    -
    C:\Users\Admin\pbruif.exe   "C:\Users\Admin\pbruif.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    -
    C:\Windows\SysWOW64\NOTEPAD.EXE   "C:\Windows\system32\NOTEPAD.EXE"
    -
    C:\Windows\SysWOW64\NOTEPAD.EXE   "C:\Windows\system32\NOTEPAD.EXE"
-
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
-
C:\Windows\system32\DllHost.exe   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\pbruif.exe
Filesize
356KB
MD5 b108d641d8fb7a9b725412ed89fc9f28
SHA1 4d6600486408c045fb01e32a4f6a42b9e130416c
SHA256 63d8f2ba96055a40c93db325fa059510ce7725ee4a7b4d7a658a6f6f1ca2a9ca
SHA512 ddec8e34bb3ed1b641df96a2c32ccb14b1df93d7f8a546d1a295aadb7e534a1e5ae292158d27ae3a4a6e351e48e92cc6d670acf003f9e4158a420472d862a523
-
memory/616-145-0x0000000000000000-mapping.dmp
-
memory/616-146-0x0000000000CC0000-0x0000000000CD7000-memory.dmp
Filesize
92KB
-
memory/2500-136-0x0000000000000000-mapping.dmp
-
memory/2512-137-0x0000000002C20000-0x0000000003C53000-memory.dmp
Filesize
16.2MB
-
memory/2512-133-0x0000000002C20000-0x0000000003C53000-memory.dmp
Filesize
16.2MB
-
memory/2512-144-0x0000000002C20000-0x0000000003C53000-memory.dmp
Filesize
16.2MB
-
memory/2512-132-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2512-149-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/4584-147-0x0000000000000000-mapping.dmp
-
memory/4584-148-0x00000000006D0000-0x00000000006E7000-memory.dmp
Filesize
92KB
-
memory/4944-138-0x0000000000000000-mapping.dmp
-
memory/4944-143-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/4944-150-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB