Analysis

max time kernel: 122s
max time network: 149s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2022, 06:58
Static task: static1
Behavioral task: behavioral1
Sample: f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Resource: win7-20220901-en
General

Target: f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Size: 163KB
MD5: d08d52bdf02d0713ea0e6a214e2dc3bd
SHA1: b768f860a79d043201d4972ec7a1252f2a0cf5cb
SHA256: f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa
SHA512: 5fbb0f1a1ad82d1e425063510450eb841d18a532919f21c2859666ce3d4cd37d5b226c4d2ba06bbd01004e2fe061123350e381675fc633838f029c65521a58a2
SSDEEP: 1536:gUrXj+NCKzCkn+gCOeAfE79QFhK6LyyDihhdhyJEsbc0I1zhU:1T+RR+gVC79QFg6LjOhno80V
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe

resource | yara_rule
behavioral1/memory/2016-55-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/2016-57-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/2016-59-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000070ea5c28cf5bacb0cae019b1e351db67c6f090b779356f161741710b8a6e7350000000000e8000000002000020000000a7e20e6b6892a71796e29312d7614317cdf4473c4d99d64411623db305f4aba520000000739a2fc9efcab747d5401bef868a7af6f7820fa9f1c189863ad9e96f1da15e604000000068a258d318c6b8c5fe8da1367664909476e7818dac03c4a7b138bff4c309b2d55117cb9277fe8c8b992a567da2361e78a4e899aeb0769d46550fdb4b0efabdc0 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net\ = "22" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\doubleclick.net | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\Total = "1614" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1666" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\Total = "3189" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net\ = "1527" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1556" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net\ = "3182" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\doubleclick.net\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\Total = "22" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\Total = "3150" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\Total = "3182" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3150" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1582" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E667ACB1-709A-11ED-AD72-5E7A81A7298C} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d04ac3a704d901 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "786" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1527" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net\ = "1666" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3189" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376569587" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net\ = "3150" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\Total = "1582" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net\ = "3189" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\NumberOfSubdomains = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkzb.net\Total = "786" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.linkzb.net\ = "1614" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe

Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
(the same row is recorded 19 times)

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
764 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
764 | iexplore.exe
764 | iexplore.exe
1108 | IEXPLORE.EXE
1108 | IEXPLORE.EXE
1108 | IEXPLORE.EXE
1108 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2016 wrote to memory of 1244 | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe | 7
PID 2016 wrote to memory of 1332 | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe | 6
PID 2016 wrote to memory of 1368 | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe | 5
PID 2016 wrote to memory of 764 | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe | 26
PID 2016 wrote to memory of 764 | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe | 26
PID 2016 wrote to memory of 764 | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe | 26
PID 2016 wrote to memory of 764 | 2016 | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe | 26
PID 764 wrote to memory of 1108 | 764 | iexplore.exe | 28
PID 764 wrote to memory of 1108 | 764 | iexplore.exe | 28
PID 764 wrote to memory of 1108 | 764 | iexplore.exe | 28
PID 764 wrote to memory of 1108 | 764 | iexplore.exe | 28

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1368

  C:\Users\Admin\AppData\Local\Temp\f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7d9684727bcca55acb2d5d46031da3c7c891f4f0a4d1672bdd09fa228fc59fa.exe"
    PID: 2016
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.linkzb.com/
      PID: 764
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
        PID: 1108
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1332

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1244
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d100a42f1c2eb8a9294f9572e1687165
SHA1: 0d06a7dd004022d4385cfe25447cf5bd5c7d6ded
SHA256: 83483ad0ee96464107b3dc04b5759b79e21fedb15c7c0e81be9a4d5f710e996d
SHA512: ce34377d87c31788b93983daccb41a65f2d16a3d0da1dca23fcecf7e734561bd152059421f6a2485ad76e01a90cdc3de6b9261aec63ffc2096e661e8845688f4

Filesize: 608B
MD5: 682b63dff2625db0dfb47cadfb29e2b3
SHA1: d920f85b03b269b4a1dfa317cf1bd183d68fc713
SHA256: 406c3543cd542fdb14676a2856a06dc79bef0b43755cd50aef46d43a2df0dd0d
SHA512: 9cd375d0e032f937b57175532561b452f6f6c53f5a3da6aeeaa0ec6e6ab6987a8a91ee3cec80d8221fca6e2f5cdbf8f1cfde0a15821904c12a71725b8901c79a