Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
186s -
max time network
205s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29/11/2022, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe
Resource
win7-20221111-en
windows7-x64
18 signatures
150 seconds
General
-
Target
d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe
-
Size
100KB
-
MD5
9f2e443e678fc29b82249dcbe47e3383
-
SHA1
e20ba679de307f537aba52c4a05e257e62be0850
-
SHA256
d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf
-
SHA512
a4ffa9c189f3d53ffa8b15c99b3d980ebda2fb10c1e84b467b6008b9d71423941ae0ef31ea96965b6d8fd16eda9a7de72bba7cfa5df4b1da24da22f4e6d3c80b
-
SSDEEP
3072:caVpAgy+0N+nL2A99HT8vf7bXpRDFjIE:OG08nSA99HT8LbZp
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Disables Task Manager via registry modification
-
resource yara_rule behavioral2/memory/4224-133-0x0000000002340000-0x00000000033CE000-memory.dmp upx behavioral2/memory/4224-134-0x0000000002340000-0x00000000033CE000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\F: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\H: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\J: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\T: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\W: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\G: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\K: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\O: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\R: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\E: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\I: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\P: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\Z: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\S: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\U: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\V: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\L: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\M: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\N: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened (read-only) \??\Q: d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\CheckpointSwitch.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe Token: SeDebugPrivilege 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4224 wrote to memory of 764 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 8 PID 4224 wrote to memory of 768 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 14 PID 4224 wrote to memory of 1004 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 9 PID 4224 wrote to memory of 2444 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 20 PID 4224 wrote to memory of 2460 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 56 PID 4224 wrote to memory of 2548 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 53 PID 4224 wrote to memory of 2176 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 48 PID 4224 wrote to memory of 2620 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 47 PID 4224 wrote to memory of 3216 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 46 PID 4224 wrote to memory of 3312 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 45 PID 4224 wrote to memory of 3372 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 44 PID 4224 wrote to memory of 3452 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 43 PID 4224 wrote to memory of 3708 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 42 PID 4224 wrote to memory of 4692 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 39 PID 4224 wrote to memory of 3044 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 25 PID 4224 wrote to memory of 4196 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 24 PID 4224 wrote to memory of 4856 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 23 PID 4224 wrote to memory of 764 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 8 PID 4224 wrote to memory of 768 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 14 PID 4224 wrote to memory of 1004 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 9 PID 4224 wrote to memory of 2444 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 20 PID 4224 wrote to memory of 2460 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 56 PID 4224 wrote to memory of 2548 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 53 PID 4224 wrote to memory of 2176 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 48 PID 4224 wrote to memory of 2620 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 47 PID 4224 wrote to memory of 3216 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 46 PID 4224 wrote to memory of 3312 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 45 PID 4224 wrote to memory of 3372 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 44 PID 4224 wrote to memory of 3452 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 43 PID 4224 wrote to memory of 3708 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 42 PID 4224 wrote to memory of 4692 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 39 PID 4224 wrote to memory of 4196 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 24 PID 4224 wrote to memory of 4856 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 23 PID 4224 wrote to memory of 2020 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 82 PID 4224 wrote to memory of 764 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 8 PID 4224 wrote to memory of 768 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 14 PID 4224 wrote to memory of 1004 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 9 PID 4224 wrote to memory of 2444 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 20 PID 4224 wrote to memory of 2460 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 56 PID 4224 wrote to memory of 2548 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 53 PID 4224 wrote to memory of 2176 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 48 PID 4224 wrote to memory of 2620 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 47 PID 4224 wrote to memory of 3216 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 46 PID 4224 wrote to memory of 3312 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 45 PID 4224 wrote to memory of 3372 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 44 PID 4224 wrote to memory of 3452 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 43 PID 4224 wrote to memory of 3708 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 42 PID 4224 wrote to memory of 4692 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 39 PID 4224 wrote to memory of 4196 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 24 PID 4224 wrote to memory of 4856 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 23 PID 4224 wrote to memory of 2020 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 82 PID 4224 wrote to memory of 764 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 8 PID 4224 wrote to memory of 768 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 14 PID 4224 wrote to memory of 1004 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 9 PID 4224 wrote to memory of 2444 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 20 PID 4224 wrote to memory of 2460 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 56 PID 4224 wrote to memory of 2548 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 53 PID 4224 wrote to memory of 2176 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 48 PID 4224 wrote to memory of 2620 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 47 PID 4224 wrote to memory of 3216 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 46 PID 4224 wrote to memory of 3312 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 45 PID 4224 wrote to memory of 3372 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 44 PID 4224 wrote to memory of 3452 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 43 PID 4224 wrote to memory of 3708 4224 d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe 42 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:764
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1004
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:768
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2444
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4856
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4196
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:3044
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4692
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3708
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3452
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3372
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3312
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2620
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe"C:\Users\Admin\AppData\Local\Temp\d1c52604fd51810956b6086ee4fd4cdbf43f5809eb150cc1818f45d0cbc9aeaf.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4224
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2548
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2460
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:2020
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1572
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1280
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:3320