bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Windows security bypass 2 TTPs 5 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Security Center\svc	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\svc	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2F51B710BCCEC47700002F5187C3C90B = "C:\\ProgramData\\2F51B710BCCEC47700002F5187C3C90B\\2F51B710BCCEC47700002F5187C3C90B.exe"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4844	4988	WerFault.exe	78
1416	4988	WerFault.exe	78
3576	4988	WerFault.exe	78
3484	4988	WerFault.exe	78
1772	4988	WerFault.exe	78
852	4988	WerFault.exe	78
3928	4988	WerFault.exe	78
904	4988	WerFault.exe	78
4808	4988	WerFault.exe	78
1424	4988	WerFault.exe	78
3188	4988	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
4988	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe

C:\Users\Admin\AppData\Local\Temp\bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe
"C:\Users\Admin\AppData\Local\Temp\bfe75fdc9fe6b5de80cc18bd11f943b4d18172e37ddb6fc7170c8e9f126e2aab.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 536
  2⤵
  - Program crash
  PID:4844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 548
  2⤵
  - Program crash
  PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 680
  2⤵
  - Program crash
  PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 548
  2⤵
  - Program crash
  PID:3484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 768
  2⤵
  - Program crash
  PID:1772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 776
  2⤵
  - Program crash
  PID:852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 548
  2⤵
  - Program crash
  PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 548
  2⤵
  - Program crash
  PID:904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 852
  2⤵
  - Program crash
  PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1096
  2⤵
  - Program crash
  PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1116
  2⤵
  - Program crash
  PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4988 -ip 4988
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4988 -ip 4988
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4988 -ip 4988
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4988 -ip 4988
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4988 -ip 4988
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4988 -ip 4988
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4988 -ip 4988
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4988 -ip 4988
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4988 -ip 4988
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4988 -ip 4988
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4988 -ip 4988
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry