sality | b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57

Analysis

max time kernel
129s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Size

677KB
MD5

d76f879d4297e83d3c5728470e260d7a
SHA1

b212494b33bf993769ff0c32a47caa706ae6285d
SHA256

b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57
SHA512

6141f651bc32bb342f2b05e4ecad310f975297b0911adf069d802cb09a11a184ee850e210efa6964f421929c797e5eb8aa1115cbd4c5cede6205ec65f0127867
SSDEEP

12288:23TdtLW5WIj1YSSdFxDBSXYMzBUWb9lx/9AgHLo8OW+rBQeh8RVG:gDsj1dEzBc/9nPx/igrp+18RE

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe regsvr.exe"	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Disables Task Manager via registry modification
evasion

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3444-133-0x0000000003500000-0x0000000004530000-memory.dmp	upx
behavioral2/memory/3444-134-0x0000000003500000-0x0000000004530000-memory.dmp	upx
behavioral2/memory/3444-137-0x0000000003500000-0x0000000004530000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Msn Messsenger = "C:\\Windows\\system32\\regsvr.exe"	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\i:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\j:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\l:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\n:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\t:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\x:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\b:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\g:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\q:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\u:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\y:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\e:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\k:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\p:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\w:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\z:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\a:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\f:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\m:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\o:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\r:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\s:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened (read-only)	\??\v:	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3444-140-0x0000000000400000-0x0000000000519000-memory.dmp	autoit_exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\svchost.001	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\Windows\SysWOW64\28463\svchost.001	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File created	C:\Windows\SysWOW64\svchost .exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\Windows\SysWOW64\setup.ini	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\Windows\SysWOW64\28463	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File created	C:\Windows\SysWOW64\regsvr.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\Windows\SysWOW64\regsvr.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\Windows\SysWOW64\svchost .exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\WINDOWS\SysWOW64\REGSVR.EXE	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File created	C:\Windows\SysWOW64\setting.ini	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\Windows\SysWOW64\setting.ini	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\regsvr.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File opened for modification	C:\Windows\SYSTEM.INI	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
File created	C:\Windows\regsvr.exe	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
Token: SeDebugPrivilege	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 780	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	8
PID 3444 wrote to memory of 784	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	9
PID 3444 wrote to memory of 312	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	12
PID 3444 wrote to memory of 2500	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	77
PID 3444 wrote to memory of 2648	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	47
PID 3444 wrote to memory of 2868	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	48
PID 3444 wrote to memory of 2220	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	49
PID 3444 wrote to memory of 2668	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	74
PID 3444 wrote to memory of 3252	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	50
PID 3444 wrote to memory of 3356	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	73
PID 3444 wrote to memory of 3420	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	51
PID 3444 wrote to memory of 3500	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	52
PID 3444 wrote to memory of 3712	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	53
PID 3444 wrote to memory of 4708	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	55
PID 3444 wrote to memory of 4828	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	81
PID 3444 wrote to memory of 4828	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	81
PID 3444 wrote to memory of 4828	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	81
PID 4828 wrote to memory of 4472	4828	cmd.exe	83
PID 4828 wrote to memory of 4472	4828	cmd.exe	83
PID 4828 wrote to memory of 4472	4828	cmd.exe	83
PID 3444 wrote to memory of 780	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	8
PID 3444 wrote to memory of 784	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	9
PID 3444 wrote to memory of 312	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	12
PID 3444 wrote to memory of 2500	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	77
PID 3444 wrote to memory of 2648	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	47
PID 3444 wrote to memory of 2868	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	48
PID 3444 wrote to memory of 2220	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	49
PID 3444 wrote to memory of 2668	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	74
PID 3444 wrote to memory of 3252	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	50
PID 3444 wrote to memory of 3356	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	73
PID 3444 wrote to memory of 3420	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	51
PID 3444 wrote to memory of 3500	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	52
PID 3444 wrote to memory of 3712	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	53
PID 3444 wrote to memory of 4708	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	55
PID 3444 wrote to memory of 4828	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	81
PID 3444 wrote to memory of 4828	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	81
PID 3444 wrote to memory of 4892	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	82
PID 3444 wrote to memory of 4472	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	83
PID 3444 wrote to memory of 4472	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	83
PID 3444 wrote to memory of 1504	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	84
PID 3444 wrote to memory of 1504	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	84
PID 3444 wrote to memory of 1504	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	84
PID 1504 wrote to memory of 1264	1504	cmd.exe	86
PID 1504 wrote to memory of 1264	1504	cmd.exe	86
PID 1504 wrote to memory of 1264	1504	cmd.exe	86
PID 3444 wrote to memory of 780	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	8
PID 3444 wrote to memory of 784	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	9
PID 3444 wrote to memory of 312	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	12
PID 3444 wrote to memory of 2500	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	77
PID 3444 wrote to memory of 2648	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	47
PID 3444 wrote to memory of 2868	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	48
PID 3444 wrote to memory of 2220	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	49
PID 3444 wrote to memory of 2668	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	74
PID 3444 wrote to memory of 3252	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	50
PID 3444 wrote to memory of 3356	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	73
PID 3444 wrote to memory of 3420	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	51
PID 3444 wrote to memory of 3500	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	52
PID 3444 wrote to memory of 3712	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	53
PID 3444 wrote to memory of 4708	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	55
PID 3444 wrote to memory of 780	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	8
PID 3444 wrote to memory of 784	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	9
PID 3444 wrote to memory of 312	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	12
PID 3444 wrote to memory of 2500	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	77
PID 3444 wrote to memory of 2648	3444	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe	47

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2648

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2868

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe
  "C:\Users\Admin\AppData\Local\Temp\b6054c17ab42bb979459e1e0c59402de0c741b4f8356708f1da59aa51df7fe57.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
      4⤵
      PID:1264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2668

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3444-132-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3444-133-0x0000000003500000-0x0000000004530000-memory.dmp

Filesize
16.2MB

Download
memory/3444-134-0x0000000003500000-0x0000000004530000-memory.dmp

Filesize
16.2MB

Download
memory/3444-137-0x0000000003500000-0x0000000004530000-memory.dmp

Filesize
16.2MB

Download
memory/3444-140-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download