Analysis
-
max time kernel
324s -
max time network
338s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2022, 12:47
Static task
static1
Behavioral task
behavioral1
Sample
ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe
Resource
win7-20220812-en
windows7-x64
18 signatures
150 seconds
General
-
Target
ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe
-
Size
100KB
-
MD5
690b0c9dea7093ef855807d69cb8ea84
-
SHA1
c7f104740e62a16cec6739144929fca596e29f7e
-
SHA256
ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9
-
SHA512
af8454c095b73d193ac2219d404b2945f2bd66c715556c5cb74152f69172832b4c728e926f53e6089ee0dccef6694e6c5bc2142380b5808bb321441dc9e66631
-
SSDEEP
3072:PYLUlID+7VvUbc9sPPzm/H0/7non+s7BX:PYolIDEVsbc9CsH0/7mr
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Disables Task Manager via registry modification
-
resource yara_rule behavioral2/memory/1064-133-0x00000000022B0000-0x000000000333E000-memory.dmp upx behavioral2/memory/1064-134-0x00000000022B0000-0x000000000333E000-memory.dmp upx behavioral2/memory/1064-135-0x00000000022B0000-0x000000000333E000-memory.dmp upx -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\L: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\S: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\U: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\V: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\E: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\H: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\M: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\N: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\P: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\Q: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\R: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\T: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\F: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\K: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\X: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\Z: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\O: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\W: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\G: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\J: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened (read-only) \??\Y: ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe Token: SeDebugPrivilege 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1064 wrote to memory of 780 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 79 PID 1064 wrote to memory of 788 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 78 PID 1064 wrote to memory of 60 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 8 PID 1064 wrote to memory of 2748 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 38 PID 1064 wrote to memory of 2772 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 37 PID 1064 wrote to memory of 2832 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 36 PID 1064 wrote to memory of 2420 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 34 PID 1064 wrote to memory of 2816 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 33 PID 1064 wrote to memory of 3240 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 32 PID 1064 wrote to memory of 3340 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 31 PID 1064 wrote to memory of 3404 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 30 PID 1064 wrote to memory of 3496 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 29 PID 1064 wrote to memory of 3688 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 28 PID 1064 wrote to memory of 4652 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 13 PID 1064 wrote to memory of 2148 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 9 PID 1064 wrote to memory of 780 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 79 PID 1064 wrote to memory of 788 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 78 PID 1064 wrote to memory of 60 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 8 PID 1064 wrote to memory of 2748 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 38 PID 1064 wrote to memory of 2772 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 37 PID 1064 wrote to memory of 2832 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 36 PID 1064 wrote to memory of 2420 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 34 PID 1064 wrote to memory of 2816 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 33 PID 1064 wrote to memory of 3240 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 32 PID 1064 wrote to memory of 3340 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 31 PID 1064 wrote to memory of 3404 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 30 PID 1064 wrote to memory of 3496 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 29 PID 1064 wrote to memory of 3688 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 28 PID 1064 wrote to memory of 4652 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 13 PID 1064 wrote to memory of 2148 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 9 PID 1064 wrote to memory of 780 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 79 PID 1064 wrote to memory of 788 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 78 PID 1064 wrote to memory of 60 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 8 PID 1064 wrote to memory of 2748 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 38 PID 1064 wrote to memory of 2772 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 37 PID 1064 wrote to memory of 2832 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 36 PID 1064 wrote to memory of 2420 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 34 PID 1064 wrote to memory of 2816 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 33 PID 1064 wrote to memory of 3240 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 32 PID 1064 wrote to memory of 3340 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 31 PID 1064 wrote to memory of 3404 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 30 PID 1064 wrote to memory of 3496 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 29 PID 1064 wrote to memory of 3688 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 28 PID 1064 wrote to memory of 4652 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 13 PID 1064 wrote to memory of 2148 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 9 PID 1064 wrote to memory of 780 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 79 PID 1064 wrote to memory of 788 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 78 PID 1064 wrote to memory of 60 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 8 PID 1064 wrote to memory of 2748 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 38 PID 1064 wrote to memory of 2772 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 37 PID 1064 wrote to memory of 2832 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 36 PID 1064 wrote to memory of 2420 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 34 PID 1064 wrote to memory of 2816 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 33 PID 1064 wrote to memory of 3240 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 32 PID 1064 wrote to memory of 3340 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 31 PID 1064 wrote to memory of 3404 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 30 PID 1064 wrote to memory of 3496 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 29 PID 1064 wrote to memory of 3688 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 28 PID 1064 wrote to memory of 4264 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 82 PID 1064 wrote to memory of 780 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 79 PID 1064 wrote to memory of 788 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 78 PID 1064 wrote to memory of 60 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 8 PID 1064 wrote to memory of 2748 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 38 PID 1064 wrote to memory of 2772 1064 ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe 37 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:60
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2148
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4652
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3688
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3496
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3404
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3340
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2816
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe"C:\Users\Admin\AppData\Local\Temp\ced3da74164136f7c0954c650a0c99e7eb34f361afa491464c4b0fadc3f87ae9.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1064
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2772
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2748
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4264
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4204