6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Windows security bypass 2 TTPs 5 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Security Center\svc	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\svc	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\B9C0F28B42A1C2150000B9C038CFC6D2 = "C:\\ProgramData\\B9C0F28B42A1C2150000B9C038CFC6D2\\B9C0F28B42A1C2150000B9C038CFC6D2.exe"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Program crash 13 IoCs

pid	pid_target	Process	procid_target
4940	2200	WerFault.exe	79
2576	2200	WerFault.exe	79
2664	2200	WerFault.exe	79
1728	2200	WerFault.exe	79
2044	2200	WerFault.exe	79
4444	2200	WerFault.exe	79
2040	2200	WerFault.exe	79
740	2200	WerFault.exe	79
800	2200	WerFault.exe	79
260	2200	WerFault.exe	79
3316	2200	WerFault.exe	79
4276	2200	WerFault.exe	79
1580	2200	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
2200	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe

C:\Users\Admin\AppData\Local\Temp\6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe
"C:\Users\Admin\AppData\Local\Temp\6f48aaebb4a87f1736a4cc312a4373a4f2615f5cdf74fe25c83cbe9c5002f893.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 540
  2⤵
  - Program crash
  PID:4940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 672
  2⤵
  - Program crash
  PID:2576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 728
  2⤵
  - Program crash
  PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 736
  2⤵
  - Program crash
  PID:1728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 740
  2⤵
  - Program crash
  PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 732
  2⤵
  - Program crash
  PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 700
  2⤵
  - Program crash
  PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 844
  2⤵
  - Program crash
  PID:740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1020
  2⤵
  - Program crash
  PID:800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1020
  2⤵
  - Program crash
  PID:260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1376
  2⤵
  - Program crash
  PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 876
  2⤵
  - Program crash
  PID:4276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 824
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2200 -ip 2200
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2200 -ip 2200
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2200 -ip 2200
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2200 -ip 2200
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2200 -ip 2200
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2200 -ip 2200
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2200 -ip 2200
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2200 -ip 2200
1⤵
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2200 -ip 2200
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2200 -ip 2200
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2200 -ip 2200
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2200 -ip 2200
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2200 -ip 2200
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry