Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
20/07/2023, 18:51
Static task
static1
1 signatures
General
-
Target
b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe
-
Size
12.1MB
-
MD5
9f84cf13bf08eb24ece2f9d241b2c653
-
SHA1
b609811f96c4cdd989b07dde352c0112de129dca
-
SHA256
b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce
-
SHA512
693299ec0c4bc514dcc42ae674de32c9a5be1ccde8ed41e91dda6f015046abb47472042c09ce0d4cf7982bff382e1a14a28942ce0079c125a35363a00356f020
-
SSDEEP
393216:xZyUH+5MD1W5uKLIg56cMTVZ8b6InE842w:xZyUH+5MD1W5uKLIg56cMTVZ8b6IE84T
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
resource yara_rule behavioral1/memory/4780-136-0x00000000036E0000-0x000000000476E000-memory.dmp upx behavioral1/memory/4780-138-0x00000000036E0000-0x000000000476E000-memory.dmp upx behavioral1/memory/4780-140-0x00000000036E0000-0x000000000476E000-memory.dmp upx behavioral1/memory/4780-145-0x00000000036E0000-0x000000000476E000-memory.dmp upx behavioral1/memory/4780-146-0x00000000036E0000-0x000000000476E000-memory.dmp upx behavioral1/memory/4780-147-0x00000000036E0000-0x000000000476E000-memory.dmp upx behavioral1/memory/4780-148-0x00000000036E0000-0x000000000476E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1904 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe Token: SeDebugPrivilege 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe 1904 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4780 wrote to memory of 784 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 5 PID 4780 wrote to memory of 792 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 77 PID 4780 wrote to memory of 1012 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 74 PID 4780 wrote to memory of 2416 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 45 PID 4780 wrote to memory of 2452 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 44 PID 4780 wrote to memory of 2676 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 37 PID 4780 wrote to memory of 3216 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 34 PID 4780 wrote to memory of 3360 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 33 PID 4780 wrote to memory of 3556 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 32 PID 4780 wrote to memory of 3704 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 31 PID 4780 wrote to memory of 3824 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 7 PID 4780 wrote to memory of 3912 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 30 PID 4780 wrote to memory of 4016 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 29 PID 4780 wrote to memory of 4872 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 16 PID 4780 wrote to memory of 4960 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 15 PID 4780 wrote to memory of 764 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 9 PID 4780 wrote to memory of 3856 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 8 PID 4780 wrote to memory of 3068 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 82 PID 4780 wrote to memory of 3804 4780 b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe 84 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3824
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3856
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:764
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4960
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4872
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4016
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3912
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3704
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3556
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3360
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe"C:\Users\Admin\AppData\Local\Temp\b3772d8e8eb2a4032704616f5c0ea09623ffa7a67e921851a10f6fcb73ad70ce.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4780
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2452
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2416
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1012
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3068
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵PID:3804
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5