db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe = "0"	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe = "0"	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
Token: SeDebugPrivilege	2192	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2192	2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe	70
PID 2296 wrote to memory of 2192	2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe	70
PID 2296 wrote to memory of 2192	2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe	70
PID 2296 wrote to memory of 2636	2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe	72
PID 2296 wrote to memory of 2636	2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe	72
PID 2296 wrote to memory of 2636	2296	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe	72

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe

C:\Users\Admin\AppData\Local\Temp\db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe
"C:\Users\Admin\AppData\Local\Temp\db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control