Analysis
max time kernel: 163s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 20:33
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe
Resource: win7-20230831-en
General
Target: NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe
Size: 97KB
MD5: a6485b363a4a8ebbdbcaeb5c98a6f1b0
SHA1: 2000953815a7c1dd63a127b28a49f22498ede722
SHA256: 1c9985f4be65c90fc2481ea33700e56a69e7e437d5fe6f402ffd07976ccac703
SHA512: 0e32779bdd53eeede1f0d4853d99205ff4ac5a27a5d314b4c939234a310731170f6e8cbaaad64b06e9300b18d2f96d90ec84943caf5368c1cf78c8ed7ee875ae
SSDEEP: 1536:R9URRrA6nOgJLndR4jOc5w5NPnqfedhZEseDsffRnvylU+5f1+PTwgQiHb:6q6nVdZ+KnqGdhZE9IfpKlxN18TwgQ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
UAC bypass
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Windows security bypass
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Windows security modification
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Checks whether UAC is enabled
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\Q: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\S: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\U: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\W: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\Z: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\K: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\N: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\L: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\M: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\X: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\H: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\I: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\T: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\G: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\O: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\P: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\R: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\V: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\Y: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\E: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened (read-only) | \??\J: | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
| description | ioc | Process |
|---|---|---|
| File opened for modification | F:\autorun.inf | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\autorun.inf | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Drops file in Program Files directory 11 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Drops file in Windows directory 2 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\e58c3b8 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Suspicious behavior: EnumeratesProcesses 24 IoCs
| pid | Process |
|---|---|
| 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
(the same entry is listed 24 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
(the same entry is listed 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4632 wrote to memory of 804 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 8 |
| PID 4632 wrote to memory of 812 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 14 |
| PID 4632 wrote to memory of 384 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 11 |
| PID 4632 wrote to memory of 2300 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 39 |
| PID 4632 wrote to memory of 2312 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 38 |
| PID 4632 wrote to memory of 2440 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 35 |
| PID 4632 wrote to memory of 3164 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 52 |
| PID 4632 wrote to memory of 3336 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 53 |
| PID 4632 wrote to memory of 3532 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 56 |
| PID 4632 wrote to memory of 3748 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 57 |
| PID 4632 wrote to memory of 3812 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 58 |
| PID 4632 wrote to memory of 3896 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 84 |
| PID 4632 wrote to memory of 3404 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 59 |
| PID 4632 wrote to memory of 4748 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 82 |
| PID 4632 wrote to memory of 3864 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 77 |
| PID 4632 wrote to memory of 1464 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 73 |
| PID 4632 wrote to memory of 1320 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 68 |
| PID 4632 wrote to memory of 4140 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 69 |
| PID 4632 wrote to memory of 2260 | 4632 | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | 90 |
(the listed writes recur in repeated rounds; 64 entries in total)
System policy modification 1 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe |
Processes
(path | command line | PID; the indented entry is a child of the process above it)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:812
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2440
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2312
C:\Windows\system32\sihost.exe | sihost.exe | PID:2300
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3164
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.a6485b363a4a8ebbdbcaeb5c98a6f1b0.exe" | PID:4632
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3336
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3532
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3748
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3812
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3404
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:1320
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4140
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID:1464
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3864
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4748
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3896
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2260
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1244
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:3248
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2392
C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID:2244
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 43ca35a7dd8193b942a7261ef584c1a7
SHA1: 580fc5a49b8be0cd1e88a00f1b976a3081ba7630
SHA256: 0594b4ab76a783cbb901a13675cb702d9d4e18eece4c0ad8adc2c9d21a9da729
SHA512: 507266fd999f69f32f6e27b1cad604461a214ec254fafc04801cac06b3a2ba7686c55f31e2242339d03a49a50265bc1be6a4d38fd4181b8d36f858bde0fdb5e7