Analysis
max time kernel: 125s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2023, 08:28
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.042751ae71561dd29acecde1ca341ca0.exe
Resource: win7-20231023-en
General
Target: NEAS.042751ae71561dd29acecde1ca341ca0.exe
Size: 339KB
MD5: 042751ae71561dd29acecde1ca341ca0
SHA1: cb22ea843006889a1f70f3782827758dd47b7a7d
SHA256: 1d93c5424957b6caa5f4d731f6130eb63b0b5952f72ad0d6af6c947b12ceb194
SHA512: cc129e94b2678c39bb0ce97c515dbf817448523c05e266bbe8b639391b734d4ba8e7acdef92b04642215415dcfc5cb7825d585c41411c29a37473c391b1bf46d
SSDEEP: 6144:uVHv4NVHC8j8AVhDf6ne8TN3As7+yQlyUuTO1t7:uVHv+izAVhDf6nRTNDOSTet7
Malware Config
Extracted
Family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
(all entries by process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
Windows security bypass
(all entries by process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Windows security modification
(all entries by process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by process NEAS.042751ae71561dd29acecde1ca341ca0.exe: \??\E:, \??\G:, \??\K:, \??\M:, \??\O:, \??\P:, \??\U:, \??\W:, \??\X:, \??\I:, \??\N:, \??\Z:, \??\H:, \??\L:, \??\T:, \??\J:, \??\Q:, \??\S:, \??\V:, \??\Y:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: C:\autorun.inf (process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
- File opened for modification: F:\autorun.inf (process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
Drops file in Program Files directory 11 IoCs
(all files opened for modification by process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
- C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- C:\PROGRAM FILES\7-ZIP\7z.exe
- C:\PROGRAM FILES\7-ZIP\7zFM.exe
- C:\PROGRAM FILES\7-ZIP\7zG.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
Drops file in Windows directory 1 IoCs
- File opened for modification: C:\Windows\SYSTEM.INI (process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
Suspicious behavior: EnumeratesProcesses 24 IoCs
- pid 3396, process NEAS.042751ae71561dd29acecde1ca341ca0.exe (all 24 entries are this one process)
Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege, pid 3396, process NEAS.042751ae71561dd29acecde1ca341ca0.exe (all 64 entries are this one token and process)
Suspicious use of FindShellTrayWindow 1 IoCs
- pid 3396, process NEAS.042751ae71561dd29acecde1ca341ca0.exe
Suspicious use of SendNotifyMessage 1 IoCs
- pid 3396, process NEAS.042751ae71561dd29acecde1ca341ca0.exe
Suspicious use of SetWindowsHookEx 3 IoCs
- pid 3396, process NEAS.042751ae71561dd29acecde1ca341ca0.exe (all 3 entries are this one process)
Suspicious use of WriteProcessMemory 64 IoCs
- PID 3396 (NEAS.042751ae71561dd29acecde1ca341ca0.exe) wrote to the memory of target PIDs 788, 796, 60, 2328, 2344, 2436, 3228, 3388, 3628, 3732, 3832, 3940, 4080, 5052, 532, 1996, 736, 3048, 1268, 2836 and 3208; the 64 entries are repeated writes to these 21 processes, which are listed with their images in the process tree below.
System policy modification 1 TTPs 1 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process NEAS.042751ae71561dd29acecde1ca341ca0.exe)
Processes
- PID 788: C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe"
- PID 60: C:\Windows\system32\dwm.exe, command line: "dwm.exe"
- PID 796: C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe"
- PID 3832: C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 2836: C:\Windows\system32\backgroundTaskHost.exe, command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- PID 1268: C:\Windows\system32\backgroundTaskHost.exe, command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- PID 3048: C:\Windows\system32\backgroundTaskHost.exe, command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
- PID 736: C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1996: C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 532: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 5052: C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4080: C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3940: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3732: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3628: C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3388: C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3228: C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE
  - PID 3396 (child of Explorer.EXE, PID 3228): C:\Users\Admin\AppData\Local\Temp\NEAS.042751ae71561dd29acecde1ca341ca0.exe, command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.042751ae71561dd29acecde1ca341ca0.exe"
    Signatures triggered by this process:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
- PID 2436: C:\Windows\system32\taskhostw.exe, command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 2344: C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2328: C:\Windows\system32\sihost.exe, command line: sihost.exe
- PID 3208: C:\Windows\system32\BackgroundTaskHost.exe, command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
- PID 1448: C:\Windows\system32\backgroundTaskHost.exe, command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- PID 3860: C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1472: C:\Windows\system32\BackgroundTransferHost.exe, command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 100KB
MD5: 069195d04c43dcda7b3b032cf496639f
SHA1: 53128a8063509cf00d8d79ce3a64e7ba1d8978e2
SHA256: 1a33b374a6cf28290e684e922b6e424395724ee82e3db856f3b016e66507062c
SHA512: c542a454031ee694b2ebfa7919f7dab35753b5a135068881aac4840d339304802c036c58eadd10a0c7d91185114d45c286233d4c20403a405ab253cbfed053c7