Analysis
- max time kernel: 137s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2023 07:53

Behavioral task: behavioral1
- Sample: d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
- Resource: win7-20231020-en
General
- Target: d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
- Size: 3.4MB
- MD5: 2e279d8065a6439d0888f95d4bce7823
- SHA1: 2a9cca07338df19a2ddc03b60a646aa09feb22aa
- SHA256: d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e
- SHA512: ffe840b279c1b14dda668c5e96677f4c3f626b7c65ec0372d3f7645d039e0509f41df9c731ef6d3553e1a843a8372b2dabff2722a4ff29cb33e87fe8b1507a64
- SSDEEP: 98304:1Tu5HMvw5LCe9YqjQ2kvV3zwjCeB0RbAZwNt2On:YMvxeq4Q2kvV38jCt8mLb
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe

resource | yara_rule
behavioral2/memory/380-0-0x0000000000400000-0x0000000000AF1000-memory.dmp | upx
behavioral2/memory/380-1-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-3-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-4-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-8-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-9-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-10-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-11-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-13-0x0000000000400000-0x0000000000AF1000-memory.dmp | upx
behavioral2/memory/380-12-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-19-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-21-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-22-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-23-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-24-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-25-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-26-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-28-0x0000000000400000-0x0000000000AF1000-memory.dmp | upx
behavioral2/memory/380-29-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-30-0x0000000000400000-0x0000000000AF1000-memory.dmp | upx
behavioral2/memory/380-31-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-32-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-37-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-41-0x0000000000400000-0x0000000000AF1000-memory.dmp | upx
behavioral2/memory/380-40-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-47-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-48-0x0000000000400000-0x0000000000AF1000-memory.dmp | upx
behavioral2/memory/380-49-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-50-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-52-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-54-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-56-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-59-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-63-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-65-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-67-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-69-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-71-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-81-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-83-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-86-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-88-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx
behavioral2/memory/380-90-0x0000000003C80000-0x0000000004D3A000-memory.dmp | upx

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\Y: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\Z: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\H: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\M: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\V: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\W: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\J: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\R: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\L: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\O: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\U: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\E: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\G: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\I: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\K: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\T: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\N: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\P: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\Q: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened (read-only) | \??\S: | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/380-13-0x0000000000400000-0x0000000000AF1000-memory.dmp | autoit_exe
behavioral2/memory/380-28-0x0000000000400000-0x0000000000AF1000-memory.dmp | autoit_exe
behavioral2/memory/380-30-0x0000000000400000-0x0000000000AF1000-memory.dmp | autoit_exe
behavioral2/memory/380-41-0x0000000000400000-0x0000000000AF1000-memory.dmp | autoit_exe
behavioral2/memory/380-48-0x0000000000400000-0x0000000000AF1000-memory.dmp | autoit_exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | F:\autorun.inf | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\CloseLock.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e580422 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
File opened for modification | C:\Windows\SYSTEM.INI | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe (24 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 380 wrote to memory of 780 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 13
PID 380 wrote to memory of 784 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 12
PID 380 wrote to memory of 344 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 8
PID 380 wrote to memory of 2364 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 40
PID 380 wrote to memory of 2376 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 39
PID 380 wrote to memory of 2472 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 38
PID 380 wrote to memory of 3168 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 69
PID 380 wrote to memory of 3472 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 68
PID 380 wrote to memory of 3696 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 67
PID 380 wrote to memory of 3788 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 66
PID 380 wrote to memory of 3916 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 43
PID 380 wrote to memory of 4016 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 65
PID 380 wrote to memory of 4104 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 64
PID 380 wrote to memory of 4848 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 62
PID 380 wrote to memory of 4876 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 52
PID 380 wrote to memory of 1428 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 46
PID 380 wrote to memory of 4260 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 45
PID 380 wrote to memory of 3992 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 85
PID 380 wrote to memory of 4896 | 380 | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | 86
(the 64 recorded entries cycle through these 19 target processes in repeated passes)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe
Processes
path | command line | PID
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:344
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2472
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2376
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2364
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3916
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4260
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:1428
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4876
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4848
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4104
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4016
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3788
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3696
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3472
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3168
  - C:\Users\Admin\AppData\Local\Temp\d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe | "C:\Users\Admin\AppData\Local\Temp\d55262e2fdec8014c394d5e6686ad94b029243c96390d40f9404c7f2c82f0f9e.exe" | PID:380
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3992
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4896
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID:1132
- C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID:3208
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Create or Modify System Process: 1
- Windows Service: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Impair Defenses: 3
- Disable or Modify Tools: 3
- Modify Registry: 5
Downloads
- Filesize: 97KB
- MD5: 05139aaafa8795f2be2c7a5279a2997f
- SHA1: dc5b94b2fe06c3f14e0479ab082954615a4a79df
- SHA256: 51bdaf56a9af5c8194e91ded2e2a4e90ac6b15221110f0c3a64b12afff099f76
- SHA512: ab7505b5aba13c1ef8e0c67f1596302d99250adef7db4aa2e004bd0f903617691ac7df9b82545ad7d3705d5f658a33e52b0456b3a49a42c60f3c5787db770ab6