57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe = "0"	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WyA9Xo3cAhz8YAZ9gPKn8Klu.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6B1m7gbRFpA3Pke657ScEkkd.bat	AddInProcess32.exe

Executes dropped EXE 2 IoCs

pid	Process
4460	zr5sRGhrwh1tdWOqycn3RnRi.exe
1224	Broom.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe = "0"	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
Token: SeDebugPrivilege	980	AddInProcess32.exe
Token: SeDebugPrivilege	1296	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1224	Broom.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 1296	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	71
PID 4224 wrote to memory of 1296	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	71
PID 4224 wrote to memory of 1296	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	71
PID 4224 wrote to memory of 2084	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	73
PID 4224 wrote to memory of 2084	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	73
PID 4224 wrote to memory of 2084	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	73
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 4224 wrote to memory of 980	4224	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe	74
PID 980 wrote to memory of 4460	980	AddInProcess32.exe	75
PID 980 wrote to memory of 4460	980	AddInProcess32.exe	75
PID 980 wrote to memory of 4460	980	AddInProcess32.exe	75
PID 4460 wrote to memory of 1224	4460	zr5sRGhrwh1tdWOqycn3RnRi.exe	76
PID 4460 wrote to memory of 1224	4460	zr5sRGhrwh1tdWOqycn3RnRi.exe	76
PID 4460 wrote to memory of 1224	4460	zr5sRGhrwh1tdWOqycn3RnRi.exe	76

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe

C:\Users\Admin\AppData\Local\Temp\57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe
"C:\Users\Admin\AppData\Local\Temp\57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\57a7963f89e7bc17d95510a7e6932bc8bd519a29cf5b249442d58c72c385ab51.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\Pictures\zr5sRGhrwh1tdWOqycn3RnRi.exe
    "C:\Users\Admin\Pictures\zr5sRGhrwh1tdWOqycn3RnRi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry