Analysis
- max time kernel: 117s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 10:19

Static task: static1
Behavioral task: behavioral1
- Sample: 16b76886a277b914372d8ad3da50f511.exe
- Resource: win7-20231215-en
General
- Target: 16b76886a277b914372d8ad3da50f511.exe
- Size: 520KB
- MD5: 16b76886a277b914372d8ad3da50f511
- SHA1: 375fd05f0ecfb36884ebf80aa951738e44b9481f
- SHA256: 33001f3175b74bd653f9e2cd2aafeb280820b8778d71f4f859058548f12f4c2f
- SHA512: 43e355dbabd6abef06fe6bf00c140552be70f21f43977b6973730c865c597abd61ce7032eab004ef38fc6e42d0de9a988380e5dbf049583914c3c8d433b151d7
- SSDEEP: 12288:Gy7GJaXTC4IsjkvK1gtvkUTWFnH//ZNm45eO:tXcLKGtsfx1v
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 16b76886a277b914372d8ad3da50f511.exe

UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 16b76886a277b914372d8ad3da50f511.exe

Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 16b76886a277b914372d8ad3da50f511.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Java(TM) Platform SE Auto Updater 2.0 = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe" | 16b76886a277b914372d8ad3da50f511.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 16b76886a277b914372d8ad3da50f511.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 16b76886a277b914372d8ad3da50f511.exe

Disables Task Manager via registry modification

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe" | 16b76886a277b914372d8ad3da50f511.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF} | 16b76886a277b914372d8ad3da50f511.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe" | 16b76886a277b914372d8ad3da50f511.exe
  Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF} | 16b76886a277b914372d8ad3da50f511.exe

YARA rule matches
  resource | yara_rule
  behavioral1/memory/3056-3-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-6-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-7-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-10-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-14-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-18-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-25-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-26-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-27-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-28-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-29-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-30-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-31-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-32-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-36-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-37-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-38-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-40-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-42-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-48-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-50-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-52-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-54-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-56-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-58-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-60-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-65-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-67-0x0000000002950000-0x00000000039DE000-memory.dmp | upx
  behavioral1/memory/3056-73-0x0000000002950000-0x00000000039DE000-memory.dmp | upx

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 16b76886a277b914372d8ad3da50f511.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java(TM) Platform SE Auto Updater 2.0 = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe" | 16b76886a277b914372d8ad3da50f511.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java(TM) Platform SE Auto Updater 2.0 = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe" | 16b76886a277b914372d8ad3da50f511.exe

Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 16b76886a277b914372d8ad3da50f511.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\K: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\O: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\P: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\Q: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\U: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\Y: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\G: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\H: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\I: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\R: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\S: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\L: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\N: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\X: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\E: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\J: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\M: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\T: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\V: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\W: | 16b76886a277b914372d8ad3da50f511.exe
  File opened (read-only) | \??\Z: | 16b76886a277b914372d8ad3da50f511.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | C:\autorun.inf | 16b76886a277b914372d8ad3da50f511.exe
  File opened for modification | F:\autorun.inf | 16b76886a277b914372d8ad3da50f511.exe

Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 16b76886a277b914372d8ad3da50f511.exe

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | 16b76886a277b914372d8ad3da50f511.exe

Modifies registry key (1 TTP, 4 IoCs)
  pid | Process
  2244 | reg.exe
  1532 | reg.exe
  1336 | reg.exe
  1596 | reg.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  3056 | 16b76886a277b914372d8ad3da50f511.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe (20 identical entries)
  Token: 1 | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeCreateTokenPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeAssignPrimaryTokenPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeLockMemoryPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeIncreaseQuotaPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeMachineAccountPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeTcbPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeSecurityPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeTakeOwnershipPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeLoadDriverPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeSystemProfilePrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeSystemtimePrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeProfSingleProcessPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeIncBasePriorityPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeCreatePagefilePrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeCreatePermanentPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeBackupPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeRestorePrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeShutdownPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeDebugPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeAuditPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeSystemEnvironmentPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeChangeNotifyPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeRemoteShutdownPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeUndockPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeSyncAgentPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeEnableDelegationPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeManageVolumePrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeImpersonatePrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeCreateGlobalPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: 31 | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: 32 | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: 33 | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: 34 | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: 35 | 3056 | 16b76886a277b914372d8ad3da50f511.exe
  Token: SeDebugPrivilege | 3056 | 16b76886a277b914372d8ad3da50f511.exe (9 identical entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  3056 | 16b76886a277b914372d8ad3da50f511.exe (4 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 2164 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 14
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 2588 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 28 (4 identical entries)
  PID 3056 wrote to memory of 1468 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 34 (4 identical entries)
  PID 3056 wrote to memory of 2056 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 32 (4 identical entries)
  PID 3056 wrote to memory of 1644 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 35 (4 identical entries)
  PID 1644 wrote to memory of 1532 | 1644 | cmd.exe | 37 (4 identical entries)
  PID 2588 wrote to memory of 1596 | 2588 | cmd.exe | 39 (4 identical entries)
  PID 1468 wrote to memory of 2244 | 1468 | cmd.exe | 36 (4 identical entries)
  PID 2056 wrote to memory of 1336 | 2056 | cmd.exe | 38 (4 identical entries)
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12
  PID 3056 wrote to memory of 1172 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 17
  PID 3056 wrote to memory of 1196 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 13
  PID 3056 wrote to memory of 1108 | 3056 | 16b76886a277b914372d8ad3da50f511.exe | 12

System policy modification (1 TTP, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 16b76886a277b914372d8ad3da50f511.exe
Processes

C:\Windows\system32\taskhost.exe  "taskhost.exe"  (PID 1108)

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 1196)
  C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe  "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe"  (PID 3056)
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Modifies Installed Components in the registry
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f  (PID 2588)
      Signatures:
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f  (PID 1596)
        Signatures:
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f  (PID 2056)
      Signatures:
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f  (PID 1336)
        Signatures:
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe:*:Enabled:Windows Messanger" /f  (PID 1468)
      Signatures:
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe:*:Enabled:Windows Messanger" /f  (PID 2244)
        Signatures:
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe:*:Enabled:Windows Messanger" /f  (PID 1644)
      Signatures:
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe:*:Enabled:Windows Messanger" /f  (PID 1532)
        Signatures:
        - Modifies registry key

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 2164)

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (PID 1172)
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads
- Filesize: 9KB
  MD5: 06803a3d9681c0848cc8fec6808dad83
  SHA1: 954d4ea632c6c47e2b761ebf6a4804262e7da623
  SHA256: cd0615c2d68438155fe0420aeb7e124d2d272e06c72099c34e85d911897627b6
  SHA512: 03c0df51cc91760924f2e29d73196a3d5c693ad3c519ce06803577df38e8be2300e32331bd8accaa8f9c821a53079aa858a2095065ac706a6e656833f9ac87ad
- Filesize: 18KB
  MD5: d7f26b113c66627efa01803ef4dfae39
  SHA1: 7a1387d6207f72362df2d7d16cd65aee7f8bf7d7
  SHA256: 6ec87d910d47b113e134bdd7eb103b8d50da93bf24027536678ba0ff519e2b1f
  SHA512: 1e4f74634cce29d2a4914c76a1f9d7cd172b1f0816c5eb56ccc0d18aba7346c4b66f3952aa54f6e5c474891fa7f25fd012a91b0187ea3523376ff3e9d4926ecb