Analysis
- max time kernel: 59s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 10:19
Static task: static1
Behavioral task: behavioral1
- Sample: 16b76886a277b914372d8ad3da50f511.exe
- Resource: win7-20231215-en
Note that the behavioral1 task (Windows 7, win7-20231215-en) is the only task listed here, but the signatures, memory dumps (behavioral2/...) and process tree on this page come from the Windows 10 run described under Analysis.
General
- Target: 16b76886a277b914372d8ad3da50f511.exe
- Size: 520KB
- MD5: 16b76886a277b914372d8ad3da50f511
- SHA1: 375fd05f0ecfb36884ebf80aa951738e44b9481f
- SHA256: 33001f3175b74bd653f9e2cd2aafeb280820b8778d71f4f859058548f12f4c2f
- SHA512: 43e355dbabd6abef06fe6bf00c140552be70f21f43977b6973730c865c597abd61ce7032eab004ef38fc6e42d0de9a988380e5dbf049583914c3c8d433b151d7
- SSDEEP: 12288:Gy7GJaXTC4IsjkvK1gtvkUTWFnH//ZNm45eO:tXcLKGtsfx1v
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process for all rows: 16b76886a277b914372d8ad3da50f511.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
UAC bypass
Process: 16b76886a277b914372d8ad3da50f511.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process for all rows: 16b76886a277b914372d8ad3da50f511.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process for all rows: 16b76886a277b914372d8ad3da50f511.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Java(TM) Platform SE Auto Updater 2.0 = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe"
Disables RegEdit via registry modification (1 IoCs)
Process: 16b76886a277b914372d8ad3da50f511.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Process for all rows: 16b76886a277b914372d8ad3da50f511.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe"
- Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF}
UPX packed file (yara rule: upx, 32 IoCs)
All 32 matches are the same memory region of PID 3368, dumped at successive points of the run:
- behavioral2/memory/3368-N-0x00000000029C0000-0x0000000003A4E000-memory.dmp, for dump index N in 1, 4, 7, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24, 26, 27, 28, 30, 37, 52, 57, 60, 63, 65, 70, 72, 78, 80, 82, 84, 85, 86
Windows security modification
Process for all rows: 16b76886a277b914372d8ad3da50f511.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Adds Run key to start application (2 TTPs, 2 IoCs)
Process for all rows: 16b76886a277b914372d8ad3da50f511.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java(TM) Platform SE Auto Updater 2.0 = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe"
- Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java(TM) Platform SE Auto Updater 2.0 = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe"
Checks whether UAC is enabled
Process: 16b76886a277b914372d8ad3da50f511.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process for all rows: 16b76886a277b914372d8ad3da50f511.exe
- File opened (read-only): \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:
Drops file in Windows directory (1 IoCs)
Process: 16b76886a277b914372d8ad3da50f511.exe
- File opened for modification C:\Windows\SYSTEM.INI
Modifies registry key (1 TTPs, 4 IoCs)
- PID 900 reg.exe
- PID 4112 reg.exe
- PID 3740 reg.exe
- PID 3152 reg.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 3368 16b76886a277b914372d8ad3da50f511.exe (6 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are PID 3368, 16b76886a277b914372d8ad3da50f511.exe. In the order logged:
- Token: SeDebugPrivilege, 10 times
- Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- Token: SeDebugPrivilege, 19 times
The middle run is privilege LUIDs 1 through 35 in ascending order (SeCreateTokenPrivilege is LUID 2 and SeCreateGlobalPrivilege is LUID 30; 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege, which the sandbox did not resolve to names). The sample walks every LUID and tries to enable each one rather than requesting the specific privileges it needs.
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 3368 16b76886a277b914372d8ad3da50f511.exe (4 events)
Suspicious use of WriteProcessMemory (64 IoCs)
Rows are (writer PID) wrote to memory of (target PID), with Triage's procid_target index in parentheses and the number of times the row appears.
Writer 3368, 16b76886a277b914372d8ad3da50f511.exe, wrote to:
- 804 (82) x2, 812 (81) x2, 336 (78) x2, 2572 (50) x2, 2584 (49) x2, 2820 (45) x2, 3520 (39) x2, 3676 (36) x2, 3852 (35) x2, 3944 (34) x2, 4048 (8) x2, 1436 (33) x2, 3540 (32) x2, 388 (30) x2, 1412 (20) x2, 1116 (14) x2, 2964 (13) x2, 2740 (12) x2, 2936 (38) x1, 1536 (90) x2, 3256 (96) x1
- its own cmd.exe children: 3004 (109) x4, 3648 (98) x3, 1952 (108) x3, 4076 (106) x3
Writers cmd.exe wrote to their reg.exe children:
- 3004 wrote to 900 (102) x3
- 4076 wrote to 3740 (104) x3
- 3648 wrote to 4112 (103) x3
- 1952 wrote to 3152 (105) x2
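The repeated rows for each cmd.exe to reg.exe pair (and for each 3368 to cmd.exe pair) are the writes a parent makes while starting a child, so a detector that simply counts WriteProcessMemory events would fire on every cmd.exe in the tree. The script below is an added example, not Triage's code or the sample's: it parses Triage's flattened rows, discounts writes into the writer's own children, and flags a writer by the number of distinct unrelated targets. The write pairs, process names and parent links are transcribed from this report; the threshold of 5 is an arbitrary choice.

```python
"""Fan-out heuristic for WriteProcessMemory telemetry (added example, not Triage's code).

Sandbox rows of the form 'PID A wrote to memory of B' include the writes a parent
performs while starting a child, so those are discounted and only distinct targets
the writer did not create are counted. Data below is transcribed from this report.
"""
import re
from collections import defaultdict

WRITE_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_write_rows(text):
    """Pull (writer, target) PID pairs out of Triage's flattened signature text."""
    return [(int(a), int(b)) for a, b in WRITE_ROW.findall(text)]


# First rows of the signature table, as printed in this report
SAMPLE_ROWS = ("PID 3368 wrote to memory of 804 3368 16b76886a277b914372d8ad3da50f511.exe 82 "
               "PID 3368 wrote to memory of 812 3368 16b76886a277b914372d8ad3da50f511.exe 81 "
               "PID 3004 wrote to memory of 900 3004 cmd.exe 102")

# Every distinct (writer, target) pair in the report; Triage prints most of them 2 or 3 times
WRITES = [(3368, t) for t in (804, 812, 336, 2572, 2584, 2820, 3520, 3676, 3852, 3944, 4048, 1436,
                              3540, 388, 1412, 1116, 2964, 2740, 2936, 1536, 3256,
                              3004, 3648, 1952, 4076)]
WRITES += [(3004, 900), (4076, 3740), (3648, 4112), (1952, 3152)]

# PID -> image, from the process tree
PROCS = {3368: "16b76886a277b914372d8ad3da50f511.exe", 804: "fontdrvhost.exe", 812: "fontdrvhost.exe",
         336: "dwm.exe", 2572: "sihost.exe", 2584: "svchost.exe", 2820: "taskhostw.exe",
         3520: "Explorer.EXE", 3676: "svchost.exe", 3852: "DllHost.exe",
         3944: "StartMenuExperienceHost.exe", 4048: "RuntimeBroker.exe", 1436: "SearchApp.exe",
         3540: "RuntimeBroker.exe", 388: "RuntimeBroker.exe", 1412: "TextInputHost.exe",
         1116: "backgroundTaskHost.exe", 2964: "backgroundTaskHost.exe", 2740: "backgroundTaskHost.exe",
         2936: "RuntimeBroker.exe", 1536: "RuntimeBroker.exe", 3256: "BackgroundTransferHost.exe",
         3004: "cmd.exe", 3648: "cmd.exe", 1952: "cmd.exe", 4076: "cmd.exe",
         900: "reg.exe", 3740: "reg.exe", 4112: "reg.exe", 3152: "reg.exe"}

# child -> parent, from the process tree (depth-1 processes have no recorded parent)
PARENTS = {3004: 3368, 3648: 3368, 1952: 3368, 4076: 3368,
           900: 3004, 3740: 4076, 4112: 3648, 3152: 1952}


def injection_fanout(writes, parents, procs, threshold=5):
    """Per writer: distinct non-child targets, number of child writes discounted, and a verdict."""
    targets, children = defaultdict(set), defaultdict(set)
    for writer, target in writes:
        # a write into a process the writer itself started is normal process start-up
        (children if parents.get(target) == writer else targets)[writer].add(target)
    out = {}
    for writer in set(targets) | set(children):
        hits = sorted((pid, procs.get(pid, "?")) for pid in targets[writer])
        out[writer] = {"writer": procs.get(writer, "?"), "targets": hits,
                       "children_excluded": len(children[writer]), "flag": len(hits) >= threshold}
    return out


if __name__ == "__main__":
    for writer, r in sorted(injection_fanout(WRITES, PARENTS, PROCS).items()):
        print(f"{writer} {r['writer']}: {len(r['targets'])} unrelated targets, "
              f"{r['children_excluded']} child writes discounted, flag={r['flag']}")
```

On this report the sample ends up with 21 unrelated targets (every shell and broker process that was running) and four discounted child writes, while each cmd.exe has zero unrelated targets and is not flagged.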
System policy modification (1 TTPs, 1 IoCs)
Process: 16b76886a277b914372d8ad3da50f511.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Each entry gives depth in the tree, image path, command line, PID and the signatures attributed to that process. The sample is PID 3368.

[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID 4048
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID 2740
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
    PID 2964
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    PID 1116
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID 1412
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID 388
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID 3540
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID 1436
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID 3944
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID 3852
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID 3676
[1] C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe"
    PID 3368
    signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Modifies Installed Components in the registry; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe:*:Enabled:Windows Messanger" /f
        PID 3648
        signatures: Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            PID 4564
        [3] C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\16b76886a277b914372d8ad3da50f511.exe:*:Enabled:Windows Messanger" /f
            PID 4112
            signatures: Modifies registry key
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe:*:Enabled:Windows Messanger" /f
        PID 4076
        signatures: Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID 1952
        signatures: Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID 3004
        signatures: Suspicious use of WriteProcessMemory
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID 2936
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID 3520
[1] C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID 2820
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID 2584
[1] C:\Windows\system32\sihost.exe
    cmdline: sihost.exe
    PID 2572
[1] C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
    PID 336
[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
    PID 812
[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
    PID 804
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID 1536
[1] C:\Windows\system32\BackgroundTransferHost.exe
    cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
    PID 3256
[1] C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3772
[1] C:\Windows\SysWOW64\reg.exe (shown at depth 1; the WriteProcessMemory rows attribute it to cmd.exe PID 3004)
    cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID 900
    signatures: Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe (shown at depth 1; the WriteProcessMemory rows attribute it to cmd.exe PID 4076)
    cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe:*:Enabled:Windows Messanger" /f
    PID 3740
    signatures: Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe (shown at depth 1; the WriteProcessMemory rows attribute it to cmd.exe PID 1952)
    cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID 3152
    signatures: Modifies registry key
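The registry IoCs under Signatures and the REG ADD command lines in the process tree are the same handful of writes seen through two telemetry shapes: the sandbox's "Set value" rows use native \REGISTRY\MACHINE paths with ControlSet001 and WOW6432Node, while the command lines use HKLM with CurrentControlSet. The script below is an added example, not Triage's code or the sample's: it folds both shapes into one record (native, WOW64, ControlSet00N and per-SID HKU spellings all become HKLM or HKCU) and grades each against a small hardening baseline. The sample rows are copied from this report; the baseline values, the user-writable-path heuristic, the benign control command line and the ATT&CK technique IDs are the author's mapping, not the report's.

```python
"""Grade registry writes from this report against a hardening baseline.

Added example for this page (not Triage's code, not the sample's). Folds the
'Set value (...)' rows Triage prints under each signature and the REG ADD
command lines from the process tree into one record and checks each against
a small baseline. Rows are copied from this report; BASELINE, the
user-writable-path heuristic and the ATT&CK IDs are the author's assumptions.
"""
import re

TRIAGE_ROW = re.compile(r'Set value \((?:int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
USER_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)
FWP = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
FW_LIST = (FWP + r"\AuthorizedApplications\List").lower()
SEC = r"HKLM\SOFTWARE\Microsoft\Security Center"
POL = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
# (key, value name) -> (hardened value, meaning of a deviation, ATT&CK technique); author's mapping
BASELINE = {(k.lower(), v.lower()): rest for (k, v), rest in {
    (FWP, "EnableFirewall"): ("1", "host firewall disabled", "T1562.004"),
    (FWP, "DisableNotifications"): ("0", "firewall notifications suppressed", "T1562.004"),
    ("HKLM" + POL + r"\System", "EnableLUA"): ("1", "UAC disabled", "T1548.002"),
    ("HKCU" + POL + r"\System", "DisableRegistryTools"): ("0", "regedit blocked", "T1112"),
    **{(SEC, v): ("0", "Security Center " + v, "T1562.001") for v in (
        "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
        "FirewallDisableNotify", "UacDisableNotify", "UpdatesDisableNotify")},
}.items()}
RUN_KEYS = {h + s for h in ("hklm", "hkcu") for s in (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run")}
ACTIVE_SETUP = "\\software\\microsoft\\active setup\\installed components\\"

def normalize_key(key):
    """Fold native REGISTRY paths, WOW6432Node, ControlSet00N and per-SID HKU paths into HKLM/HKCU."""
    k = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    k = USER_SID.sub(r"HKCU\\", k)
    k = re.sub(r"\\WOW6432Node\\", r"\\", k, flags=re.I)
    return re.sub(r"\\ControlSet\d+\\", r"\\CurrentControlSet\\", k, flags=re.I)

def parse_triage_row(row):
    """'Set value (int|str) <path> = "<data>" <process>' -> record, or None for any other row."""
    m = TRIAGE_ROW.search(row.strip())
    if not m:
        return None
    path, data, proc = m.groups()
    key, _, name = path.rpartition("\\")
    # Triage doubles the backslashes inside string data (JSON escaping); undo that
    return {"key": normalize_key(key), "name": name, "data": data.replace("\\\\", "\\"), "proc": proc}

def parse_reg_add(cmdline, proc="reg.exe"):
    """'[cmd /c] REG ADD <key> /v <name> /t <type> /d <data> /f' -> record, or None."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(toks) > 2 and toks[0].lower() in ("cmd", "cmd.exe") and toks[1].lower() == "/c":
        toks = toks[2:]
    if len(toks) < 3 or [t.upper() for t in toks[:2]] != ["REG", "ADD"]:
        return None
    opts = {tok.lower(): toks[i + 1] for i, tok in enumerate(toks[3:-1], start=3) if tok.startswith("/")}
    return {"key": normalize_key(toks[2]), "name": opts.get("/v", ""), "data": opts.get("/d", ""), "proc": proc}

def grade(rec):
    """Finding for a record that violates the baseline or looks like persistence/exception abuse, else None."""
    key, name, data = rec["key"].lower(), rec["name"].lower(), rec["data"]
    base = BASELINE.get((key, name))
    if base and data != base[0]:
        verdict = (base[2], "%s (expected %s)" % (base[1], base[0]))
    elif key == FW_LIST and ":*:Enabled:" in data:
        verdict = ("T1562.004", "firewall exception for " + data.split(":*:")[0])
    elif key in RUN_KEYS and USER_WRITABLE.search(data):
        verdict = ("T1547.001", "Run key points into a user-writable directory")
    elif ACTIVE_SETUP in key and name == "stubpath" and USER_WRITABLE.search(data):
        verdict = ("T1547.014", "Active Setup StubPath points into a user-writable directory")
    else:
        return None
    return {"technique": verdict[0], "why": verdict[1], "proc": rec["proc"],
            "key": rec["key"], "name": rec["name"], "data": data}

def audit(triage_rows, cmdlines):
    """Parse both inputs and return the findings in input order."""
    recs = [r for r in map(parse_triage_row, triage_rows) if r]
    recs += [r for r in map(parse_reg_add, cmdlines) if r]
    return [f for f in map(grade, recs) if f]

# Six rows copied from the signature tables above, one per signature family
TRIAGE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 16b76886a277b914372d8ad3da50f511.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 16b76886a277b914372d8ad3da50f511.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 16b76886a277b914372d8ad3da50f511.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 16b76886a277b914372d8ad3da50f511.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java(TM) Platform SE Auto Updater 2.0 = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe" 16b76886a277b914372d8ad3da50f511.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{4B5DFDC0-26AA-ECA5-430C-EF0DFFEBCBEF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\tasthost.exe" 16b76886a277b914372d8ad3da50f511.exe
""".strip().splitlines()

# Two command lines from the process tree plus one constructed benign control (not from the report)
CMDLINES = [
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\microsoft\tasthost.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKCU\Software\Contoso\Tool /v LastRun /t REG_SZ /d "2023-12-25" /f',
]
```

DoNotAllowExceptions = 0 is the Windows default, so the baseline does not flag that write on its own; what makes it matter in this run is the AuthorizedApplications\List entry written next to it, which the firewall-exception rule catches. On real data, feed audit() the "Set value" rows from a Triage report and the reg.exe command lines from process-creation telemetry.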
Network
MITRE ATT&CK Enterprise v15
The number after each technique is the page's count of signatures mapped to it.
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads
- Filesize: 100KB
  MD5: 8f0d45c98d85082a32c5f5f3de357e22
  SHA1: 7e386c4b9f0e59fa0e7cb1943d304d8d2e0250f7
  SHA256: da65a0b8b1646b5f5d72f8a207b980c4d49ea43406c933d341aaa7f7f17f03de
  SHA512: c1b116591b86de9e75ef5b4786cfc0f1b562ef658fcb9ec9824c8d0d051d2ca42ef78e5a900d45cec158b48ee5f46c8136892c26d6a21a95ca25fa1b1a57966e
- Filesize: 43KB
  MD5: 1cfaf94a69e91fc7476f6b452b540483
  SHA1: 02f58952ce5a7d387e5d896c998ba34ed3a9763a
  SHA256: 86623b2824cc8df0ff9c14948d1147704dc3621809b4942d51b1f6c5b1ce5e2a
  SHA512: 3a3988b7dc81cc898b60b5364d88343a3b88d0a9326390291ae96434509c5ef71595cdb2cc48adb1cb92bb5299f27536a2e335731c1cae55f3be87ff0993ddef