Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 16:06
Behavioral task: behavioral1
- Sample: 2bbb76dfa85550ef8f69f58006efb410.exe
- Resource: win7-20231215-en
General
- Target: 2bbb76dfa85550ef8f69f58006efb410.exe
- Size: 416KB
- MD5: 2bbb76dfa85550ef8f69f58006efb410
- SHA1: 6811ec43e5216065ef28f4c88ad7717057cc1b07
- SHA256: 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a
- SHA512: 20b9e00fa199192370772cc98bee0eb9e152f1650d8e15f91fdd5e79b24d516e2f9428de3d6bb7939cd857a9dd20896c03b58fd6750989dfa167d3e61edb5d5e
- SSDEEP: 12288:elQ8fXEBvuwjInnLEzRi1Al/P9QpNZ4PuYu7:ehEBWwMLgiU/PSrZ4PuT7
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe scvshosts.exe" | 2bbb76dfa85550ef8f69f58006efb410.exe
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2bbb76dfa85550ef8f69f58006efb410.exe
Windows security bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 1 TTPs 1 IoCs
pid | Process
3532 | netsh.exe
Yara rule match: upx 19 IoCs
resource | yara_rule
behavioral2/memory/4948-0-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral2/memory/4948-1-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-2-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral2/memory/4948-5-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-6-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/files/0x0006000000023233-18.dat | upx
behavioral2/memory/4948-23-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral2/memory/4948-24-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-25-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-32-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-38-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-42-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral2/memory/4948-52-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-59-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-68-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-69-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-71-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-77-0x00000000032F0000-0x0000000004323000-memory.dmp | upx
behavioral2/memory/4948-112-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
Windows security modification 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2bbb76dfa85550ef8f69f58006efb410.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 2bbb76dfa85550ef8f69f58006efb410.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\scvshosts.exe" | 2bbb76dfa85550ef8f69f58006efb410.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2bbb76dfa85550ef8f69f58006efb410.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 2bbb76dfa85550ef8f69f58006efb410.exe: \??\q:, \??\v:, \??\r:, \??\w:, \??\a:, \??\e:, \??\j:, \??\m:, \??\n:, \??\o:, \??\z:, \??\b:, \??\h:, \??\p:, \??\s:, \??\t:, \??\u:, \??\g:, \??\i:, \??\k:, \??\l:, \??\x:, \??\y:
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4948-2-0x0000000000400000-0x00000000004A7000-memory.dmp | autoit_exe
behavioral2/memory/4948-23-0x0000000000400000-0x00000000004A7000-memory.dmp | autoit_exe
behavioral2/memory/4948-42-0x0000000000400000-0x00000000004A7000-memory.dmp | autoit_exe
behavioral2/memory/4948-112-0x0000000000400000-0x00000000004A7000-memory.dmp | autoit_exe
Drops file in System32 directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\autorun.ini | 2bbb76dfa85550ef8f69f58006efb410.exe
File created | C:\Windows\SysWOW64\setting.ini | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\Windows\SysWOW64\setting.ini | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\WINDOWS\SysWOW64\SCVSHOSTS.EXE | 2bbb76dfa85550ef8f69f58006efb410.exe
File created | C:\Windows\SysWOW64\scvshosts.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\Windows\SysWOW64\scvshosts.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File created | C:\Windows\SysWOW64\blastclnnn.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\Windows\SysWOW64\blastclnnn.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 2bbb76dfa85550ef8f69f58006efb410.exe
File created | C:\Windows\hinhem.scr | 2bbb76dfa85550ef8f69f58006efb410.exe
File created | C:\Windows\scvshosts.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
File opened for modification | C:\Windows\scvshosts.exe | 2bbb76dfa85550ef8f69f58006efb410.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4948 | 2bbb76dfa85550ef8f69f58006efb410.exe (64 identical rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe (64 identical rows)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (duplicate rows removed)
PID 4948 wrote to memory of 780 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 2
PID 4948 wrote to memory of 784 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 80
PID 4948 wrote to memory of 380 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 3
PID 4948 wrote to memory of 2796 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 46
PID 4948 wrote to memory of 2940 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 45
PID 4948 wrote to memory of 3044 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 44
PID 4948 wrote to memory of 3380 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 39
PID 4948 wrote to memory of 3536 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 38
PID 4948 wrote to memory of 3780 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 37
PID 4948 wrote to memory of 3872 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 11
PID 4948 wrote to memory of 3976 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 10
PID 4948 wrote to memory of 4068 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 36
PID 4948 wrote to memory of 4172 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 35
PID 4948 wrote to memory of 2332 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 33
PID 4948 wrote to memory of 5012 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 23
PID 4948 wrote to memory of 1868 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 12
PID 4948 wrote to memory of 3292 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 16
PID 4948 wrote to memory of 3316 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 15
PID 4948 wrote to memory of 4120 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 89
PID 4948 wrote to memory of 980 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 90
PID 4948 wrote to memory of 3532 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 91
PID 4948 wrote to memory of 1908 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 92
PID 1908 wrote to memory of 4128 | 1908 | cmd.exe | 97
PID 4948 wrote to memory of 3092 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 98
PID 3092 wrote to memory of 3884 | 3092 | cmd.exe | 100
PID 4948 wrote to memory of 2928 | 4948 | 2bbb76dfa85550ef8f69f58006efb410.exe | 101
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2bbb76dfa85550ef8f69f58006efb410.exe
Processes
Process tree (path | command line | PID; indentation shows parent/child, signatures listed under the process that triggered them):
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 380
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3976
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3872
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID 1868
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3316
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 3292
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 5012
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2332
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4172
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4068
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3780
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3536
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3380
  C:\Users\Admin\AppData\Local\Temp\2bbb76dfa85550ef8f69f58006efb410.exe | "C:\Users\Admin\AppData\Local\Temp\2bbb76dfa85550ef8f69f58006efb410.exe" | PID 4948
    - Modifies WinLogon for persistence
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID 3532
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes | PID 1908
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\at.exe | AT /delete /yes | PID 4128
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe | PID 3092
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe | PID 3884
    C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID 2104
    C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID 2928
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3044
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2940
C:\Windows\system32\sihost.exe | sihost.exe | PID 2796
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4120
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 980
C:\Windows\System32\wuapihost.exe | C:\Windows\System32\wuapihost.exe -Embedding | PID 2928
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 4892
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4960
C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID 4416
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 106B
  MD5: 461844e7b27354ffb9b1f5cafc529c64
  SHA1: f3ee2f507999a91ad23366c65f06159d79ec5478
  SHA256: e7deff408c17012d4a2ed9399301e10253dfb74db882ee557b09c319b7be86ba
  SHA512: e2e3fe4962ee8a3bbbff1df45782ac2281ccd67cb7598c2d47fcc36ae1c5a667e1465afd138c1e491014348b381f31d75e1ccee739db81892217ada0380c0c57
- Filesize: 277KB
  MD5: f9a8d802def53de707dde40f77b1d060
  SHA1: 5221f77661a01f87fc3701a51bab773ab7ce92f2
  SHA256: 0e5d2c97035129e4e75fd14454728ea8bda99173a5940a43257af910c7f80733
  SHA512: d72af1ad6f90fb73383fa5b4b64895ea05437f1b00d99ee32c33555127ff387ec366e9c30b59bcf0778c0411c9053f61478cb64bb4af4644897de61098e13078
- Filesize: 416KB (same hashes as the submitted sample)
  MD5: 2bbb76dfa85550ef8f69f58006efb410
  SHA1: 6811ec43e5216065ef28f4c88ad7717057cc1b07
  SHA256: 5d6b895e208226d99be411502f243df8a6cd56d536d17bbd7f4e8a89cb407d4a
  SHA512: 20b9e00fa199192370772cc98bee0eb9e152f1650d8e15f91fdd5e79b24d516e2f9428de3d6bb7939cd857a9dd20896c03b58fd6750989dfa167d3e61edb5d5e