Analysis
max time kernel: 29s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 00:05
Static task: static1
Behavioral task: behavioral1
Sample: 210a2f88858d303bba941b263f4054a9.exe
Resource: win7-20231215-en
General
Target: 210a2f88858d303bba941b263f4054a9.exe
Size: 97KB
MD5: 210a2f88858d303bba941b263f4054a9
SHA1: 1cf10269c621ad727776f46a6b658890acfcca5d
SHA256: 6e10969d57a85c9339ec5225d98e444031bd2e0474106eaa7e7d50215a014b8d
SHA512: 384d92e95931c318be6e63b4c60cbb65e48a587dcd185851ab5c2b4d5c0f1e16244bb8b8e7d163e58129ba7af79b96a65c6e587accdab0e1a28b47e697b49ab4
SSDEEP: 1536:eTcSVf0wlkNDV8jAf34XXtlvAnEHbrzFdA2eqPmUA9OuY2xMr3+BtTaDu:2V8uGV8jAQX9lbbrzFdD5UO8xou7a
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 210a2f88858d303bba941b263f4054a9.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 210a2f88858d303bba941b263f4054a9.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
resource | yara_rule
behavioral2/memory/2692-1-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-3-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-4-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-5-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-6-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-16-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-17-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-18-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-19-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-20-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-21-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-22-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-23-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-24-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-25-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-27-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-28-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-29-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-31-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-32-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-33-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-36-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-38-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-41-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-43-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-45-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-47-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-49-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-51-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-53-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-55-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-57-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-59-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-61-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-62-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-65-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-71-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-74-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/2692-76-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 210a2f88858d303bba941b263f4054a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 210a2f88858d303bba941b263f4054a9.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 210a2f88858d303bba941b263f4054a9.exe
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\L: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\O: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\U: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\V: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\I: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\J: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\K: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\P: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\S: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\M: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\Q: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\R: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\T: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\E: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\H: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\N: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\W: | 210a2f88858d303bba941b263f4054a9.exe
File opened (read-only) | \??\X: | 210a2f88858d303bba941b263f4054a9.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | 210a2f88858d303bba941b263f4054a9.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 210a2f88858d303bba941b263f4054a9.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 210a2f88858d303bba941b263f4054a9.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 210a2f88858d303bba941b263f4054a9.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e578647 | 210a2f88858d303bba941b263f4054a9.exe
File opened for modification | C:\Windows\SYSTEM.INI | 210a2f88858d303bba941b263f4054a9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | 210a2f88858d303bba941b263f4054a9.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2692 | 210a2f88858d303bba941b263f4054a9.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2692 | 210a2f88858d303bba941b263f4054a9.exe
Suspicious use of WriteProcessMemory 59 IoCs
description | pid | Process | procid_target
PID 2692 wrote to memory of 788 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 81
PID 2692 wrote to memory of 796 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 80
PID 2692 wrote to memory of 1016 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 7
PID 2692 wrote to memory of 2828 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 61
PID 2692 wrote to memory of 2848 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 60
PID 2692 wrote to memory of 2992 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 26
PID 2692 wrote to memory of 3320 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 55
PID 2692 wrote to memory of 3452 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 27
PID 2692 wrote to memory of 3712 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 54
PID 2692 wrote to memory of 3812 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 53
PID 2692 wrote to memory of 3920 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 28
PID 2692 wrote to memory of 4000 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 52
PID 2692 wrote to memory of 3900 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 51
PID 2692 wrote to memory of 2836 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 30
PID 2692 wrote to memory of 1428 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 41
PID 2692 wrote to memory of 3284 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 32
PID 2692 wrote to memory of 1924 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 37
PID 2692 wrote to memory of 4880 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 36
PID 2692 wrote to memory of 3360 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 86
PID 2692 wrote to memory of 224 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 87
PID 2692 wrote to memory of 4188 | 2692 | 210a2f88858d303bba941b263f4054a9.exe | 88
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 210a2f88858d303bba941b263f4054a9.exe
Processes
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1016
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2992
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3452
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3920
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2836
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID:3284
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4880
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:1924
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1428
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3900
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4000
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3812
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3712
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3320
  - C:\Users\Admin\AppData\Local\Temp\210a2f88858d303bba941b263f4054a9.exe | "C:\Users\Admin\AppData\Local\Temp\210a2f88858d303bba941b263f4054a9.exe" | PID:2692
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2848
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2828
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID:3360
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:224
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4188
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 7c5d431b111c55aad6d3781b953af711
SHA1: 4b2d591b158ddc2d1aa62d9479812a60f0e84d87
SHA256: 7b49f3601de882cd9ceb1621a87ec01f89372be8b96ad46703cfec456bacfacd
SHA512: 6cec85f14aa8319c3880f90d888daf59048757bf90eae9d8d70155f64e5d1471016c5ade45dd312958d78aa4eab6e28869806085a6c7d19ffffebbc3a3960a9c