Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/01/2024, 20:20

Behavioral task: behavioral1
- Sample: 6df0096cf0c1f91b398a7ff67d935f65.exe
- Resource: win7-20231129-en
General
- Target: 6df0096cf0c1f91b398a7ff67d935f65.exe
- Size: 160KB
- MD5: 6df0096cf0c1f91b398a7ff67d935f65
- SHA1: 1de4c4714d279418196c9654a3926d35bd85976f
- SHA256: 8392cbbda680d84a0c5a48763fa1e5e1d28506a5fd53e2814a99047a6b7062a4
- SHA512: 02c52f334777498d45886cc9d5160dd5d064f1cb1d3d861a2d512a35a2264bf39c784e5d03473e0e2a1afbc9d7f63ee70d3572291e2bec9d7688e120abb08452
- SSDEEP: 3072:6Lp3qvhn9VI8VjCX1I43fAwegLM6rFDBSxEnSM78ChPr9T4gQNlyAVrhkt24:6LQvhnDIBSilL3DDnSM78C1r9TwbXs7
Malware Config

Extracted: netwire
- cb4.noip.me:3360
- fuxxer.myvnc.com:3360
- activex_autorun: false
- copy_executable: true
- delete_original: true
- host_id: AppleINC-%Rand%
- install_path: %AppData%\WindowUpdate\sys32.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: true
- mutex: TUbvRjPs
- offline_keylogger: true
- password: Password
- registry_autorun: false
- use_mutex: true

Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | sys32.exe |
NetWire RAT payload (6 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/memory/436-0-0x0000000000400000-0x0000000000431000-memory.dmp | netwire |
| behavioral2/files/0x0006000000023226-5.dat | netwire |
| behavioral2/memory/1876-9-0x0000000000400000-0x0000000000431000-memory.dmp | netwire |
| behavioral2/memory/436-8-0x0000000000400000-0x0000000000431000-memory.dmp | netwire |
| behavioral2/memory/1876-11-0x0000000000400000-0x0000000000431000-memory.dmp | netwire |
| behavioral2/memory/1876-59-0x0000000000400000-0x0000000000431000-memory.dmp | netwire |
UAC bypass (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sys32.exe |
Windows security bypass (6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sys32.exe |
Disables RegEdit via registry modification (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | sys32.exe |
Disables Task Manager via registry modification
Deletes itself (1 IoCs)

| pid | Process |
|---|---|
| 1876 | sys32.exe |
Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 1876 | sys32.exe |
UPX packed file

| resource | yara_rule |
|---|---|
| behavioral2/memory/436-1-0x00000000025C0000-0x000000000364E000-memory.dmp | upx |
| behavioral2/memory/1876-10-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-13-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-14-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-17-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-20-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-21-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-22-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-23-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-24-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-25-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-26-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-27-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-28-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-29-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-31-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-32-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-33-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-36-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-37-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-39-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-41-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-44-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-46-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-48-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-50-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-57-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-60-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-62-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-64-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-67-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-69-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-70-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-71-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-73-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-75-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-77-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
| behavioral2/memory/1876-79-0x0000000002900000-0x000000000398E000-memory.dmp | upx |
Windows security modification (7 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sys32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | sys32.exe |
Checks whether UAC is enabled (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sys32.exe |
Enumerates connected drives (3 TTPs, 21 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\P: | sys32.exe |
| File opened (read-only) | \??\Q: | sys32.exe |
| File opened (read-only) | \??\T: | sys32.exe |
| File opened (read-only) | \??\Y: | sys32.exe |
| File opened (read-only) | \??\E: | sys32.exe |
| File opened (read-only) | \??\G: | sys32.exe |
| File opened (read-only) | \??\I: | sys32.exe |
| File opened (read-only) | \??\L: | sys32.exe |
| File opened (read-only) | \??\V: | sys32.exe |
| File opened (read-only) | \??\K: | sys32.exe |
| File opened (read-only) | \??\O: | sys32.exe |
| File opened (read-only) | \??\S: | sys32.exe |
| File opened (read-only) | \??\U: | sys32.exe |
| File opened (read-only) | \??\J: | sys32.exe |
| File opened (read-only) | \??\M: | sys32.exe |
| File opened (read-only) | \??\Z: | sys32.exe |
| File opened (read-only) | \??\X: | sys32.exe |
| File opened (read-only) | \??\H: | sys32.exe |
| File opened (read-only) | \??\N: | sys32.exe |
| File opened (read-only) | \??\R: | sys32.exe |
| File opened (read-only) | \??\W: | sys32.exe |
Drops autorun.inf file (1 TTPs, 2 IoCs)

Malware can abuse Windows Autorun to spread further via attached volumes.

| description | ioc | Process |
|---|---|---|
| File opened for modification | F:\autorun.inf | sys32.exe |
| File opened for modification | C:\autorun.inf | sys32.exe |
Drops file in Program Files directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | sys32.exe |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | sys32.exe |
Drops file in Windows directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SYSTEM.INI | sys32.exe |
Suspicious behavior: EnumeratesProcesses (28 IoCs)

| pid | Process | count |
|---|---|---|
| 1876 | sys32.exe | 28 |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process | count |
|---|---|---|---|
| Token: SeDebugPrivilege | 1876 | sys32.exe | 64 |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target | count |
|---|---|---|---|---|
| PID 436 wrote to memory of 1876 | 436 | 6df0096cf0c1f91b398a7ff67d935f65.exe | 86 | 3 |
| PID 1876 wrote to memory of 804 | 1876 | sys32.exe | 83 | 4 |
| PID 1876 wrote to memory of 812 | 1876 | sys32.exe | 82 | 4 |
| PID 1876 wrote to memory of 384 | 1876 | sys32.exe | 79 | 4 |
| PID 1876 wrote to memory of 2536 | 1876 | sys32.exe | 13 | 4 |
| PID 1876 wrote to memory of 2656 | 1876 | sys32.exe | 14 | 4 |
| PID 1876 wrote to memory of 2836 | 1876 | sys32.exe | 51 | 4 |
| PID 1876 wrote to memory of 3360 | 1876 | sys32.exe | 46 | 4 |
| PID 1876 wrote to memory of 3484 | 1876 | sys32.exe | 45 | 4 |
| PID 1876 wrote to memory of 3744 | 1876 | sys32.exe | 44 | 4 |
| PID 1876 wrote to memory of 3832 | 1876 | sys32.exe | 43 | 4 |
| PID 1876 wrote to memory of 3956 | 1876 | sys32.exe | 20 | 3 |
| PID 1876 wrote to memory of 4036 | 1876 | sys32.exe | 42 | 3 |
| PID 1876 wrote to memory of 3876 | 1876 | sys32.exe | 41 | 3 |
| PID 1876 wrote to memory of 3296 | 1876 | sys32.exe | 23 | 3 |
| PID 1876 wrote to memory of 1828 | 1876 | sys32.exe | 32 | 3 |
| PID 1876 wrote to memory of 5084 | 1876 | sys32.exe | 87 | 3 |
| PID 1876 wrote to memory of 4576 | 1876 | sys32.exe | 88 | 3 |
System policy modification (1 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sys32.exe |
Processes

Process tree (path | command line | PID); signatures matched by a process are listed beneath it.

- C:\Windows\system32\sihost.exe | sihost.exe | PID:2536
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2656
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3956
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3296
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1828
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3876
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4036
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3832
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3744
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3484
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3360
  - C:\Users\Admin\AppData\Local\Temp\6df0096cf0c1f91b398a7ff67d935f65.exe | "C:\Users\Admin\AppData\Local\Temp\6df0096cf0c1f91b398a7ff67d935f65.exe" | PID:436
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WindowUpdate\sys32.exe | -m "C:\Users\Admin\AppData\Local\Temp\6df0096cf0c1f91b398a7ff67d935f65.exe" | PID:1876
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2836
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:812
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5084
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4576
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 160KB
  MD5: 6df0096cf0c1f91b398a7ff67d935f65
  SHA1: 1de4c4714d279418196c9654a3926d35bd85976f
  SHA256: 8392cbbda680d84a0c5a48763fa1e5e1d28506a5fd53e2814a99047a6b7062a4
  SHA512: 02c52f334777498d45886cc9d5160dd5d064f1cb1d3d861a2d512a35a2264bf39c784e5d03473e0e2a1afbc9d7f63ee70d3572291e2bec9d7688e120abb08452

- Filesize: 27KB
  MD5: fb6b2daa1f73ea83e8f8f5ce32077321
  SHA1: e51e7613d1924c2fe327bc21903ff2fb7a68a9cd
  SHA256: a476181e930bfc79482f87c05a338e534d7cb2b4a83c3d3c03f782a57281b3ee
  SHA512: d458b8cd539e521697acdb16a28d6d06525a77672052ec83dc982df6ff916c4f4cfe18a41d74f7ad57ec5b29f1c7546df7a972cb83f1df1b34213f58123f0cd1