Analysis
max time kernel: 129s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 02:28
Static task: static1
Behavioral task: behavioral1
Sample: 82a3a6020caa80a0412b2310bb4dbc8e.exe
Resource: win7-20231215-en
General
Target: 82a3a6020caa80a0412b2310bb4dbc8e.exe
Size: 132KB
MD5: 82a3a6020caa80a0412b2310bb4dbc8e
SHA1: 45432a91c28d7b4a5a513e4e33aeda535a2e386f
SHA256: 011b83dc87cabe59ca9c35876598cf5453e894d269589c261ddc6ad7660bfee6
SHA512: 226e31514055b0a80199eaba055df382b0ffb91678db9416cde31da1a9d3a6b8d7c7335c5ec9f2e79af5119ca2bbaa055f2504d92ffee73dd89e6cbcaa752059
SSDEEP: 3072:VzbrksiVyyY2y1MixVIkm7wjRDrfxryiDgo:VvfyY2WMixVu7wRZyiEo
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\J: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\P: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\E: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\H: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\L: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\Q: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\S: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\V: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\W: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\Y: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\G: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\K: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\M: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\O: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\R: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\T: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\N: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\U: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\X: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened (read-only) | \??\Z: | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\autorun.inf | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e5751c9 | 82a3a6020caa80a0412b2310bb4dbc8e.exe
File opened for modification | C:\Windows\SYSTEM.INI | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe (26 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4436 wrote to memory of 772 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 8
PID 4436 wrote to memory of 768 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 9
PID 4436 wrote to memory of 336 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 10
PID 4436 wrote to memory of 2604 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 65
PID 4436 wrote to memory of 2620 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 64
PID 4436 wrote to memory of 2748 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 62
PID 4436 wrote to memory of 3552 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 55
PID 4436 wrote to memory of 3688 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 29
PID 4436 wrote to memory of 3876 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 54
PID 4436 wrote to memory of 3964 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 53
PID 4436 wrote to memory of 4024 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 52
PID 4436 wrote to memory of 1028 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 51
PID 4436 wrote to memory of 1428 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 30
PID 4436 wrote to memory of 1972 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 49
PID 4436 wrote to memory of 4372 | 4436 | 82a3a6020caa80a0412b2310bb4dbc8e.exe | 40
(The 64 logged entries are this sequence of 15 targets repeated four times, followed by the first four targets once more.)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 82a3a6020caa80a0412b2310bb4dbc8e.exe
Processes
(path | command line | PID; indentation shows parent/child nesting)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 772
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 768
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 336
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3688
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1428
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4372
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1972
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 1028
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4024
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3964
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3876
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3552
    C:\Users\Admin\AppData\Local\Temp\82a3a6020caa80a0412b2310bb4dbc8e.exe | "C:\Users\Admin\AppData\Local\Temp\82a3a6020caa80a0412b2310bb4dbc8e.exe" | PID 4436
    Signatures triggered by this process:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2748
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2620
C:\Windows\system32\sihost.exe | sihost.exe | PID 2604
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 97KB
MD5: ee82d280b79e04809b550011f5991537
SHA1: 68e40f7d2a9f0eb0e5bac11b50c031777c987471
SHA256: dc2950568300579b3afcc5dc807694d05020da99e9a5dfe221348f1fad716b83
SHA512: 5bd44e3690ac5bee4c258244ce90a397ca969d0bfbf2eae9a5ae32c9d4537f5c07b13ef8cf614fdf3cd9d6a06ead2634f020ca11f6fbcd435ea6cfbf27c816df