Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/02/2024, 21:36
Static task: static1
Behavioral task: behavioral1
Sample: 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Resource: win7-20231215-en

General

Target: 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Size: 185KB
MD5: f92de49a96b1bde10d1442ebbc5cf47d
SHA1: 90ae669123d835cb79c5a964638efb9cfb58db47
SHA256: 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534
SHA512: b641e55fd4d69d46a15bcf69a63d990f508fe0f82cfd785383a03184c47eac5b13a01b54b6071dc21b701dc6b788cb5dadf5e4c2cdc3d3703993c801ebd8ca1f
SSDEEP: 3072:rajIMvS5ujzAYWjtAed6TC+cweppRKWyXZEv5HZfKvkTRUsVnAiB0eyk390CO:rAr6ojE1iWRcZEvrfKuUsbCkN0CO
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

resource | yara_rule
behavioral2/memory/5044-1-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-3-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-4-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-6-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-10-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-16-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-17-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-19-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-20-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-21-0x00000000023B0000-0x000000000346A000-memory.dmp | upx
behavioral2/memory/5044-27-0x00000000023B0000-0x000000000346A000-memory.dmp | upx

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e5749ea | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
File opened for modification | C:\Windows\SYSTEM.INI | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
4400 | msedge.exe
4400 | msedge.exe
3004 | msedge.exe
3004 | msedge.exe
4724 | msedge.exe
4724 | msedge.exe
4724 | msedge.exe
4724 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | Process
3004 | msedge.exe
3004 | msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
(all 64 entries are identical to the row above)

Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
3004 | msedge.exe
(all 25 entries are identical to the row above)

Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
3004 | msedge.exe
(all 24 entries are identical to the row above)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5044 wrote to memory of 772 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 8
PID 5044 wrote to memory of 776 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 17
PID 5044 wrote to memory of 60 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 10
PID 5044 wrote to memory of 768 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 59
PID 5044 wrote to memory of 2124 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 58
PID 5044 wrote to memory of 3124 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 27
PID 5044 wrote to memory of 3420 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 55
PID 5044 wrote to memory of 3540 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 54
PID 5044 wrote to memory of 3736 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 53
PID 5044 wrote to memory of 3824 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 52
PID 5044 wrote to memory of 3888 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 28
PID 5044 wrote to memory of 3976 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 51
PID 5044 wrote to memory of 3660 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 50
PID 5044 wrote to memory of 3240 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 38
PID 5044 wrote to memory of 4968 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 37
PID 5044 wrote to memory of 3004 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 87
PID 5044 wrote to memory of 3004 | 5044 | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe | 87
PID 3004 wrote to memory of 3392 | 3004 | msedge.exe | 86
PID 3004 wrote to memory of 3392 | 3004 | msedge.exe | 86
PID 3004 wrote to memory of 2064 | 3004 | msedge.exe | 89
(the row above is repeated 40 times in the report)
PID 3004 wrote to memory of 4400 | 3004 | msedge.exe | 88
PID 3004 wrote to memory of 4400 | 3004 | msedge.exe | 88
PID 3004 wrote to memory of 2480 | 3004 | msedge.exe | 90
PID 3004 wrote to memory of 2480 | 3004 | msedge.exe | 90
PID 3004 wrote to memory of 2480 | 3004 | msedge.exe | 90

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
Processes
(process tree; each entry is indented under its parent, with its command line and the signatures it triggered)

C:\Windows\system32\fontdrvhost.exe  PID:772
  command line: "fontdrvhost.exe"

C:\Windows\system32\dwm.exe  PID:60
  command line: "dwm.exe"

C:\Windows\system32\fontdrvhost.exe  PID:776
  command line: "fontdrvhost.exe"

C:\Windows\system32\taskhostw.exe  PID:3124
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\System32\RuntimeBroker.exe  PID:3888
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe  PID:4968
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  PID:3240
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe  PID:3660
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  PID:3976
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  PID:3824
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe  PID:3736
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe  PID:3540
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE  PID:3420
  command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe  PID:5044
      command line: "C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3004
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.douyin.com/?ug_source=yd_tbbg
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4400
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2064
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2480
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3320
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4660
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4724
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,8278031217745989142,4737837504143990621,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
              - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe  PID:2124
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe  PID:768
  command line: sihost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3392
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8534046f8,0x7ff853404708,0x7ff853404718

C:\Windows\System32\CompPkgSrv.exe  PID:3876
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID:828
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

Filesize: 152B
MD5: 5e77545b7e1c504b2f5ce7c5cc2ce1fe
SHA1: d81a6af13cf31fa410b85471e4509124ebeaff7e
SHA256: cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
SHA512: cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 144B
MD5: 717328623ddc399dbebdb6c9dae93784
SHA1: 6d137b7b656d8f49332d0bceae1204e504ca0ce7
SHA256: 342d93e500b8ddbb631cfb8bedb036f5b78439b1b3c57ff58dcae397f37906ef
SHA512: 705236c5ceff43f7de55c5cf9b8645c09f8c99087b400531ce4a7a603460d441254796bce1178ad61215449f75d60969b7f940bcf17dcaf159dd3e1e859f8f63

Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Filesize: 585B
MD5: 4482fc709a1ebc93bd4db1a7af6b5fe8
SHA1: fa8977d7b7fed1bf78eadf4e126ed266e31359ce
SHA256: 276a3e06fb3ae09de3b2f89b1160f622615a391e289c8b456ac08b3264337e9f
SHA512: a5ea0a42df57e74a1d6830cbf2144598f4c4b5e03cdc0fb1a7f8f924ea95121c0840bfdf59aa9cc1fa49370b9a8f3bcb4116cb80304bd3a6c75ace04268b1ece

Filesize: 5KB
MD5: 24c4642acd4c778e8258df929353a125
SHA1: b816790cb354ce8fe68cb0531bac03376297ac13
SHA256: b97d0ce220bc81610b8b48af42253358c640362fc3fae619ffe28b1afbc59d49
SHA512: ecd39de708841a506d36cb10a8fc1e342575b5ef58351da51dd66a29d980653c317755ddb69f5acd675784ba927b104966c388f6af9b419e13f223f1af6a9e55

Filesize: 5KB
MD5: 32b725d4d9947f5a9fd0ebfa77f17e08
SHA1: b2fca78fc37a5191485cccd27911aec9ea25055e
SHA256: 884a7e1511068e27dcc23bf76c84b2ad4567c74c340c9a4a69df2796670e3498
SHA512: 7d896968a52b6169097c835f012bb1c00b95c56b40ad3b4b5e1d30c8e96b9d9b9b34bb4b206701f9ac5113608f26d9f776db56c7c8d946c7fc480b8acbeb2af9

Filesize: 24KB
MD5: 6db2d2ceb22a030bd1caa72b32cfbf98
SHA1: fe50f35e60f88624a28b93b8a76be1377957618b
SHA256: 7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4
SHA512: d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Filesize: 10KB
MD5: 9c91c15def25533768ade47c23bc40f6
SHA1: 9e3c46c031092cac77e2f99e9eae72322bb5bad5
SHA256: 38aa2b56f30a6a50416d2832cd2ade97f2af48049665249a7313a33bacc2b51f
SHA512: 54a2ff10591c3116b8d51abf7d954c348854335ccaec7f3c575b0a133c6cc3d0560887b80b31f52b3ef6275ba1f42172394c24cedba30d3b33a4f3133109b24a