Analysis
max time kernel: 124s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19/02/2024, 21:45
Static task: static1
Behavioral task: behavioral1
Sample: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
Resource: win7-20231215-en
General
Target: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
Size: 3.0MB
MD5: a4d8ae019f013517c7557012dba59dc6
SHA1: 43b595ed13b1fe31dcd57f65689d7d89db524953
SHA256: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232
SHA512: ec470ed69989f656d967bd5b025dc7fb59cc0381b238568a63f844a1c114e9448727431317dfb6a4170bea2ff54faea95d9d15e296ff02f8486f50767c00d945
SSDEEP: 49152:RBwpxPJg7JW4jhzQpxSlDvZajSiOWJ40PCLdt5bqUl33kwpPN:RBwpxhg7JW4NkpqiOWJ4PLdTqUxV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- File opened (read-only): \??\U:, \??\V:, \??\W:, \??\L:, \??\N:, \??\K:, \??\M:, \??\O:, \??\R:, \??\X:, \??\Z:, \??\E:, \??\I:, \??\Q:, \??\S:, \??\T:, \??\Y:, \??\H:, \??\J:, \??\G:, \??\P:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- File opened for modification F:\autorun.inf
- File opened for modification C:\autorun.inf
Drops file in Program Files directory 7 IoCs
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
- File opened for modification C:\Program Files\7-Zip\7z.exe
- File opened for modification C:\Program Files\7-Zip\7zFM.exe
- File opened for modification C:\Program Files\7-Zip\7zG.exe
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe
- File opened for modification C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini
- File opened for modification C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini
Drops file in Windows directory 2 IoCs
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- File created C:\Windows\f763ddb
- File opened for modification C:\Windows\SYSTEM.INI
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid 1972, Process 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe (all 35 IoCs are this same entry)
Suspicious use of AdjustPrivilegeToken 31 IoCs
Token: SeDebugPrivilege, pid 1972, Process 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe (all 31 IoCs are this same entry)
Suspicious use of WriteProcessMemory 37 IoCs
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe (pid 1972); the 37 IoCs are repeated writes to these four targets:
- PID 1972 wrote to memory of 1116 (procid_target 15)
- PID 1972 wrote to memory of 1184 (procid_target 13)
- PID 1972 wrote to memory of 1276 (procid_target 14)
- PID 1972 wrote to memory of 2240 (procid_target 22)
System policy modification 1 TTPs 1 IoCs
Process: 73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe", PID 1184
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID 1276
  - C:\Users\Admin\AppData\Local\Temp\73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe, command line "C:\Users\Admin\AppData\Local\Temp\73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe", PID 1972
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\taskhost.exe, command line "taskhost.exe", PID 1116
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 2240
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads