Analysis
max time kernel: 130s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/02/2024, 21:55
Static task: static1
Behavioral task: behavioral1
Sample: 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Resource: win7-20231215-en
General
Target: 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Size: 3.0MB
MD5: ca5633884f1c2afe5fb697a2eb8e6ceb
SHA1: 430274f0f8397c09ffe863da74b616f0042e327d
SHA256: 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613
SHA512: b2b2cf1e38ac2ccf09ba9b57505e0f65c9db1aeb54001c2621b1a231b40ff4df24939f17350908963151fedd835f061075c7f2d6f293ce2fb707ac73ca502b33
SSDEEP: 98304:81KtVejknMTKCr3Zk2jlEHCluHHYmCR4ZKE:yVzZqCluHHYR2n
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
UAC bypass 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Windows security bypass 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
UPX packed file 37 IoCs
resource yara_rule
37 memory dumps of PID 4852 matched the yara rule upx; every dump covers the same region 0x00000000026E0000-0x000000000379A000 and differs only in its index: behavioral2/memory/4852-N-0x00000000026E0000-0x000000000379A000-memory.dmp for N in 1, 3, 4, 9, 10, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31, 34, 36, 38, 41, 43, 45, 47, 49, 51, 53, 55, 58, 60, 67, 69, 71, 73, 75.
Windows security modification 7 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe, one row per drive letter (20 rows): \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
(F: and L: do not appear in this list; F: is written to in the autorun.inf signature below.)
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification F:\autorun.inf 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Drops file in Program Files directory 11 IoCs
description ioc Process
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\7-Zip\7z.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\e574323 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
File opened for modification C:\Windows\SYSTEM.INI 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process
4852 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe (the same row repeated 44 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 4852 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe (the same row repeated 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
All 64 rows have the form "PID 4852 wrote to memory of <target> 4852 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe <procid_target>" and cycle through the same 15 targets (792, 800, 380 and 2528 occur five times, the others four). Those 15 targets are every other process in the process tree below. Target PID, procid_target, image from the tree:
792 (75) fontdrvhost.exe
800 (74) fontdrvhost.exe
380 (9) dwm.exe
2528 (42) sihost.exe
2572 (40) svchost.exe -k UnistackSvcGroup -s CDPUserSvc
2668 (16) taskhostw.exe
3284 (24) Explorer.EXE
3616 (22) svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
3812 (21) DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3920 (18) StartMenuExperienceHost.exe
3988 (19) RuntimeBroker.exe
4068 (20) SearchApp.exe
3880 (26) RuntimeBroker.exe
2152 (71) TextInputHost.exe
3200 (76) RuntimeBroker.exe
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe
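The registry rows and the WriteProcessMemory rows above can be turned into host checks without retyping them. What follows is an added example, not part of the sandbox report or of the sandbox vendor's tooling. It parses rows in the report's own row format (the 64-character sample name is shortened to SAMPLE.exe), rewrites the kernel registry paths into reg.exe form (CurrentControlSet in place of the sandbox's ControlSet001), evaluates them against a registry snapshot, and collapses the repeated memory-write rows into the distinct set of injected target PIDs. The two snapshots, CLEAN_HOST and INFECTED_32BIT_HOST, are constructed for the example and are not data from the report.

```python
"""Turn this report's flattened IoC rows into host checks (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Rows copied from the report's signature tables, one per line. The 64-character
# sample name is shortened to SAMPLE.exe; the regexes accept any *.exe name.
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" SAMPLE.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" SAMPLE.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" SAMPLE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SAMPLE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SAMPLE.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" SAMPLE.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc SAMPLE.exe
PID 4852 wrote to memory of 792 4852 SAMPLE.exe 75
PID 4852 wrote to memory of 800 4852 SAMPLE.exe 74
PID 4852 wrote to memory of 380 4852 SAMPLE.exe 9
PID 4852 wrote to memory of 2528 4852 SAMPLE.exe 42
PID 4852 wrote to memory of 2572 4852 SAMPLE.exe 40
PID 4852 wrote to memory of 2668 4852 SAMPLE.exe 16
PID 4852 wrote to memory of 3284 4852 SAMPLE.exe 24
PID 4852 wrote to memory of 3616 4852 SAMPLE.exe 22
PID 4852 wrote to memory of 3812 4852 SAMPLE.exe 21
PID 4852 wrote to memory of 3920 4852 SAMPLE.exe 18
PID 4852 wrote to memory of 3988 4852 SAMPLE.exe 19
PID 4852 wrote to memory of 4068 4852 SAMPLE.exe 20
PID 4852 wrote to memory of 3880 4852 SAMPLE.exe 26
PID 4852 wrote to memory of 2152 4852 SAMPLE.exe 71
PID 4852 wrote to memory of 3200 4852 SAMPLE.exe 76
PID 4852 wrote to memory of 792 4852 SAMPLE.exe 75
"""

class RegIoc(NamedTuple):
    hive_path: str  # reg.exe form, e.g. HKLM\SOFTWARE\...
    name: str       # value name
    value: str      # data the sample wrote, as shown in the row
    kind: str       # type shown in the row, e.g. int

REG_SET = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+?\.exe)')
MEM_WRITE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+?\.exe) (\d+)')

def normalise_key(raw: str) -> str:
    """Kernel path -> reg.exe path. The sandbox records the concrete control set
    (ControlSet001); a live host is queried through the CurrentControlSet link,
    which may point at a different ControlSetNNN."""
    key = raw.replace(r'\REGISTRY\MACHINE', 'HKLM').replace(r'\REGISTRY\USER', 'HKU')
    return re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', key)

def parse_registry_iocs(text: str) -> List[RegIoc]:
    iocs = []
    for kind, key, value, _proc in REG_SET.findall(text):
        path, _, name = normalise_key(key).rpartition('\\')
        iocs.append(RegIoc(path, name, value, kind))
    return iocs

def injection_fanout(text: str) -> Dict[int, List[int]]:
    """Distinct target PIDs per writing PID; the repeated rows collapse."""
    targets = defaultdict(set)
    for src, dst, _proc, _idx in MEM_WRITE.findall(text):
        targets[int(src)].add(int(dst))
    return {src: sorted(dsts) for src, dsts in targets.items()}

# Windows' own default for this value is 0, so a match proves nothing by itself.
UNWEIGHTED = {'DoNotAllowExceptions'}

def _host_value(snapshot: Dict[str, Dict[str, str]], ioc: RegIoc) -> Optional[str]:
    # The sample is 32-bit (arch:x86 tag, WOW6432Node paths); on a 32-bit host
    # the same writes land in the unredirected Security Center key.
    for key in (ioc.hive_path, ioc.hive_path.replace(r'\WOW6432Node', '')):
        data = snapshot.get(key, {}).get(ioc.name)
        if data is not None:
            return data
    return None

def evaluate(snapshot: Dict[str, Dict[str, str]], iocs: List[RegIoc]):
    """Return (matching IoCs, score). snapshot maps a reg.exe key path to
    {value name: data as string}, e.g. built from `reg query` output."""
    hits = [i for i in iocs if _host_value(snapshot, i) == i.value]
    return hits, sum(1 for h in hits if h.name not in UNWEIGHTED)

def reg_query_commands(iocs: List[RegIoc]) -> List[str]:
    return [f'reg query "{i.hive_path}" /v {i.name}' for i in iocs]

# Constructed snapshots for the example (not data from the report).
_FW = r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
_POL = r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
CLEAN_HOST = {
    _FW: {'EnableFirewall': '1', 'DoNotAllowExceptions': '0', 'DisableNotifications': '0'},
    _POL: {'EnableLUA': '1'},
}
INFECTED_32BIT_HOST = {
    _FW: {'EnableFirewall': '0', 'DoNotAllowExceptions': '0', 'DisableNotifications': '1'},
    _POL: {'EnableLUA': '0'},
    r'HKLM\SOFTWARE\Microsoft\Security Center': {'AntiVirusOverride': '1', 'FirewallOverride': '1'},
}

if __name__ == '__main__':
    iocs = parse_registry_iocs(REPORT_IOCS)
    print('\n'.join(reg_query_commands(iocs)))
    print(evaluate(INFECTED_32BIT_HOST, iocs)[1], injection_fanout(REPORT_IOCS))
```

Two caveats the score encodes: DoNotAllowExceptions = 0 is the Windows default, so the sandbox's hit on that value says nothing about a host on its own, and the Security Center values should be looked for both under WOW6432Node (what the x64 sandbox saw from this x86 sample) and under the unredirected key (what a 32-bit host would show). The fan-out function reduces the 64 rows to the 15 distinct targets, which is the number worth alerting on: one unprivileged image writing into every other process in the session.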
Processes
One process per line: PID, image path, recorded command line. The indented entry is nested under Explorer.EXE in the report's process tree.
PID 380   C:\Windows\system32\dwm.exe   cmd: "dwm.exe"
PID 2668  C:\Windows\system32\taskhostw.exe   cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3920  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3988  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4068  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3812  C:\Windows\system32\DllHost.exe   cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3616  C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3284  C:\Windows\Explorer.EXE   cmd: C:\Windows\Explorer.EXE
    PID 4852  C:\Users\Admin\AppData\Local\Temp\0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe   cmd: "C:\Users\Admin\AppData\Local\Temp\0687cd0cce318a55aa8486c3aef8ae063ad74d9414f1ece6a1c411da79ad7613.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
PID 3880  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2572  C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2528  C:\Windows\system32\sihost.exe   cmd: sihost.exe
PID 2152  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 800   C:\Windows\system32\fontdrvhost.exe   cmd: "fontdrvhost.exe"
PID 792   C:\Windows\system32\fontdrvhost.exe   cmd: "fontdrvhost.exe"
PID 3200  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
- Create or Modify System Process (T1543) 1: Windows Service (T1543.003) 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
- Impair Defenses (T1562) 3: Disable or Modify Tools (T1562.001) 3
- Modify Registry (T1112) 5
Downloads
Filesize: 97KB
MD5: 9d5e62d96f7ab9c6925486b83e7b634c
SHA1: 66597faea9c89992220a3d8ac16f2be9475d3eb8
SHA256: 883f87c0065f8c7fc9e137a22a5f0268d5ef16b2dabbce346cee3d149fe0b08b
SHA512: b1a3dd83c467f1a4829782ea3dc123837a91bb83988007761a1fccd7835957aef68e0ad3164b82bc4b1ce3241ab3ddb80b3b259e1ee5c76376154fcf7acff50d