Analysis
- max time kernel: 122s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/02/2024, 20:16

Static task: static1
Behavioral task: behavioral1
- Sample: acc104b0d02c136dd53cde28c62925f2.exe
- Resource: win7-20240220-en
General
- Target: acc104b0d02c136dd53cde28c62925f2.exe
- Size: 100KB
- MD5: acc104b0d02c136dd53cde28c62925f2
- SHA1: 1037b9926f072deb1f5b1b79bcd3660694ed56a2
- SHA256: d6bdc655e8ac85d60704d336f8deb777bfb7c893da8a810ccce0aed1e888d0b9
- SHA512: d3c531945ca49da98ecd24ef151553f08cdf4f747fdaf30a8f6636ed7abfc96bb53fcd1bcde5f83b558600741d4d46e7176a8b20101d57a7561299cf0e5c4a2a
- SSDEEP: 3072:NGfhrEC5n4N2G1CRNDEpcR+doE4B9NYH:N0hrEC54N2G1CLDE+IdoE43CH
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | acc104b0d02c136dd53cde28c62925f2.exe
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acc104b0d02c136dd53cde28c62925f2.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
-
resource | yara_rule
behavioral2/memory/2252-4-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-3-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-5-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-8-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-11-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-12-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-13-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-14-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-15-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-16-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-17-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-18-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-19-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-20-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-22-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-23-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-24-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-26-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-28-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-29-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-32-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-34-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-36-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-38-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-40-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-45-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-47-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-48-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-49-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-50-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-51-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-53-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-56-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-57-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-59-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-61-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-63-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-65-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2252-67-0x0000000002330000-0x00000000033BE000-memory.dmp | upx
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | acc104b0d02c136dd53cde28c62925f2.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acc104b0d02c136dd53cde28c62925f2.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\J: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\P: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\U: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\W: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\Z: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\L: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\O: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\R: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\S: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\T: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\E: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\K: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\M: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\X: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\Y: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\H: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\I: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\N: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\Q: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\V: | acc104b0d02c136dd53cde28c62925f2.exe
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\autorun.inf | acc104b0d02c136dd53cde28c62925f2.exe
-
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | acc104b0d02c136dd53cde28c62925f2.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | acc104b0d02c136dd53cde28c62925f2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | acc104b0d02c136dd53cde28c62925f2.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2252 wrote to memory of 808 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 85
PID 2252 wrote to memory of 816 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 84
PID 2252 wrote to memory of 376 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 9
PID 2252 wrote to memory of 2416 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 57
PID 2252 wrote to memory of 2424 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 56
PID 2252 wrote to memory of 2584 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 51
PID 2252 wrote to memory of 3376 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 44
PID 2252 wrote to memory of 3596 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 42
PID 2252 wrote to memory of 3792 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 41
PID 2252 wrote to memory of 3912 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 40
PID 2252 wrote to memory of 3984 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 15
PID 2252 wrote to memory of 4088 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 39
PID 2252 wrote to memory of 4272 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 38
PID 2252 wrote to memory of 4576 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 36
PID 2252 wrote to memory of 4984 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 16
PID 2252 wrote to memory of 4716 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 20
PID 2252 wrote to memory of 2860 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 19
PID 2252 wrote to memory of 3136 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 18
PID 2252 wrote to memory of 808 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 85
PID 2252 wrote to memory of 816 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 84
PID 2252 wrote to memory of 376 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 9
PID 2252 wrote to memory of 2416 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 57
PID 2252 wrote to memory of 2424 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 56
PID 2252 wrote to memory of 2584 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 51
PID 2252 wrote to memory of 3376 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 44
PID 2252 wrote to memory of 3596 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 42
PID 2252 wrote to memory of 3792 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 41
PID 2252 wrote to memory of 3912 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 40
PID 2252 wrote to memory of 3984 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 15
PID 2252 wrote to memory of 4088 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 39
PID 2252 wrote to memory of 4272 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 38
PID 2252 wrote to memory of 4576 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 36
PID 2252 wrote to memory of 4984 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 16
PID 2252 wrote to memory of 4716 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 20
PID 2252 wrote to memory of 2860 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 19
PID 2252 wrote to memory of 3136 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 18
PID 2252 wrote to memory of 4284 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 87
PID 2252 wrote to memory of 3012 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 88
PID 2252 wrote to memory of 3808 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 89
PID 2252 wrote to memory of 808 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 85
PID 2252 wrote to memory of 816 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 84
PID 2252 wrote to memory of 376 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 9
PID 2252 wrote to memory of 2416 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 57
PID 2252 wrote to memory of 2424 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 56
PID 2252 wrote to memory of 2584 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 51
PID 2252 wrote to memory of 3376 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 44
PID 2252 wrote to memory of 3596 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 42
PID 2252 wrote to memory of 3792 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 41
PID 2252 wrote to memory of 3912 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 40
PID 2252 wrote to memory of 3984 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 15
PID 2252 wrote to memory of 4088 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 39
PID 2252 wrote to memory of 4272 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 38
PID 2252 wrote to memory of 4576 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 36
PID 2252 wrote to memory of 4984 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 16
PID 2252 wrote to memory of 4716 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 20
PID 2252 wrote to memory of 2860 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 19
PID 2252 wrote to memory of 3136 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 18
PID 2252 wrote to memory of 3808 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 89
PID 2252 wrote to memory of 3608 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 91
PID 2252 wrote to memory of 808 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 85
PID 2252 wrote to memory of 816 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 84
PID 2252 wrote to memory of 376 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 9
PID 2252 wrote to memory of 2416 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 57
PID 2252 wrote to memory of 2424 | 2252 | acc104b0d02c136dd53cde28c62925f2.exe | 56
-
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Processes
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 376
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3984
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4984
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 3136
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 2860
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  PID: 4716
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4576
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4272
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4088
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3912
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3792
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3596
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3376
  - C:\Users\Admin\AppData\Local\Temp\acc104b0d02c136dd53cde28c62925f2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\acc104b0d02c136dd53cde28c62925f2.exe"
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2252
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2584
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2424
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2416
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 816
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 808
- C:\Windows\system32\BackgroundTaskHost.exe
  Command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  PID: 4284
- C:\Windows\System32\wuapihost.exe
  Command line: C:\Windows\System32\wuapihost.exe -Embedding
  PID: 3012
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3808
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3608
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3068
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 3248
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 100KB
  MD5: 785b0de922b44cfd0024179eb28c6cc1
  SHA1: a66fc34f1fa7c946a4da86c16efbff8c0cdcdffb
  SHA256: 5ccb5d808ed526a86fe45a704e329b06718a3a35a46039c50bedb1982b38720b
  SHA512: 25e77dfae8e14bb1e248ff15f89e66df6d975343277d476b49070efdc30a1a738e737cb66c1f6bda915d5f0fc2b4ff871c36e2a0d49b40a451d7a954aabb6637