Analysis
max time kernel: 158s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2024, 20:37
Static task: static1
Behavioral task: behavioral1
Sample: 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Resource: win7-20240221-en
General
Target: 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Size: 2.1MB
MD5: 7159b56159cb1e12a07b4341719ac689
SHA1: 21f3d0d30784fd6ab6e964f213894fb8f268b3e6
SHA256: 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e
SHA512: e6a0a450f435aa3395aa8fcda5174902f0fbbf48b034b8c1da7f49268d72753c4f6ea8e93a93eb1df4aa0b6d34fa0952c922c0b470b01f4e3b791f581841e641
SSDEEP: 24576:Y0QuuAo+kX8ADPTw7UAJ8nnSEO5c2Fg6Abasb79:VQ+ojX8A3wP8nnSvx0
Malware Config
Extracted family: sality
URLs from the extracted config:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
UAC bypass (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Windows security bypass (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
UPX packed file (yara rule: upx, 13 IoCs)
resource | yara_rule
behavioral2/memory/5024-1-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-3-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-5-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-9-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-10-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-16-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-17-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-18-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-19-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-20-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-21-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-29-0x0000000002790000-0x000000000384A000-memory.dmp | upx
behavioral2/memory/5024-50-0x0000000002790000-0x000000000384A000-memory.dmp | upx
Windows security modification (7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Checks whether UAC is enabled (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
File created | C:\Windows\e579143 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe (2 identical entries)
3516 | msedge.exe (2 identical entries)
4736 | msedge.exe (2 identical entries)
1260 | identity_helper.exe (2 identical entries)
1496 | msedge.exe (4 identical entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid | Process
4736 | msedge.exe (10 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe (64 identical entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process
4736 | msedge.exe (25 identical entries)
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
4736 | msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 5024 wrote to memory of 780 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 4
PID 5024 wrote to memory of 788 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 79
PID 5024 wrote to memory of 316 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 5
PID 5024 wrote to memory of 2416 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 32
PID 5024 wrote to memory of 2440 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 29
PID 5024 wrote to memory of 2524 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 21
PID 5024 wrote to memory of 3296 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 37
PID 5024 wrote to memory of 3532 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 43
PID 5024 wrote to memory of 3764 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 46
PID 5024 wrote to memory of 3852 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 45
PID 5024 wrote to memory of 3960 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 44
PID 5024 wrote to memory of 4044 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 69
PID 5024 wrote to memory of 3356 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 68
PID 5024 wrote to memory of 5116 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 66
PID 5024 wrote to memory of 4692 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 55
PID 5024 wrote to memory of 400 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 64
PID 5024 wrote to memory of 2800 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 65
PID 5024 wrote to memory of 3760 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 85
PID 5024 wrote to memory of 1760 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 87
PID 5024 wrote to memory of 4736 | 5024 | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe | 88 (2 identical entries)
PID 4736 wrote to memory of 4560 | 4736 | msedge.exe | 89 (2 identical entries)
PID 4736 wrote to memory of 4388 | 4736 | msedge.exe | 90 (40 identical entries)
PID 4736 wrote to memory of 3516 | 4736 | msedge.exe | 92
System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
Processes
Process tree; [N] is the depth in the tree, and child processes are indented under their parent.

[1] PID 780  C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
[1] PID 316  C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"
[1] PID 2524  C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] PID 2440  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] PID 2416  C:\Windows\system32\sihost.exe
    cmd: sihost.exe
[1] PID 3296  C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
    [2] PID 5024  C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe"
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        [3] PID 4736  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://suggest.se.360.cn/sedoctor?ctype=se&cversion=
            signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
            [4] PID 4560  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa603946f8,0x7ffa60394708,0x7ffa60394718
            [4] PID 4388  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
            [4] PID 2912  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
            [4] PID 3516  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
                signatures: Suspicious behavior: EnumeratesProcesses
            [4] PID 1688  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
            [4] PID 1492  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
            [4] PID 4288  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
            [4] PID 1260  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
                signatures: Suspicious behavior: EnumeratesProcesses
            [4] PID 2000  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
            [4] PID 1816  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
            [4] PID 5024  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
            [4] PID 1484  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
            [4] PID 4056  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
            [4] PID 2800  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
            [4] PID 1344  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
            [4] PID 4176  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
            [4] PID 1496  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14775895229076529455,11511671409735631810,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6108 /prefetch:2
                signatures: Suspicious behavior: EnumeratesProcesses
[1] PID 3532  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] PID 3960  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 3852  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 3764  C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] PID 4692  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] PID 400  C:\Windows\system32\backgroundTaskHost.exe
    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
[1] PID 2800  C:\Windows\system32\backgroundTaskHost.exe
    cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
[1] PID 5116  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 3356  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 4044  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] PID 788  C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
[1] PID 3760  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 1760  C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 3336  C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] PID 4552  C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (T1548), 1 match
        Bypass User Account Control (T1548.002), 1 match
    Create or Modify System Process (T1543), 1 match
        Windows Service (T1543.003), 1 match
Downloads