Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 00:31
Static task: static1
Behavioral task: behavioral1
Sample: ad3e354c17e6be495f9830bb8f37b582.exe
Resource: win7-20240221-en
General
Target: ad3e354c17e6be495f9830bb8f37b582.exe
Size: 116KB
MD5: ad3e354c17e6be495f9830bb8f37b582
SHA1: 25436edb7618d26fd62b4a04b3e684fe107595e5
SHA256: 797a03028fb5f9ea40e28ab3c54931c29ffeb604d4f2c50878351876cc382647
SHA512: 9a5c904f7bcc9c9c3d983ed6eb72146bdedd709dd2a36a8859346c11ec51cb64c9a946482367392c5ca085a6c7ed801f6a2e15ca2bcc6ce29976c14115eedd4e
SSDEEP: 3072:JMxXB31BcWgPlyq9iJ/lXx76Md2W1VUaXc:qxx3ckqcTd2GVUr
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
pid | Process
3320 | ad3e354c17e6be495f9830bb8f37b582.exe
UPX packed file
resource | yara_rule
behavioral2/memory/3708-2-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-5-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-7-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-9-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-13-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-14-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-15-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-16-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-17-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-18-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-19-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3708-26-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3708 set thread context of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 set thread context of 0 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe |
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | ad3e354c17e6be495f9830bb8f37b582.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3708 | ad3e354c17e6be495f9830bb8f37b582.exe
3708 | ad3e354c17e6be495f9830bb8f37b582.exe
3320 | ad3e354c17e6be495f9830bb8f37b582.exe
3320 | ad3e354c17e6be495f9830bb8f37b582.exe
3320 | ad3e354c17e6be495f9830bb8f37b582.exe
3320 | ad3e354c17e6be495f9830bb8f37b582.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3708 | ad3e354c17e6be495f9830bb8f37b582.exe
Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target
PID 3708 wrote to memory of 776 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 5
PID 3708 wrote to memory of 784 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 22
PID 3708 wrote to memory of 1012 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 9
PID 3708 wrote to memory of 2628 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 64
PID 3708 wrote to memory of 2676 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 63
PID 3708 wrote to memory of 2816 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 61
PID 3708 wrote to memory of 3504 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 55
PID 3708 wrote to memory of 3660 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 54
PID 3708 wrote to memory of 3856 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 53
PID 3708 wrote to memory of 3948 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 52
PID 3708 wrote to memory of 4012 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 27
PID 3708 wrote to memory of 4092 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 51
PID 3708 wrote to memory of 3432 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 50
PID 3708 wrote to memory of 1644 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 48
PID 3708 wrote to memory of 4428 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 37
PID 3708 wrote to memory of 2848 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 31
PID 3708 wrote to memory of 2428 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 30
PID 3708 wrote to memory of 1324 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 29
PID 3708 wrote to memory of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 wrote to memory of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 wrote to memory of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 wrote to memory of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 wrote to memory of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 wrote to memory of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 wrote to memory of 3320 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe | 90
PID 3708 wrote to memory of 0 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe |
PID 3708 wrote to memory of 0 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe |
PID 3708 wrote to memory of 0 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe |
PID 3708 wrote to memory of 0 | 3708 | ad3e354c17e6be495f9830bb8f37b582.exe |
PID 3320 wrote to memory of 3504 | 3320 | ad3e354c17e6be495f9830bb8f37b582.exe | 55
PID 3320 wrote to memory of 3504 | 3320 | ad3e354c17e6be495f9830bb8f37b582.exe | 55
PID 3320 wrote to memory of 3504 | 3320 | ad3e354c17e6be495f9830bb8f37b582.exe | 55
PID 3320 wrote to memory of 3504 | 3320 | ad3e354c17e6be495f9830bb8f37b582.exe | 55
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Processes
Process tree (children indented under their parent): path | command line | PID
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1012
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4012
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:1324
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2428
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca | PID:2848
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4428
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1644
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3432
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4092
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3948
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3856
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3660
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3504
    C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe | "C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe" | PID:3708
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
        C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe | "C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe" | PID:3320
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2816
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2676
C:\Windows\system32\sihost.exe | sihost.exe | PID:2628
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
- Create or Modify System Process (1)
    - Windows Service (1)
Downloads
Filesize: 116KB
MD5: ad3e354c17e6be495f9830bb8f37b582
SHA1: 25436edb7618d26fd62b4a04b3e684fe107595e5
SHA256: 797a03028fb5f9ea40e28ab3c54931c29ffeb604d4f2c50878351876cc382647
SHA512: 9a5c904f7bcc9c9c3d983ed6eb72146bdedd709dd2a36a8859346c11ec51cb64c9a946482367392c5ca085a6c7ed801f6a2e15ca2bcc6ce29976c14115eedd4e