Analysis

max time kernel: 122s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 05:41
submitted
29/02/2024, 05:41
Static task
static1
Behavioral task
behavioral1
Sample
add36b5b21f775d2ea11c57c78fe7947.exe
Resource
win7-20240221-en
General

Target: add36b5b21f775d2ea11c57c78fe7947.exe
Size: 96KB
MD5: add36b5b21f775d2ea11c57c78fe7947
SHA1: 3ec05dfe7a3fdc01c17f74aac6daf39116eab6ef
SHA256: 6dec06440131cf4c255ee5e482aca9ad4d913576091502fac8ab5b038887a281
SHA512: 3e0f7eb44c7139f56914297cf2bb6a51b326b8953a0a4a8623ad694c8914036b1ff74ff5712306fa060cd91a23966868b6bce7a312dee76d77f57fa1c49f4aa8
SSDEEP: 3072:dYNKSA4HhT+Tg3H1ysg8HZDUX8RAgtwxwmJ:dYNVAm+Tg3VIr8OwwimJ
Malware Config

Extracted
  Family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
    http://www.klkjwre9fqwieluoi.info/
    http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Note: ControlSet001 is simply the control set that CurrentControlSet resolved to inside the VM; on a live host check HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile. EnableFirewall = 0 switches the standard-profile firewall off and DisableNotifications = 1 suppresses the "program blocked" prompt, so nothing is shown to the user. DoNotAllowExceptions = 0 is already the default value and is only re-asserted here.

UAC bypass (1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Note: writing this value needs an already-elevated token (the sandbox runs the sample as Admin). It does not defeat a UAC prompt in this session; it disables UAC for every user from the next boot onward.

Windows security bypass (6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Note: the WOW6432Node path shows the sample ran as a 32-bit process, so its writes to HKLM\SOFTWARE\Microsoft\Security Center were redirected into the 32-bit registry view. When verifying on a live 64-bit host, query both HKLM\SOFTWARE\Microsoft\Security Center and HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center.

Yara rule match: upx (36 IoCs)
  behavioral2/memory/2328-<n>-0x0000000002180000-0x000000000320E000-memory.dmp for n in 1, 3, 4, 5, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 24, 25, 27, 29, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 58, 60, 62, 64, 66
  (the same 0x108E000-byte region of PID 2328, dumped at 36 points during the run)

Windows security modification (7 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [add36b5b21f775d2ea11c57c78fe7947.exe]

Checks whether UAC is enabled (1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [add36b5b21f775d2ea11c57c78fe7947.exe]
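The registry writes above are the part of this report a responder has to act on. The Python below is an added example, not part of the sandbox report or of any vendor's tooling: it parses the report's own "Set value (int) <key>\<name> = "<v>" <process>" IoC lines (copied verbatim, one per line), dedupes the writes the report repeats across signatures, converts the NT key path to the PowerShell drive form (ControlSet001 to CurrentControlSet, WOW6432Node recorded as a 32-bit-view write), compares each write with the out-of-the-box value, and emits a Get-ItemProperty one-liner to re-check that value on a suspect host. The baseline table of default values and control names is the author's own assumption about a stock Windows 10 host, not data from the report.

```python
"""Triage the registry writes a sandbox report attributes to a sample.

Added example; not part of the sandbox report or any vendor tool. The IoC
lines are copied from the report; BASELINE is the author's own assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Report IoC lines, one per line (the report prints them run together).
# EnableLUA is repeated because the report lists it under three signatures.
REPORT_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" add36b5b21f775d2ea11c57c78fe7947.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" add36b5b21f775d2ea11c57c78fe7947.exe
""".strip().splitlines()

IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)

# Assumed out-of-the-box value and the control each value governs, keyed by
# the lower-cased native-view (64-bit, CurrentControlSet) key path.
FW = r"hklm:\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile"
UAC = r"hklm:\software\microsoft\windows\currentversion\policies\system"
SC = r"hklm:\software\microsoft\security center"
BASELINE = {
    FW + r"\enablefirewall": (1, "Windows Firewall, standard profile"),
    FW + r"\donotallowexceptions": (0, "firewall 'block all incoming connections' switch"),
    FW + r"\disablenotifications": (0, "firewall 'program blocked' notifications"),
    UAC + r"\enablelua": (1, "User Account Control (applies at next boot)"),
    SC + r"\antivirusoverride": (0, "Security Center antivirus monitoring"),
    SC + r"\antivirusdisablenotify": (0, "Security Center antivirus alerts"),
    SC + r"\firewalloverride": (0, "Security Center firewall monitoring"),
    SC + r"\firewalldisablenotify": (0, "Security Center firewall alerts"),
    SC + r"\updatesdisablenotify": (0, "Security Center Windows Update alerts"),
    SC + r"\uacdisablenotify": (0, "Security Center UAC alerts"),
}


@dataclass
class Finding:
    path: str              # key as written, in PowerShell drive form
    name: str
    written: int
    default: Optional[int]
    control: str
    wow64: bool            # write landed in the 32-bit (WOW6432Node) view
    process: str

    @property
    def weakened(self) -> bool:
        return self.default is not None and self.written != self.default

    def recheck(self) -> str:
        """PowerShell one-liner to confirm the value on a suspect live host."""
        return (f"Get-ItemProperty -Path '{self.path}' -Name '{self.name}' "
                f"| Select-Object -ExpandProperty '{self.name}'")


def normalize(nt_key: str) -> Tuple[str, str, bool]:
    """NT key path -> (PowerShell path, native-view path, wow64 flag).

    ControlSet001 is whatever CurrentControlSet pointed at inside the VM;
    WOW6432Node is where a 32-bit process's HKLM\\SOFTWARE writes land.
    """
    ps = nt_key.replace(r"\REGISTRY\MACHINE", "HKLM:").replace(r"\REGISTRY\USER", "HKU:")
    ps = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", ps)
    wow64 = "\\WOW6432Node\\" in ps
    return ps, ps.replace("\\WOW6432Node", ""), wow64


def assess(lines) -> List[Finding]:
    """Parse 'Set value (int)' IoC lines, dedupe them, grade against BASELINE."""
    findings, seen = [], set()
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m or m["type"] != "int":
            continue
        key, name = m["path"].rsplit("\\", 1)
        ps, native, wow64 = normalize(key)
        ident = f"{native}\\{name}".lower()
        if ident in seen:      # the report repeats writes across signatures
            continue
        seen.add(ident)
        default, control = BASELINE.get(ident, (None, "not in baseline"))
        findings.append(Finding(ps, name, int(m["value"]), default, control, wow64, m["proc"]))
    return findings


if __name__ == "__main__":
    for f in assess(REPORT_LINES):
        state = "WEAKENED" if f.weakened else "default "
        view = " (32-bit view)" if f.wow64 else ""
        print(f"{state}  {f.name}={f.written}{view}  {f.control}")
        print(f"          {f.recheck()}")
```

Run as-is it reports nine weakened controls and one no-op (DoNotAllowExceptions = 0 is already the default); every Security Center entry is flagged as a 32-bit-view write, which is why the emitted re-check commands keep the WOW6432Node path rather than the native one.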
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:  [add36b5b21f775d2ea11c57c78fe7947.exe]
  (every letter from E: to Z: except F:, which is the volume written to below)
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification C:\autorun.inf  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification F:\autorun.inf  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Note: F: is the one letter missing from the read-only drive enumeration above, i.e. the mounted removable volume; an autorun.inf in the root of every writable volume is the classic Sality spread path. AutoRun for non-optical removable media has been off by default since Windows 7, so on current hosts the file is mainly useful as an IoC.

Drops file in Program Files directory (11 IoCs)
  File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Note: these are existing executables opened for write, not new files. Sality is a polymorphic PE file infector, so every binary on this list should be treated as infected and replaced from a known-good source rather than trusted after an in-place clean.

Drops file in Windows directory (1 IoC)
  File opened for modification C:\Windows\SYSTEM.INI  [add36b5b21f775d2ea11c57c78fe7947.exe]
  Note: Sality keeps its own data in system.ini; collect the file itself, not just the fact of the write.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings  [add36b5b21f775d2ea11c57c78fe7947.exe]
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 2328 add36b5b21f775d2ea11c57c78fe7947.exe (all 24 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  PID 2328 add36b5b21f775d2ea11c57c78fe7947.exe (all 64 entries are the same request)
  Note: SeDebugPrivilege is what lets the sample open system and other-session processes for the WriteProcessMemory calls below. It is only present in an elevated token, which is consistent with the HKLM writes above succeeding.
Suspicious use of WriteProcessMemory (64 IoCs)
  Source: PID 2328 add36b5b21f775d2ea11c57c78fe7947.exe. The 64 entries are repeated sweeps over the same targets (the report appears to cap the list at 64); PIDs 2472 and 772, two RuntimeBroker instances started after the first sweep, appear from the second sweep onward. Target image names are taken from the process list below; "idx" is the report's own process index (procid_target).

  target PID  idx  image
  376         8    C:\Windows\system32\dwm.exe
  772         90   C:\Windows\System32\RuntimeBroker.exe -Embedding
  800         13   C:\Windows\system32\fontdrvhost.exe
  804         12   C:\Windows\system32\fontdrvhost.exe
  1556        32   C:\Windows\system32\backgroundTaskHost.exe
  2432        40   C:\Windows\System32\RuntimeBroker.exe -Embedding
  2472        89   C:\Windows\System32\RuntimeBroker.exe -Embedding
  2548        68   C:\Windows\system32\sihost.exe
  2576        67   C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  2704        65   C:\Windows\system32\taskhostw.exe
  2848        33   C:\Windows\system32\backgroundTaskHost.exe
  3180        31   C:\Windows\system32\backgroundTaskHost.exe
  3448        26   C:\Windows\Explorer.EXE
  3656        56   C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  3748        53   C:\Windows\System32\RuntimeBroker.exe -Embedding
  3856        29   C:\Windows\system32\DllHost.exe
  3940        28   C:\Windows\SystemApps\...\StartMenuExperienceHost.exe
  4004        27   C:\Windows\System32\RuntimeBroker.exe -Embedding
  4088        55   C:\Windows\SystemApps\...\SearchApp.exe
  4472        41   C:\Windows\SystemApps\...\TextInputHost.exe

  Note: every target is a process in the interactive session, shell and session-infrastructure processes included. Sality injects into whatever it can open, so a memory triage of this host cannot stop at the sample's own process.
System policy modification (1 TTPs, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [add36b5b21f775d2ea11c57c78fe7947.exe]
Processes

PID 376   C:\Windows\system32\dwm.exe  "dwm.exe"
PID 804   C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"
PID 800   C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"
PID 3448  C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  PID 2328  C:\Users\Admin\AppData\Local\Temp\add36b5b21f775d2ea11c57c78fe7947.exe  "C:\Users\Admin\AppData\Local\Temp\add36b5b21f775d2ea11c57c78fe7947.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
PID 4004  C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3940  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3856  C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3180  C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 1556  C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 2848  C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
PID 2432  C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4472  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 3748  C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4088  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3656  C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 2704  C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 2576  C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2548  C:\Windows\system32\sihost.exe  sihost.exe
PID 2472  C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 772   C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 3
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 5
Downloads

Filesize: 96KB
MD5: 369579ebc7d27bf5bc3b3f1d6e9ac311
SHA1: 6a9195c33239b8c7d7890674552615e5bcbafde2
SHA256: 98fd4cc0cb40630ac0016f65ce63e53653fda14806176e0a0af726c6f7227ec5
SHA512: 61fb55698745e97a0f7a98100034cacf2dfb581a292a233d3851dc18ca1fa99e1f26e1c9f3b07dd56e84dd2dad92dd18689f56c760ddfa35071d4f9cfb1d3c09
(a 96 KB artefact whose hashes differ from the submitted sample's; the report does not name it)