Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240319-en locale:en-us os:windows10-2004-x64 system
- submitted: 31-03-2024 14:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
- Resource: win7-20240221-en
General
- Target: 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
- Size: 11.5MB
- MD5: 28888bd9ca38693de7a63b68b49ea57e
- SHA1: 33386637a11a825a77d38336f6435199d460b1f4
- SHA256: 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a
- SHA512: 9f6ff1be7bc3e164c2a975213d77bc6bf5f2db35246758bf9c9eb7b40241b0d096e4e32c329abc4adba1eba8da20e9d1b8711ed9803b454aee8386bce57a9962
- SSDEEP: 196608:vwwmggPmkzg3h4kwDy9cWWfIqw2XRJ2NFEzvwr3RDjRJQLY1vaWoA7fxFgRg8y:vjqx0R9kyTWfnwkRINmTyFjILcvabArL
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Disables RegEdit via registry modification 1 IoCs
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  netsh.exe
  pid | process
  1464 | netsh.exe
Executes dropped EXE 1 IoCs
Processes:
  invcol.exe
  pid | process
  3028 | invcol.exe
Loads dropped DLL 6 IoCs
Processes:
  invcol.exe
  pid | process
  3028 | invcol.exe (6 identical rows)
Processes:
  resource | yara_rule
  behavioral2/memory/2860-1-0x0000000002420000-0x0000000003453000-memory.dmp | upx
  behavioral2/memory/2860-27-0x0000000002420000-0x0000000003453000-memory.dmp | upx
  behavioral2/memory/2860-163-0x0000000002420000-0x0000000003453000-memory.dmp | upx
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Drops file in Windows directory 1 IoCs
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  pid | process
  2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | pid | process
  Token: SeDebugPrivilege | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe (64 identical rows)
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | pid | process | target process
  PID 2860 wrote to memory of 1464 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | netsh.exe
  PID 2860 wrote to memory of 1464 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | netsh.exe
  PID 2860 wrote to memory of 1464 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | netsh.exe
  PID 2860 wrote to memory of 804 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | fontdrvhost.exe
  PID 2860 wrote to memory of 800 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | fontdrvhost.exe
  PID 2860 wrote to memory of 384 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | dwm.exe
  PID 2860 wrote to memory of 2660 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | sihost.exe
  PID 2860 wrote to memory of 2684 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | svchost.exe
  PID 2860 wrote to memory of 2900 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | taskhostw.exe
  PID 2860 wrote to memory of 3348 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | Explorer.EXE
  PID 2860 wrote to memory of 3564 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | svchost.exe
  PID 2860 wrote to memory of 3752 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | DllHost.exe
  PID 2860 wrote to memory of 3880 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | StartMenuExperienceHost.exe
  PID 2860 wrote to memory of 3976 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | RuntimeBroker.exe
  PID 2860 wrote to memory of 4064 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | SearchApp.exe
  PID 2860 wrote to memory of 4112 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | RuntimeBroker.exe
  PID 2860 wrote to memory of 4460 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | RuntimeBroker.exe
  PID 2860 wrote to memory of 3056 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | TextInputHost.exe
  PID 2860 wrote to memory of 1244 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | msedge.exe
  PID 2860 wrote to memory of 4788 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | msedge.exe
  PID 2860 wrote to memory of 1084 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | msedge.exe
  PID 2860 wrote to memory of 2232 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | msedge.exe
  PID 2860 wrote to memory of 4820 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | msedge.exe
  PID 2860 wrote to memory of 4228 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | msedge.exe
  PID 2860 wrote to memory of 4568 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | msedge.exe
  PID 2860 wrote to memory of 2732 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | backgroundTaskHost.exe
  PID 2860 wrote to memory of 2320 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | backgroundTaskHost.exe
  PID 2860 wrote to memory of 4868 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | backgroundTaskHost.exe
  PID 2860 wrote to memory of 216 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | BackgroundTaskHost.exe
  PID 2860 wrote to memory of 4844 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | Conhost.exe
  PID 2860 wrote to memory of 5024 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | RuntimeBroker.exe
  PID 2860 wrote to memory of 1464 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | netsh.exe
  PID 2860 wrote to memory of 1464 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | netsh.exe
  PID 2860 wrote to memory of 3028 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | invcol.exe
  PID 2860 wrote to memory of 3028 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | invcol.exe
  PID 2860 wrote to memory of 3028 | 2860 | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe | invcol.exe
System policy modification 1 TTPs 1 IoCs
Processes:
  188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Processes (tree; nesting shows parent/child)
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe"
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode disable
      - Modifies Windows Firewall
    - C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\invcol.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\.\invcol.exe -bdir="C:\Users\Admin\AppData\Local\Temp"
      - Executes dropped EXE
      - Loads dropped DLL
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff9adf35fd8,0x7ff9adf35fe4,0x7ff9adf35ff0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2252 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3212 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3360 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5536 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5544 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\BackgroundTaskHost.exe
  Command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0E576E69_Rar\188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
  Filesize: 11.4MB
  MD5: ada55ba90caddd5608f8cff24fa1aebf
  SHA1: ab4fb117391cfc7c237b83b002467cc9d2bd9861
  SHA256: c11c47c3d653e28834639981838fd0bb633851eb71f2c5b740cfcf11ba8add3c
  SHA512: d9ef070f916b7723bd150bee8b630a5869dbd4d300fb488138cdf6f9063a78d92e294bb53f49294c8adb059f0da382f7e5de4f5802a146df3bc678e3841b0007
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\ICConfig_user.xml
  Filesize: 5KB
  MD5: 43b8b7358adedb0c648341e3793525f2
  SHA1: 66f1a7c386834d9b2d541e49f293a9982dd4e837
  SHA256: 5c80c1ee6233cdffd0ba077d124162ca2ddb8524d0fb7891ac7ef099c082ea3b
  SHA512: 22a1bc5f845132814a7b0e57b93d8e00832ad455475c5adb484a27d0b6c67ac30ef57bf3b427cd38bdaf86a6ddf273140bc9e0301a3145dcfca086b362b64f85
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\IMAGE\DrvCfg32.ini
  Filesize: 499B
  MD5: 4228bbca64f8930e731f86a04c315a97
  SHA1: 832e5c640c186f23097012a05029435d9e334bc7
  SHA256: 1bc14f6aae8579e18446fad5fca50568dc2ebbbda16f7bc9fee78e6f85d5eb71
  SHA512: ea2646c663c84bf8c30d8b215e991991cc2033a3cc117bac343275b59525b3f222c4b1471606f74affa00d59d633c659f62778e2d41a8cdf6b48941e6e64703f
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\Thunderbolt_Reg\Executables\DRVUpdate.exe
  Filesize: 376KB
  MD5: 149c2c52887c6977e446e6850b3664a4
  SHA1: d8412451dc43276beb33fb98e272420faa14096e
  SHA256: 834031bfd5cb81c33f453ee26d35f4d57544098f223b6bee5ec8e5f2927b4756
  SHA512: bcb45848ef0f2776ca1103c05222dd8d76d2518d40a80b7576214e16f015023ef58a6bd90a9e746b2c13ed62bb0f8bbeb76daeb31d05c477b614b2203e493656
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\Thunderbolt_Reg\RLtek_Ethernate\RegForceInventory.xml
  Filesize: 128KB
  MD5: 30aa7e953010b6b40f5cb83f6aff782e
  SHA1: 5ec0f4e8c60db66567983c858bd9b2780158b881
  SHA256: 95fdc46b7b1f57f0546304f9816894a6caf5fb767b7dd0aff2889cdc79f97ee0
  SHA512: f58676f8f517da6aba2b02da014fd4b5c6e66d646c9635783e7f4af9d65e9c37e3ce7f86e87f11bef53c8d03a5938c732f3b777b7109f7177062049e1b0e8c9c
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\Thunderbolt_Reg\RLtek_USB_Driver_WOW\DrvCfg32.ini
  Filesize: 1KB
  MD5: 9512cb4a8245bea4322f8bc680ac0dc3
  SHA1: 7ed23dc741ca0328562629f782e6456372f1c04b
  SHA256: 9141964056b46365da57f704104eea7d222741b3438d567c7f1b7569e0c0534c
  SHA512: aae4d6e8c6edb14b774e348fec4e5fa3a3790e747c8526fc313efe34d7c2607779ff81785aca2640a60a7e308ec398a3035adac6488d66946b3e06fdaeddbdf4
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\dsupt32.dll
  Filesize: 701KB
  MD5: daff72a6f9ead46c5d4a6f098b9de957
  SHA1: 0588095631d10727a780c99089da975317891d4a
  SHA256: 7bb19abe5a3cbda2fd3832f711b960761af79d7e1845a3533864df51c30ba241
  SHA512: 950953335dda9759429806425449a9540c6dc11f88abf104227f8da97f8d8d30b2a96430a426829fad9c1654630f6c96dbf6487c49f3e36f9ade0fe2ab669dff
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\icsvc32.dll
  Filesize: 1.1MB
  MD5: fd2d1ffd075c2e4014287d7be6144b02
  SHA1: 37128eab6cc55f834eaf64eb95308e3cff73323b
  SHA256: 513ce4c09b4454e98fce4575cffcee7707298450cabe3b6fa76496dbdb82097d
  SHA512: bdf2a881f393bf678d0b285e429ed2edeec8eb8901f5549d71ab350b693782f48352b355573293fa5fd96179f95e7db607c76d586d32773882905eb35e34ecf9
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\invcol.exe
  Filesize: 40KB
  MD5: f292f713153bec1c8fc47d528b107ad7
  SHA1: d967cdacfe26dfdcf8f144218a9b9e2ed3d48624
  SHA256: 5bf0af9992ed358073d8a8e89c81b313f9c4ee7fec93245e2a9923a02e8e25c0
  SHA512: 37399aae2ec9f523fbb5a9f1010c77f3ee34ac69a9d00be56544d75377f2ce93dce78f319756b92e7f1a701faa9315ecbd9e37f8ceee4c13f66fbf42a43cbeaf
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\msvcp140.dll
  Filesize: 436KB
  MD5: 37dcbba718886e5c24703b1268ce10b9
  SHA1: 441738a1ea802c266cb0a84789ace62e40010335
  SHA256: 968bbd2a36b04cc5795c6fc99afe85e4d294ff9c28032ce0e870463827181799
  SHA512: 00ab4cfe4b5bb989f2931cc8928982819a99df027b118c731957fc84c58cc8d636687ff39cf90dac313e3fe7c7738a4899fba98ebab5b6ed4cbfa372b0eb2561
- C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\vcruntime140.dll
  Filesize: 88KB
  MD5: 81b11024a8ed0c9adfd5fbf6916b133c
  SHA1: c87f446d9655ba2f6fddd33014c75dc783941c33
  SHA256: eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829
  SHA512: e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1
- memory/1464-172-0x0000000002220000-0x0000000002221000-memory.dmp
  Filesize: 4KB
- memory/1464-400-0x00000000021C0000-0x00000000021C2000-memory.dmp
  Filesize: 8KB
- memory/1464-194-0x00000000021C0000-0x00000000021C2000-memory.dmp
  Filesize: 8KB
- memory/2860-136-0x0000000003CD0000-0x0000000003CD1000-memory.dmp
  Filesize: 4KB
- memory/2860-163-0x0000000002420000-0x0000000003453000-memory.dmp
  Filesize: 16.2MB
- memory/2860-171-0x0000000003A80000-0x0000000003A82000-memory.dmp
  Filesize: 8KB
- memory/2860-0-0x0000000000400000-0x000000000048C000-memory.dmp
  Filesize: 560KB
- memory/2860-131-0x0000000003A80000-0x0000000003A82000-memory.dmp
  Filesize: 8KB
- memory/2860-27-0x0000000002420000-0x0000000003453000-memory.dmp
  Filesize: 16.2MB
- memory/2860-392-0x0000000003A80000-0x0000000003A82000-memory.dmp
  Filesize: 8KB
- memory/2860-399-0x0000000000400000-0x000000000048C000-memory.dmp
  Filesize: 560KB
- memory/2860-1-0x0000000002420000-0x0000000003453000-memory.dmp
  Filesize: 16.2MB
- memory/3028-271-0x0000000000900000-0x0000000000A1E000-memory.dmp
  Filesize: 1.1MB