Analysis

max time kernel: 61s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 20:40
Static task: static1
Behavioral task: behavioral1
Sample: f33bed5ddf8fb85d982445d29a1176a6.exe
Resource: win7-20240221-en
General

Target: f33bed5ddf8fb85d982445d29a1176a6.exe
Size: 292KB
MD5: f33bed5ddf8fb85d982445d29a1176a6
SHA1: 03f75d8f8bfac2551c28fa47db70dcc4df1da5d9
SHA256: bd58456c628edc0a7b30f03ef173b6df45b57f268455fcb8cf8c7ffc96a25dce
SHA512: b01d8aa157405be0bf65746cd6e6c1da7413801f614d9244e0cde5cc0ffa384c275af17e549a458d66d8e68e08c6d51cc330112d224530572db72bd47094822c
SSDEEP: 6144:0vEF2U+T6i5LirrllHy4HUcMQY65dgykIduVr/GASXETS:mEFN+T5xYrllrU7QY65LkIo6A9S
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
  [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
  The default Shell value is the bare explorer.exe; Winlogon runs every entry of a comma-separated list, so the appended second entry starts the dropped copy at each logon.

Modifies firewall policy service (2 TTPs, 6 IoCs)
  [f33bed5ddf8fb85d982445d29a1176a6.exe] Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\{EnableFirewall = "0", DoNotAllowExceptions = "0", DisableNotifications = "1"}
  [svchost.exe] Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\{EnableFirewall = "0", DoNotAllowExceptions = "0", DisableNotifications = "1"}

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  [explorer.exe] Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  [svchost.exe] Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

UAC bypass (2 IoCs; heading as listed in the per-process signature list below)
  [f33bed5ddf8fb85d982445d29a1176a6.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  [svchost.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (12 IoCs; heading as listed in the per-process signature list below)
  [f33bed5ddf8fb85d982445d29a1176a6.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\{UacDisableNotify, AntiVirusDisableNotify, FirewallDisableNotify, FirewallOverride, UpdatesDisableNotify, AntiVirusOverride} = "1"
  [svchost.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\{AntiVirusOverride, AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify, FirewallOverride, UacDisableNotify} = "1"

Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
  [explorer.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
  [svchost.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
  [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
  [svchost.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  Neither component ID is a well-formed GUID (the letters beyond a-f in Y479C6D0-OTRW and F146C9B1-VMVQ are not hex), and the StubPath points into the user profile; both are easy hunt criteria.

Deletes itself (1 IoC)
  [PID 1488] svchost.exe

Executes dropped EXE (4 IoCs)
  [PID 904] explorer.exe
  [PID 4720] spoolsv.exe
  [PID 1488] svchost.exe
  [PID 2196] spoolsv.exe
UPX-packed memory regions (yara rule: upx; 33 IoCs; heading absent from the extracted page, rule name from the yara_rule column)
  behavioral2/memory/2760-{1,4,5,6,11,12,13,14,16,26,30,34,36,40,61}-0x0000000002C80000-0x0000000003D0E000-memory.dmp (15 dumps of PID 2760, f33bed5ddf8fb85d982445d29a1176a6.exe)
  behavioral2/memory/1488-{85,87,88,93,94,95,96,97,98,99,100,101,102,103,105,106,107,152}-0x0000000003ED0000-0x0000000004F5E000-memory.dmp (18 dumps of PID 1488, svchost.exe)
  Both ranges are the same size (0x108E000 bytes), consistent with the dropped svchost.exe unpacking the same payload as the original sample.

Windows security modification (14 IoCs; heading as listed in the per-process signature list below)
  [f33bed5ddf8fb85d982445d29a1176a6.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\{AntiVirusDisableNotify, UacDisableNotify, FirewallDisableNotify, FirewallOverride, UpdatesDisableNotify, AntiVirusOverride} = "1"
  [f33bed5ddf8fb85d982445d29a1176a6.exe] Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  [svchost.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\{UacDisableNotify, AntiVirusDisableNotify, FirewallOverride, AntiVirusOverride, FirewallDisableNotify, UpdatesDisableNotify} = "1"
  [svchost.exe] Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Adds Run key to start application (2 TTPs, 4 IoCs)
  [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
  [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"

Checks whether UAC is enabled (2 IoCs; heading as listed in the per-process signature list below)
  [f33bed5ddf8fb85d982445d29a1176a6.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  [svchost.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Enumerates connected drives (3 TTPs, 7 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  [f33bed5ddf8fb85d982445d29a1176a6.exe] File opened (read-only) \??\E:
  [svchost.exe] File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:

Drops file in Windows directory (6 IoCs)
  [f33bed5ddf8fb85d982445d29a1176a6.exe] File opened for modification C:\Windows\SYSTEM.INI
  [f33bed5ddf8fb85d982445d29a1176a6.exe] File opened for modification \??\c:\windows\system\explorer.exe
  [explorer.exe] File opened for modification \??\c:\windows\system\explorer.exe
  [explorer.exe] File opened for modification \??\c:\windows\system\spoolsv.exe
  [spoolsv.exe] File opened for modification \??\c:\windows\system\svchost.exe
  [svchost.exe] File opened for modification \??\c:\windows\system\svchost.exe
  The copies use OS binary names but live in c:\windows\system\, not in C:\Windows (explorer.exe) or C:\Windows\System32 (spoolsv.exe, svchost.exe) where the genuine files are; the full path is the discriminator.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  [PID 2760] f33bed5ddf8fb85d982445d29a1176a6.exe, [PID 904] explorer.exe, [PID 1488] svchost.exe (64 observations in total, all from these three processes)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  [PID 904] explorer.exe
  [PID 1488] svchost.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, [PID 2760] f33bed5ddf8fb85d982445d29a1176a6.exe (all 64 entries are this one process enabling SeDebugPrivilege)

Suspicious use of SetWindowsHookEx (12 IoCs)
  [PID 2760] f33bed5ddf8fb85d982445d29a1176a6.exe (x2), [PID 904] explorer.exe (x2), [PID 4720] spoolsv.exe (x2), [PID 1488] svchost.exe (x2), [PID 2196] spoolsv.exe (x2), [PID 904] explorer.exe (x2)

Suspicious use of WriteProcessMemory (64 IoCs)
  writer -> target PID (procid_target) [number of records]
  [PID 2760] f33bed5ddf8fb85d982445d29a1176a6.exe ->
    776 (9), 784 (10), 1004 (13), 2472 (43), 2480 (44), 2612 (47), 3512 (57), 3720 (58), 3932 (59), 4052 (60), 1436 (61), 2368 (62), 4168 (63), 2376 (65), 1360 (75), 2884 (82), 4992 (85) [2 each]
    2692 (86) [1]
    904 (87) [5], 4720 (88) [2]
  [PID 904] explorer.exe -> 4720 (88) [3]
  [PID 4720] spoolsv.exe -> 1488 (89) [3]
  [PID 1488] svchost.exe ->
    2196 (91) [3], 4484 (93) [3]
    776 (9), 784 (10), 1004 (13), 2472 (43), 2480 (44), 2612 (47), 3512 (57), 3720 (58), 3932 (59), 4052 (60) [1 each]

System policy modification (1 TTP, 2 IoCs)
  [f33bed5ddf8fb85d982445d29a1176a6.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  [svchost.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
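The registry writes in the Signatures section are the detection surface this sample leaves on a host. The Python below is an added example by the editor, not part of the sandbox report: it parses lines in the exact "Set value (type) \REGISTRY\... = "data" process" format used above and maps each write to a behaviour and an ATT&CK technique. The technique IDs are the editor's mapping, not the sandbox's. The sample input is seven lines copied from this report plus two constructed benign control lines (a Run entry named VendorAgent under Program Files, and EnableLUA = "1") that must not fire; TRUSTED_DIRS is an assumed allow-list for autorun targets.

```python
import re
from typing import NamedTuple, Optional

# Line format used in the Signatures section above:
#   Set value (type) \REGISTRY\<hive>\<key path>\<value name> = "<data>" <process>
IOC_RE = re.compile(
    r'^Set value \((?P<vtype>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# A genuine Active Setup component ID is a hex GUID; the two in this report are not.
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$')
# Assumed, coarse allow-list for autorun targets (tune per fleet). c:\windows\system\
# is deliberately absent: it is where this sample drops its copies.
TRUSTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
                'c:\\program files\\', 'c:\\program files (x86)\\')

# Constructed sample: seven lines copied from the report, then two benign control
# lines (assumed, not from the report) that must not fire.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" svchost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = "C:\\Program Files\\Vendor\\agent.exe --service" setup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" setup.exe
"""


class Finding(NamedTuple):
    process: str
    behaviour: str
    technique: str
    key: str
    name: str
    data: str


def normalize_key(path: str) -> str:
    r"""Lower-case, map \REGISTRY\MACHINE -> hklm and \REGISTRY\USER -> hku, and fold
    WOW6432Node so 32-bit and 64-bit writes land on the same logical key."""
    p = path.lower()
    for prefix, hive in (('\\registry\\machine\\', 'hklm\\'), ('\\registry\\user\\', 'hku\\')):
        if p.startswith(prefix):
            p = hive + p[len(prefix):]
            break
    return p.replace('\\wow6432node\\', '\\')


def binary_dir(cmdline: str) -> str:
    r"""Directory of the .exe in an autorun command line such as 'c:\x\y.exe RO'."""
    exe = cmdline.split('.exe', 1)[0] + '.exe'
    return exe.rsplit('\\', 1)[0] + '\\'


def detect(key: str, name: str, data: str) -> Optional[tuple[str, str]]:
    """Return (behaviour, ATT&CK technique) when a write matches a rule, else None."""
    v = data.replace('\\\\', '\\').lower()  # the report escapes backslashes as \\
    if key.endswith('\\windows nt\\currentversion\\winlogon') and name == 'shell':
        if v.strip() != 'explorer.exe':  # default is the bare explorer.exe; a list adds a shell
            return ('Winlogon Shell runs an extra binary', 'T1547.004')
    if '\\firewallpolicy\\' in key and (name, v) in {
            ('enablefirewall', '0'), ('donotallowexceptions', '0'), ('disablenotifications', '1')}:
        return ('Windows Firewall policy weakened', 'T1562.004')
    if name == 'showsuperhidden' and v == '0':
        return ('Protected OS files re-hidden in Explorer', 'T1564.001')
    if key.endswith('\\policies\\system') and name == 'enablelua' and v == '0':
        return ('UAC disabled (EnableLUA=0)', 'T1548.002')
    if (key.endswith('\\microsoft\\security center') and v == '1'
            and name.endswith(('override', 'disablenotify'))):
        return ('Security Center alerting suppressed', 'T1562.001')
    if '\\active setup\\installed components\\' in key and name == 'stubpath':
        component = key.rsplit('\\', 1)[1]
        if '\\appdata\\' in v or not GUID_RE.match(component):
            return ('Active Setup StubPath in user profile or with malformed GUID', 'T1547.014')
    if key.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
        if not binary_dir(v).startswith(TRUSTED_DIRS):
            return ('Run/RunOnce target outside trusted directories', 'T1547.001')
    return None


def parse_ioc(line: str) -> Optional[tuple[str, str, str, str]]:
    """Split one report line into (process, normalized key, value name, data)."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    key, _, name = normalize_key(m['path']).rpartition('\\')
    return m['proc'], key, name, m['data']


def analyze(text: str) -> list[Finding]:
    """Run every rule over every parsable line; lines that match no rule are dropped."""
    findings = []
    for line in text.splitlines():
        parsed = parse_ioc(line)
        if parsed is None:
            continue
        proc, key, name, data = parsed
        hit = detect(key, name, data)
        if hit:
            findings.append(Finding(proc, hit[0], hit[1], key, name, data))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_IOCS):
        print(f'{f.technique}  {f.process:<14} {f.behaviour}  ({f.name} = {f.data})')
```

The same predicates in detect() translate directly to registry-audit or Sysmon Event ID 13 hunting on a live fleet. Two tuning notes: the Winlogon rule fires on any Shell value other than the bare explorer.exe, so a legitimately customised shell needs an exception, and the Run/RunOnce rule is only as good as the allow-list, which is why the dropped c:\windows\system\ copies are caught but an unusual but legitimate vendor path would be too.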
Processes

image | command line | PID (indentation follows the sandbox's parent/child nesting)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 1004
C:\Windows\system32\sihost.exe | sihost.exe | PID 2472
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2480
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2612
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3512
    C:\Users\Admin\AppData\Local\Temp\f33bed5ddf8fb85d982445d29a1176a6.exe | "C:\Users\Admin\AppData\Local\Temp\f33bed5ddf8fb85d982445d29a1176a6.exe" | PID 2760
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID 904
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID 4720
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe | PID 1488
                    - Modifies WinLogon for persistence
                    - Modifies firewall policy service
                    - Modifies visibility of hidden/system files in Explorer
                    - UAC bypass
                    - Windows security bypass
                    - Modifies Installed Components in the registry
                    - Deletes itself
                    - Executes dropped EXE
                    - Windows security modification
                    - Adds Run key to start application
                    - Checks whether UAC is enabled
                    - Enumerates connected drives
                    - Drops file in Windows directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    - System policy modification
                    \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR | PID 2196
                        - Executes dropped EXE
                        - Suspicious use of SetWindowsHookEx
                    C:\Windows\SysWOW64\at.exe | at 20:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID 4484
                    C:\Windows\SysWOW64\at.exe | at 20:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID 5096
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3720
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3932
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 4052
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1436
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 2368
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4168
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2376
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 1360
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2884
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4992
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2692
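Read together, the WriteProcessMemory IoCs and the process tree show why this sample reads as an injector rather than a plain dropper: PID 2760 and PID 1488 write into processes they never spawned (fontdrvhost, dwm, sihost, Explorer, RuntimeBroker and the rest of the user session), while the writes from explorer.exe (904) and spoolsv.exe (4720) go only into their own children. The Python below is an added example by the editor, not sandbox output. It transcribes the process tree and the deduplicated (writer, target) pairs from this report and separates writes into a process's own descendants from writes into unrelated processes. The parent of PID 2760 is taken to be Explorer.EXE (PID 3512) from the tree's nesting, which is an inference from the layout; the depth-1 system processes have no parent shown and are recorded with None.

```python
from collections import defaultdict

# pid -> (parent pid, image), transcribed from the Processes section. Depth-1
# system processes have no parent in the report, so their parent is None. The
# sample (2760) is nested under Explorer.EXE (3512), read here as its parent.
PROCESSES = {
    776: (None, 'fontdrvhost.exe'), 784: (None, 'fontdrvhost.exe'),
    1004: (None, 'dwm.exe'), 2472: (None, 'sihost.exe'),
    2480: (None, 'svchost.exe'), 2612: (None, 'taskhostw.exe'),
    3512: (None, 'Explorer.EXE'),
    2760: (3512, 'f33bed5ddf8fb85d982445d29a1176a6.exe'),
    904: (2760, 'explorer.exe'), 4720: (904, 'spoolsv.exe'),
    1488: (4720, 'svchost.exe'), 2196: (1488, 'spoolsv.exe'),
    4484: (1488, 'at.exe'), 5096: (1488, 'at.exe'),
    3720: (None, 'svchost.exe'), 3932: (None, 'DllHost.exe'),
    4052: (None, 'StartMenuExperienceHost.exe'), 1436: (None, 'RuntimeBroker.exe'),
    2368: (None, 'SearchApp.exe'), 4168: (None, 'RuntimeBroker.exe'),
    2376: (None, 'RuntimeBroker.exe'), 1360: (None, 'TextInputHost.exe'),
    2884: (None, 'backgroundTaskHost.exe'), 4992: (None, 'RuntimeBroker.exe'),
    2692: (None, 'RuntimeBroker.exe'),
}

# (writer pid, target pid), deduplicated from the WriteProcessMemory IoCs above.
WRITES = (
    [(2760, t) for t in (776, 784, 1004, 2472, 2480, 2612, 3512, 3720, 3932, 4052,
                         1436, 2368, 4168, 2376, 1360, 2884, 4992, 2692, 904, 4720)]
    + [(904, 4720), (4720, 1488)]
    + [(1488, t) for t in (2196, 4484, 776, 784, 1004, 2472, 2480, 2612,
                           3512, 3720, 3932, 4052)]
)


def is_descendant(pid, ancestor, procs=PROCESSES):
    """True when `ancestor` appears anywhere on the parent chain of `pid`."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        pid = procs.get(pid, (None, None))[0]
        if pid == ancestor:
            return True
    return False


def classify_writes(writes=WRITES, procs=PROCESSES):
    """Per writer: targets it (transitively) spawned vs. processes it did not."""
    out = defaultdict(lambda: {'descendant': set(), 'unrelated': set()})
    for src, dst in writes:
        bucket = 'descendant' if is_descendant(dst, src, procs) else 'unrelated'
        out[src][bucket].add(dst)
    return dict(out)


def injectors(min_unrelated=3, writes=WRITES, procs=PROCESSES):
    """Writers that touched at least `min_unrelated` processes they never spawned,
    mapped to the sorted target image names. A parent that only writes into its
    own children (common for loaders) never appears here."""
    hits = {}
    for src, groups in classify_writes(writes, procs).items():
        if len(groups['unrelated']) >= min_unrelated:
            hits[src] = sorted(procs.get(t, (None, '?'))[1] for t in groups['unrelated'])
    return hits


if __name__ == '__main__':
    for src, names in injectors().items():
        print(f'PID {src} {PROCESSES[src][1]} wrote into {len(names)} unrelated processes: {names}')
```

Parent-to-child writes on their own are weak evidence, since CreateProcess-based loaders do exactly that; the signal here is breadth, with 2760 touching 18 distinct unrelated processes and 1488 another 10, which is why the threshold defaults to 3 rather than 1. On a live host the same split can be computed from Sysmon Event ID 8 or 10 plus the process-creation tree.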
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (9)
Downloads

Filesize: 292KB
MD5: c137e4c2d459bc1192922b35e6ee9751
SHA1: 79bbd1443bd5dd4e9ff9d75cde12437812878e27
SHA256: 18568ac0b3bd785e4aaab77321750e67f54a1fe276cf316ca2fb6c9c3086e572
SHA512: fa2b8bf83df2001b3fc7a6d5f5b0d16db75203f69cfe7a04955dcd2312ddc6b378f71ee56197f6c8915096ac6e794985a2820ae94e9c594b45e6f127a788ac33

Filesize: 257B
MD5: 0ca39a737d1ec7349199d0868d4b3fb8
SHA1: 6f336bf7a62c59f69030d854a8de864de6ed4104
SHA256: 43cfb0e38911cf001786e26197edee185f65586cd8d2e890d3a6dbbe2fcff75b
SHA512: 26de73358da9b2c4339c08860e384f30c22486b9af283153d4ab4ae8089f0e21c8d9a55c70d297a6ad354e0a540159f0f9685d44557069202d3170e0a088fe12

Filesize: 292KB
MD5: d24da6e55029c1cd1f4767ee85c8895c
SHA1: 8ef85b0a8a83a34f0e9339eaef55fd92f4749209
SHA256: 39c0c0da916eed4f65ec690ec3d9e7eb9e956e61ce23c458eb02d29d975e61e9
SHA512: dc27fb41f0469150f4d0253e5c8399ea5f50160af3434e5ef9e681f902d79ec4cce670c57d632abdbe1b676e8a501522567c90b627ebfab98cb59298fdf5aa1d

Filesize: 292KB
MD5: f983cd14988992e3248f6a040b82c003
SHA1: d0630f8950482ced111e6b791f6983f764f90bb6
SHA256: 4a2daf8cc99e55577ba5771da328c89bb781ffe11a2c1028c7e76cdc08097d75
SHA512: 9c6b8bb1611d6cf844059519bdee4dd6dea44ff1937677a56a01b25c98c9c6f0109cd79eb35daecbddcc7e55e41d168c36881aeb0a32950ce74641ccf37248d9

Filesize: 100KB
MD5: a302b8bc888557d8587f740fa3c552f4
SHA1: 22f2c3c76fc2aec521646a818b1df2df8795f683
SHA256: 44eeb45c595a83f605ecfc1bb52fd07eed25b8c769610688e098089e7e90ff15
SHA512: bccf56a496a9bdf6231e56a95308df76d1aa940d8cf70ec6de848f2ab614f2ced58cb312707a183dfa2d7d2ae7f4a01b126984270bf74c79e304ed4c80ed8b10

Filesize: 292KB
MD5: 684aee1ca4d2c97144fc84b60157dc26
SHA1: d16a1211048bd8414306eed963804b24fa23aa75
SHA256: 44bb27d1af5353256c914cf9c07fafdd087680ffbe64ec1cf8413b69151719a1
SHA512: dec618d1467cc2ae354a0adc3daed97fb3a7fce2929605e037af2fc7d9024525a33b0b7caab13e4ab3ad6343ee4ebed9768e3c49cf49e4fecef7261b6adffbab