sality | 6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002325f-54.dat	acprotect

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2920-0-0x0000000000400000-0x0000000000778000-memory.dmp	upx
behavioral2/memory/2920-1-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-3-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-4-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-8-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-9-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-10-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-11-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-12-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-13-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-14-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-15-0x0000000000400000-0x0000000000778000-memory.dmp	upx
behavioral2/memory/2920-22-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-23-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-24-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-25-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-26-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-29-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-31-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-37-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-38-0x0000000000400000-0x0000000000778000-memory.dmp	upx
behavioral2/memory/2920-44-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-48-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/4560-58-0x0000000072F80000-0x000000007303A000-memory.dmp	upx
behavioral2/files/0x000700000002325f-54.dat	upx
behavioral2/memory/2920-67-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-87-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-93-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-101-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-103-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-105-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-107-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/4560-109-0x0000000072F80000-0x000000007303A000-memory.dmp	upx
behavioral2/memory/2920-110-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-112-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-114-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-117-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-119-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-122-0x0000000002660000-0x000000000371A000-memory.dmp	upx
behavioral2/memory/2920-124-0x0000000002660000-0x000000000371A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
File opened (read-only)	\??\G:	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\e57e5eb	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
File opened for modification	C:\Windows\SYSTEM.INI	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
Token: SeDebugPrivilege	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 792	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	9
PID 2920 wrote to memory of 796	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	10
PID 2920 wrote to memory of 316	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	13
PID 2920 wrote to memory of 2376	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	42
PID 2920 wrote to memory of 2404	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	43
PID 2920 wrote to memory of 2520	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	46
PID 2920 wrote to memory of 3156	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	57
PID 2920 wrote to memory of 3484	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	58
PID 2920 wrote to memory of 3692	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	59
PID 2920 wrote to memory of 3792	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	60
PID 2920 wrote to memory of 3928	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	61
PID 2920 wrote to memory of 4012	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	62
PID 2920 wrote to memory of 3864	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	63
PID 2920 wrote to memory of 4320	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	65
PID 2920 wrote to memory of 4976	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	76
PID 2920 wrote to memory of 2132	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	78
PID 2920 wrote to memory of 2352	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	79
PID 2920 wrote to memory of 4028	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	80
PID 2920 wrote to memory of 1828	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	81
PID 2920 wrote to memory of 4160	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	82
PID 2920 wrote to memory of 452	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	84
PID 2920 wrote to memory of 3336	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	85
PID 2920 wrote to memory of 792	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	9
PID 2920 wrote to memory of 796	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	10
PID 2920 wrote to memory of 316	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	13
PID 2920 wrote to memory of 2376	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	42
PID 2920 wrote to memory of 2404	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	43
PID 2920 wrote to memory of 2520	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	46
PID 2920 wrote to memory of 3156	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	57
PID 2920 wrote to memory of 3484	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	58
PID 2920 wrote to memory of 3692	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	59
PID 2920 wrote to memory of 3792	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	60
PID 2920 wrote to memory of 3928	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	61
PID 2920 wrote to memory of 4012	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	62
PID 2920 wrote to memory of 3864	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	63
PID 2920 wrote to memory of 4320	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	65
PID 2920 wrote to memory of 4976	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	76
PID 2920 wrote to memory of 2132	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	78
PID 2920 wrote to memory of 2352	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	79
PID 2920 wrote to memory of 4028	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	80
PID 2920 wrote to memory of 1828	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	81
PID 2920 wrote to memory of 4160	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	82
PID 2920 wrote to memory of 452	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	84
PID 2920 wrote to memory of 3336	2920	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe	85

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2404

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2520

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe
  "C:\Users\Admin\AppData\Local\Temp\6bbf7cfc33e88a075485839faf5141b6202b79ac1668b40a3a2cdd9e98c875df.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2920
- - C:\Users\Admin\Downloads\ToDesk_Setup.exe
    "C:\Users\Admin\Downloads\ToDesk_Setup.exe"
    3⤵
    PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4320

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ffdb24e2e98,0x7ffdb24e2ea4,0x7ffdb24e2eb0
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2268 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3228 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3336 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5396 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5524 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3836 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry