Analysis
max time kernel: 121s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 18:38
Static task: static1
Behavioral task: behavioral1
Sample: 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Resource: win7-20240221-en

General
Target: 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Size: 65KB
MD5: 0f739e39a63fdbb8f6ab5db33fc7841f
SHA1: e68bac07774b19db176d9f872a7b307d75ddb692
SHA256: 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76
SHA512: f6a7ee7b8f12818cf1ac8332aee343f866cddfb1846d32f5dd53c444f0fef883baa27d97f2ba25f6fcfcde008ee160b802db562ae30fbe374616577176f9ccb1
SSDEEP: 1536:LZ1DgNcx4995A/Xfw+sgUlBRS1GoklfcRtJ:bgmx4KYkU/RS1Ikl
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 39 IoCs
resource | yara_rule
behavioral2/memory/444-1-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-3-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-4-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-7-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-10-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-16-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-17-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-18-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-19-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-20-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-21-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-22-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-23-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-24-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-25-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-27-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-28-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-29-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-31-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-32-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-34-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-39-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-41-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-43-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-50-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-52-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-54-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-56-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-58-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-60-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-63-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-67-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-69-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-71-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-73-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-76-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/444-77-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
UPX dump on OEP (original entry point) 39 IoCs
resource | yara_rule
behavioral2/memory/444-1-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-3-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-4-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-7-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-10-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-16-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-17-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-18-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-19-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-20-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-21-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-22-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-23-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-24-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-25-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-27-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-28-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-29-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-31-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-32-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-34-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-39-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-41-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-43-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-50-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-52-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-54-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-56-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-58-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-60-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-63-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-67-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-69-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-71-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-73-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-76-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/444-77-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
resource | yara_rule
behavioral2/memory/444-1-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-3-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-4-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-7-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-10-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-16-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-17-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-18-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-19-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-20-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-21-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-22-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-23-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-24-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-25-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-27-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-28-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-29-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-31-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-32-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-34-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-39-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-41-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-43-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-50-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-52-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-54-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-56-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-58-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-60-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-63-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-67-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-69-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-71-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-73-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-76-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/444-77-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\L: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\R: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\Z: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\I: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\X: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\Y: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\T: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\J: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\N: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\O: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\S: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\V: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\G: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\H: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\M: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\P: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\Q: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\U: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\W: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened (read-only) | \??\E: | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | F:\autorun.inf | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e5736ee | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
File opened for modification | C:\Windows\SYSTEM.INI | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
(the row above is repeated 24 times in the report, once per observed event, all with pid 444 and the same process)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
(the row above is repeated 64 times in the report, once per observed event, all with Token: SeDebugPrivilege, pid 444 and the same process)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 444 wrote to memory of 768 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 8
PID 444 wrote to memory of 772 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 9
PID 444 wrote to memory of 316 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 13
PID 444 wrote to memory of 2720 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 45
PID 444 wrote to memory of 2732 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 46
PID 444 wrote to memory of 2936 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 52
PID 444 wrote to memory of 3524 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 56
PID 444 wrote to memory of 3692 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 57
PID 444 wrote to memory of 3848 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 58
PID 444 wrote to memory of 3940 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 59
PID 444 wrote to memory of 4004 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 60
PID 444 wrote to memory of 4092 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 61
PID 444 wrote to memory of 2856 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 62
PID 444 wrote to memory of 4052 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 73
PID 444 wrote to memory of 4404 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 74
PID 444 wrote to memory of 2052 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 78
PID 444 wrote to memory of 2296 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 79
PID 444 wrote to memory of 1876 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 80
PID 444 wrote to memory of 768 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 8
PID 444 wrote to memory of 772 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 9
PID 444 wrote to memory of 316 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 13
PID 444 wrote to memory of 2720 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 45
PID 444 wrote to memory of 2732 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 46
PID 444 wrote to memory of 2936 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 52
PID 444 wrote to memory of 3524 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 56
PID 444 wrote to memory of 3692 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 57
PID 444 wrote to memory of 3848 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 58
PID 444 wrote to memory of 3940 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 59
PID 444 wrote to memory of 4004 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 60
PID 444 wrote to memory of 4092 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 61
PID 444 wrote to memory of 2856 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 62
PID 444 wrote to memory of 4052 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 73
PID 444 wrote to memory of 4404 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 74
PID 444 wrote to memory of 2052 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 78
PID 444 wrote to memory of 2296 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 79
PID 444 wrote to memory of 1484 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 84
PID 444 wrote to memory of 4284 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 85
PID 444 wrote to memory of 768 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 8
PID 444 wrote to memory of 772 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 9
PID 444 wrote to memory of 316 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 13
PID 444 wrote to memory of 2720 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 45
PID 444 wrote to memory of 2732 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 46
PID 444 wrote to memory of 2936 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 52
PID 444 wrote to memory of 3524 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 56
PID 444 wrote to memory of 3692 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 57
PID 444 wrote to memory of 3848 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 58
PID 444 wrote to memory of 3940 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 59
PID 444 wrote to memory of 4004 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 60
PID 444 wrote to memory of 4092 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 61
PID 444 wrote to memory of 2856 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 62
PID 444 wrote to memory of 4052 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 73
PID 444 wrote to memory of 4404 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 74
PID 444 wrote to memory of 2052 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 78
PID 444 wrote to memory of 2296 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 79
PID 444 wrote to memory of 1484 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 84
PID 444 wrote to memory of 4284 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 85
PID 444 wrote to memory of 768 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 8
PID 444 wrote to memory of 772 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 9
PID 444 wrote to memory of 316 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 13
PID 444 wrote to memory of 2720 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 45
PID 444 wrote to memory of 2732 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 46
PID 444 wrote to memory of 2936 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 52
PID 444 wrote to memory of 3524 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 56
PID 444 wrote to memory of 3692 | 444 | 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe | 57
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe
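Writing EnableLUA = 0 under Policies\System switches off UAC Admin Approval Mode for every administrator on the host; the change takes effect at the next reboot, so the sandbox run itself never shows the weakened state. The Python below is an added example for this page, not sandbox output or code from the sample: it reads "Set value" lines in the report's own format, canonicalises the kernel-style \REGISTRY\MACHINE path (including the ControlSet001 and WOW6432Node variants) into the HKLM\...\CurrentControlSet form that Sysmon registry events and most detection rules key on, and compares each value against a baseline of security-control settings. The EnableLUA line is the one from this page; the other sample lines, the process name sample.exe, and the baseline table are constructed for the example.

```python
"""Check 'Set value' registry events (sandbox report format) against a
baseline of Windows security-control settings.

Added example for this report; not sandbox output or sample code."""
import re
from dataclasses import dataclass

# One event as the report prints it:
#   Set value (<type>) \REGISTRY\<hive>\<key path>\<value name> = "<data>" <process>
SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?)'
    r' = "(?P<data>[^"]*)" (?P<proc>\S+)\s*$'
)

# Security-control values and the setting a hardened host should carry.
# Keys are written in the canonical form produced by canonical() below.
_BASELINE_ROWS = [
    (r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
     'EnableLUA', '1', 'UAC Admin Approval Mode'),
    (r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile',
     'EnableFirewall', '1', 'Windows Firewall (standard profile)'),
    (r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile',
     'DisableNotifications', '0', 'Firewall block notifications'),
    (r'HKLM\SOFTWARE\Microsoft\Security Center',
     'AntiVirusOverride', '0', 'Security Center AV status override'),
    (r'HKLM\SOFTWARE\Microsoft\Security Center',
     'FirewallOverride', '0', 'Security Center firewall status override'),
    (r'HKLM\SOFTWARE\Microsoft\Security Center',
     'AntiVirusDisableNotify', '0', 'Security Center AV notifications'),
    (r'HKLM\SOFTWARE\Microsoft\Security Center',
     'FirewallDisableNotify', '0', 'Security Center firewall notifications'),
]
BASELINE = {(k.lower(), n.lower()): (v, desc) for k, n, v, desc in _BASELINE_ROWS}


def canonical(path: str) -> str:
    """Map the kernel-style path the sandbox prints to the HKLM / CurrentControlSet
    form that Sysmon registry events and most detection rules use."""
    p = re.sub(r'^\\REGISTRY\\MACHINE(?=\\|$)', 'HKLM', path, flags=re.I)
    p = re.sub(r'^\\REGISTRY\\USER(?=\\|$)', 'HKU', p, flags=re.I)
    # ControlSet001/002 are the concrete sets behind the CurrentControlSet link.
    p = re.sub(r'\\ControlSet\d{3}(?=\\|$)', r'\\CurrentControlSet', p, flags=re.I)
    # A 32-bit writer reaches the same logical key through the WOW6432Node
    # redirector (HKLM\SOFTWARE is redirected by default; Security Center is).
    p = re.sub(r'\\WOW6432Node(?=\\|$)', '', p, flags=re.I)
    return p


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    observed: str
    expected: str
    control: str
    process: str


def parse_set_value(line: str):
    """Return (canonical key, value name, data, process) or None for other lines."""
    m = SET_VALUE_RE.search(line)
    if m is None:
        return None
    return canonical(m['path']), m['name'], m['data'], m['proc']


def evaluate(lines):
    """Split parsed events into baseline violations and writes the baseline does not cover."""
    findings, unclassified = [], []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue
        key, name, data, proc = parsed
        rule = BASELINE.get((key.lower(), name.lower()))
        if rule is None:
            unclassified.append((key, name, data, proc))
        elif data != rule[0]:
            findings.append(Finding(key, name, data, rule[0], rule[1], proc))
    return findings, unclassified


SAMPLE_EVENTS = [
    # From this report's "System policy modification" signature.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe',
    # Constructed, same format: a 32-bit process writing through WOW6432Node.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sample.exe',
    # Constructed: a value the baseline does not cover (reported as unclassified).
    r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\ExampleApp\LastRun = "2024-04-17" sample.exe',
    # Constructed: a value that already matches the baseline (no finding).
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" sample.exe',
]

if __name__ == '__main__':
    found, other = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f'{f.process}: {f.control} disabled -> {f.key}\\{f.name} = {f.observed} (expected {f.expected})')
    for key, name, data, proc in other:
        print(f'{proc}: unclassified write {key}\\{name} = {data}')
```

The canonicalisation step is the part worth keeping: a rule written against the literal \REGISTRY\MACHINE\SYSTEM\ControlSet001\... string the sandbox prints will not fire on a host where the live set is ControlSet002, and a rule written for the 64-bit path misses the same value set by a 32-bit sample through WOW6432Node.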
Processes
PID 768   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 772   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 316   C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"
PID 2720  C:\Windows\system32\sihost.exe   cmdline: sihost.exe
PID 2732  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2936  C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3524  C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
    PID 444   C:\Users\Admin\AppData\Local\Temp\0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe   cmdline: "C:\Users\Admin\AppData\Local\Temp\0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
PID 3692  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3848  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3940  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4004  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4092  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 2856  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4052  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4404  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2052  C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
PID 2296  C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 1876  C:\Windows\system32\backgroundTaskHost.exe   cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 1484  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4284  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2336  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Indentation gives the tree depth: the sample (PID 444) is the only depth-2 entry and runs under Explorer.EXE (PID 3524); the other depth-1 entries are pre-existing session processes that appear in the tree because the sample wrote into their memory.
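Read together, the WriteProcessMemory list and the process tree show the pattern a detection should key on: a single process (PID 444, the sample) writing into every other process in the session, Explorer.EXE, dwm.exe, fontdrvhost.exe, the RuntimeBroker and backgroundTaskHost instances, and doing so in repeated passes. The Python below is an added example for this page, not sandbox output or code from the sample: it parses events in the report's own "PID X wrote to memory of Y" format, joins the target PIDs to the process tree, and flags a source that writes into many distinct Windows binaries, which separates this broad injection from the one-target write a process-hollowing loader makes into its own suspended child. The event text is rebuilt from the first pass listed on this page plus a constructed partial second pass; the threshold min_targets and the "under C:\Windows" test for system binaries are assumptions.

```python
"""Fan-out analysis of WriteProcessMemory events in a sandbox report.

Added example for this page; not sandbox output or sample code.  Events are
rebuilt from the report's own list; the threshold is an assumption."""
import re
from collections import Counter, defaultdict

# One event as the report prints it:
#   PID <src> wrote to memory of <dst> <src> <source image> <tree index>
WRITE_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)'
)

SAMPLE = '0e56066a38a0216bcd94ee96b36885a16134a196d512277da15987ebd05b6e76.exe'

# Process tree from this report: PID -> image path.
PROCESS_TREE = {
    768: r'C:\Windows\system32\fontdrvhost.exe',
    772: r'C:\Windows\system32\fontdrvhost.exe',
    316: r'C:\Windows\system32\dwm.exe',
    2720: r'C:\Windows\system32\sihost.exe',
    2732: r'C:\Windows\system32\svchost.exe',
    2936: r'C:\Windows\system32\taskhostw.exe',
    3524: r'C:\Windows\Explorer.EXE',
    444: r'C:\Users\Admin\AppData\Local\Temp\\' + SAMPLE,
    3692: r'C:\Windows\system32\svchost.exe',
    3848: r'C:\Windows\system32\DllHost.exe',
    3940: r'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe',
    4004: r'C:\Windows\System32\RuntimeBroker.exe',
    4092: r'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe',
    2856: r'C:\Windows\System32\RuntimeBroker.exe',
    4052: r'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe',
    4404: r'C:\Windows\System32\RuntimeBroker.exe',
    2052: r'C:\Windows\system32\backgroundTaskHost.exe',
    2296: r'C:\Windows\system32\backgroundTaskHost.exe',
    1876: r'C:\Windows\system32\backgroundTaskHost.exe',
    1484: r'C:\Windows\System32\RuntimeBroker.exe',
    4284: r'C:\Windows\System32\RuntimeBroker.exe',
    2336: r'C:\Windows\System32\RuntimeBroker.exe',
}

# (target PID, tree index) in the order of the first pass on this page, then a
# constructed partial second pass that repeats two targets and adds two more.
_PASS1 = [(768, 8), (772, 9), (316, 13), (2720, 45), (2732, 46), (2936, 52),
          (3524, 56), (3692, 57), (3848, 58), (3940, 59), (4004, 60), (4092, 61),
          (2856, 62), (4052, 73), (4404, 74), (2052, 78), (2296, 79), (1876, 80)]
_PASS2 = [(768, 8), (772, 9), (1484, 84), (4284, 85)]
SAMPLE_WRITE_EVENTS = ' '.join(
    f'PID 444 wrote to memory of {dst} 444 {SAMPLE} {idx}' for dst, idx in _PASS1 + _PASS2
)


def parse_write_events(text):
    """Return [(src_pid, dst_pid, src_image), ...] for every event in a report blob."""
    return [(int(m['src']), int(m['dst']), m['image']) for m in WRITE_RE.finditer(text)]


def is_system_image(path):
    """True for binaries under the Windows directory (assumed test for system processes)."""
    return path.lower().startswith('c:\\windows\\')


def summarize_injection(events, tree, min_targets=3):
    """Per source PID: distinct processes written into, how often the same target
    recurs (injection passes), and which Windows binaries were hit."""
    per_src = defaultdict(list)
    for src, dst, image in events:
        per_src[src].append((dst, image))
    summary = {}
    for src, hits in per_src.items():
        counts = Counter(dst for dst, _ in hits)
        targets = sorted(counts)
        system = sorted({tree[d] for d in targets if d in tree and is_system_image(tree[d])})
        summary[src] = {
            'image': hits[0][1],
            'events': len(hits),
            'distinct_targets': len(targets),
            'passes': max(counts.values()),
            'system_targets': system,
            'unknown_targets': [d for d in targets if d not in tree],
            # Broad fan-out into Windows binaries; a hollowing loader writing
            # into its single suspended child stays below the threshold.
            'flagged': len(targets) >= min_targets and bool(system),
        }
    return summary


if __name__ == '__main__':
    for src, s in summarize_injection(parse_write_events(SAMPLE_WRITE_EVENTS), PROCESS_TREE).items():
        print(f"PID {src} ({s['image']}): {s['events']} writes into {s['distinct_targets']} "
              f"processes over {s['passes']} passes, flagged={s['flagged']}")
        for img in s['system_targets']:
            print('   ', img)
```

The same grouping works on Sysmon Event ID 8 (CreateRemoteThread) or EDR cross-process write telemetry once the source/target PIDs are extracted; the report's procid_target index is just its own tree position and is not needed for the logic.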
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
- Create or Modify System Process (T1543) 1: Windows Service (T1543.003) 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
- Impair Defenses (T1562) 3: Disable or Modify Tools (T1562.001) 3
- Modify Registry (T1112) 5
Downloads
- Filesize: 97KB
  MD5: ec6db6e842e1f2e5eb63df52b788a70a
  SHA1: 3ff90971a88028a5e42a23bbc6c0b601a3647fd5
  SHA256: 5d69d9db806c270ac509e9016205a0001af88c51ecfe3593830c34135a5b4c30
  SHA512: b412934d27f5be6d3640ca29b13e525a3ad5df0c206de73a961207a68c4456466603e4d6f6bcf690bb44147e03e972104d02ba740bf92b7b7b4b1d193ebf8ced