Analysis
- max time kernel: 31s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 18:15
Static task: static1
Behavioral task: behavioral1
- Sample: 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
- Resource: win7-20240508-en
General
- Target: 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
- Size: 2.5MB
- MD5: 60df5c5241c16e6c9c822a27be92bb8e
- SHA1: 67f353b7cdccafa5252e5cf2b2c39bf2abf3f5d1
- SHA256: 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412
- SHA512: 19c19253644abf8db34134860b032d2f921d73093dcbc4e8643e866073d2d363352c1a3f80b6f432061d3fbf9b11b9b92f6d1f5d1e43c0ba97a41c99b4aec038
- SSDEEP: 49152:rSI0BLMg7iLR3r495uNIQKwpbwYCDIs7tubTJB59n30xHvBx:rvjt095uNIQKwtw5DIoq930xHv
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Un_A.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Un_A.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Un_A.exe
Executes dropped EXE 1 IoCs
pid | Process
3528 | Un_A.exe
Loads dropped DLL 1 IoCs
pid | Process
3528 | Un_A.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Un_A.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Un_A.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | Un_A.exe
File opened (read-only) | \??\G: | Un_A.exe
File opened (read-only) | \??\K: | Un_A.exe
File opened (read-only) | \??\I: | Un_A.exe
File opened (read-only) | \??\J: | Un_A.exe
File opened (read-only) | \??\L: | Un_A.exe
File opened (read-only) | \??\N: | Un_A.exe
File opened (read-only) | \??\E: | Un_A.exe
File opened (read-only) | \??\H: | Un_A.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | Un_A.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | Un_A.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | Un_A.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57418d | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
File opened for modification | C:\Windows\SYSTEM.INI | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
File created | C:\Windows\e576b5c | Un_A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
3528 | Un_A.exe
3528 | Un_A.exe
3528 | Un_A.exe
3528 | Un_A.exe
3528 | Un_A.exe
3528 | Un_A.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
(all 64 recorded entries are identical to the row above)
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3528 | Un_A.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4640 wrote to memory of 796 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 9
PID 4640 wrote to memory of 804 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 10
PID 4640 wrote to memory of 336 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 13
PID 4640 wrote to memory of 2640 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 44
PID 4640 wrote to memory of 2676 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 46
PID 4640 wrote to memory of 2844 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 51
PID 4640 wrote to memory of 3384 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 56
PID 4640 wrote to memory of 3532 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 57
PID 4640 wrote to memory of 3740 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 58
PID 4640 wrote to memory of 3828 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 59
PID 4640 wrote to memory of 3888 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 60
PID 4640 wrote to memory of 3976 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 61
PID 4640 wrote to memory of 2768 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 62
PID 4640 wrote to memory of 4684 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 74
PID 4640 wrote to memory of 4140 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 75
PID 4640 wrote to memory of 3748 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 79
PID 4640 wrote to memory of 4940 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 80
PID 4640 wrote to memory of 3528 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 82
PID 4640 wrote to memory of 3528 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 82
PID 4640 wrote to memory of 3528 | 4640 | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | 82
PID 3528 wrote to memory of 796 | 3528 | Un_A.exe | 9
PID 3528 wrote to memory of 804 | 3528 | Un_A.exe | 10
PID 3528 wrote to memory of 336 | 3528 | Un_A.exe | 13
PID 3528 wrote to memory of 2640 | 3528 | Un_A.exe | 44
PID 3528 wrote to memory of 2676 | 3528 | Un_A.exe | 46
PID 3528 wrote to memory of 2844 | 3528 | Un_A.exe | 51
PID 3528 wrote to memory of 3384 | 3528 | Un_A.exe | 56
PID 3528 wrote to memory of 3532 | 3528 | Un_A.exe | 57
PID 3528 wrote to memory of 3740 | 3528 | Un_A.exe | 58
PID 3528 wrote to memory of 3828 | 3528 | Un_A.exe | 59
PID 3528 wrote to memory of 3888 | 3528 | Un_A.exe | 60
PID 3528 wrote to memory of 3976 | 3528 | Un_A.exe | 61
PID 3528 wrote to memory of 2768 | 3528 | Un_A.exe | 62
PID 3528 wrote to memory of 4684 | 3528 | Un_A.exe | 74
PID 3528 wrote to memory of 4140 | 3528 | Un_A.exe | 75
PID 3528 wrote to memory of 3748 | 3528 | Un_A.exe | 79
PID 3528 wrote to memory of 852 | 3528 | Un_A.exe | 84
PID 3528 wrote to memory of 4064 | 3528 | Un_A.exe | 85
PID 3528 wrote to memory of 796 | 3528 | Un_A.exe | 9
PID 3528 wrote to memory of 804 | 3528 | Un_A.exe | 10
PID 3528 wrote to memory of 336 | 3528 | Un_A.exe | 13
PID 3528 wrote to memory of 2640 | 3528 | Un_A.exe | 44
PID 3528 wrote to memory of 2676 | 3528 | Un_A.exe | 46
PID 3528 wrote to memory of 2844 | 3528 | Un_A.exe | 51
PID 3528 wrote to memory of 3384 | 3528 | Un_A.exe | 56
PID 3528 wrote to memory of 3532 | 3528 | Un_A.exe | 57
PID 3528 wrote to memory of 3740 | 3528 | Un_A.exe | 58
PID 3528 wrote to memory of 3828 | 3528 | Un_A.exe | 59
PID 3528 wrote to memory of 3888 | 3528 | Un_A.exe | 60
PID 3528 wrote to memory of 3976 | 3528 | Un_A.exe | 61
PID 3528 wrote to memory of 2768 | 3528 | Un_A.exe | 62
PID 3528 wrote to memory of 4684 | 3528 | Un_A.exe | 74
PID 3528 wrote to memory of 4140 | 3528 | Un_A.exe | 75
PID 3528 wrote to memory of 3748 | 3528 | Un_A.exe | 79
PID 3528 wrote to memory of 852 | 3528 | Un_A.exe | 84
PID 3528 wrote to memory of 4064 | 3528 | Un_A.exe | 85
PID 3528 wrote to memory of 796 | 3528 | Un_A.exe | 9
PID 3528 wrote to memory of 804 | 3528 | Un_A.exe | 10
PID 3528 wrote to memory of 336 | 3528 | Un_A.exe | 13
PID 3528 wrote to memory of 2640 | 3528 | Un_A.exe | 44
PID 3528 wrote to memory of 2676 | 3528 | Un_A.exe | 46
PID 3528 wrote to memory of 2844 | 3528 | Un_A.exe | 51
PID 3528 wrote to memory of 3384 | 3528 | Un_A.exe | 56
PID 3528 wrote to memory of 3532 | 3528 | Un_A.exe | 57
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Un_A.exe
Processes (path | command line | PID; indentation shows the process tree depth)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2640
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2676
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2844
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3384
  - C:\Users\Admin\AppData\Local\Temp\74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe | "C:\Users\Admin\AppData\Local\Temp\74253c286ffd16a8f0cb7eec0519e10e871e56db5dd274d14aeb1eb0f194c412.exe" | PID:4640
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\ | PID:3528
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3532
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3828
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3888
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3976
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2768
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4684
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4140
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:3748
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4940
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:852
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4064
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4196
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)