sality | 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf

Analysis

max time kernel
19s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Size

4.4MB
MD5

93bf1a918b8ea7bfd4d53f7f54de6282
SHA1

b8aea380163f1a82bee3b41d1042261c06f70e04
SHA256

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
SHA512

ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066
SSDEEP

1536:MNyqVAb8dnlAUTFTgKDzRDVE4jt5HMCceGzcfdRTgYtSp1C7Sqbz67:sZVAIBlAUJTznR7qCVGzcf7g2Sq67

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

scvhost.exe870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

regedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	scvhost.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 39 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1956-1-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-4-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-8-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-11-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-5-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-9-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-15-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-16-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-17-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1956-32-0x00000000029C0000-0x0000000003A4E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-62-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-65-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-66-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-64-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-70-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-72-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-69-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-74-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-73-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-80-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-81-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-82-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-88-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-89-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-98-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-102-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-108-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-109-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-118-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-130-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-131-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-142-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-143-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-161-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-160-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-163-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-172-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2040-180-0x0000000003220000-0x00000000042AE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
C:\mdldp.pif	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 40 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1956-1-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-4-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-8-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-11-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-5-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-9-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-15-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-16-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-17-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/2040-25-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/1956-32-0x00000000029C0000-0x0000000003A4E000-memory.dmp	UPX
behavioral2/memory/1956-41-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2040-62-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-65-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-66-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-64-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-70-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-72-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-69-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-74-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-73-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-80-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-81-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-82-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-88-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-89-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-98-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-102-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-108-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-109-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-118-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-130-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-131-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-142-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-143-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-161-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-160-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-163-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-172-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX
behavioral2/memory/2040-180-0x0000000003220000-0x00000000042AE000-memory.dmp	UPX

Disables RegEdit via registry modification 4 IoCs

evasion

Processes:

regedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe

Disables Task Manager via registry modification
evasion
Deletes itself 1 IoCs

Processes:

scvhost.exe

pid process

2040 scvhost.exe
Executes dropped EXE 1 IoCs

Processes:

scvhost.exe

pid process

2040 scvhost.exe

pid	process
2040	scvhost.exe

pid	process
2040	scvhost.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

regedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1956-1-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-4-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-8-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-11-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-5-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-9-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-15-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-16-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-17-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1956-32-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/2040-62-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-65-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-66-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-64-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-70-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-72-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-69-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-74-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-73-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-80-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-81-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-82-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-88-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-89-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-98-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-102-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-108-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-109-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-118-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-130-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-131-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-142-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-143-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-161-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-160-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-163-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-172-0x0000000003220000-0x00000000042AE000-memory.dmp	upx
behavioral2/memory/2040-180-0x0000000003220000-0x00000000042AE000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	scvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Windows\\SysWOW64\\scvhost.exe"	regedit.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	scvhost.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

scvhost.exe

description	ioc	process
File opened (read-only)	\??\E:	scvhost.exe
File opened (read-only)	\??\G:	scvhost.exe
File opened (read-only)	\??\H:	scvhost.exe
File opened (read-only)	\??\I:	scvhost.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

scvhost.exe

description ioc process

File opened for modification \??\c:\Autorun.inf scvhost.exe

description	ioc	process
File opened for modification	\??\c:\Autorun.inf	scvhost.exe

Drops file in System32 directory 3 IoCs

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\scvhost.exe	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
File opened for modification	C:\Windows\SysWOW64\Funny!.reg	scvhost.exe

Drops file in Windows directory 1 IoCs

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 31 IoCs

Processes:

explorer.exeregedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe

Runs .reg file with regedit 64 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
4044	regedit.exe
1420	regedit.exe
1584	regedit.exe
1848	regedit.exe
2752	regedit.exe
3220	regedit.exe
2236	regedit.exe
1604	regedit.exe
4908	regedit.exe
1304	regedit.exe
4464	regedit.exe
3552	regedit.exe
4400	regedit.exe
5084	regedit.exe
3840	regedit.exe
2924	regedit.exe
724	regedit.exe
4328	regedit.exe
3600	regedit.exe
640	regedit.exe
1556	regedit.exe
3944	regedit.exe
4084	regedit.exe
1412	regedit.exe
772	regedit.exe
3220	regedit.exe
2324	regedit.exe
5108	regedit.exe
5048	regedit.exe
3744	regedit.exe
1848	regedit.exe
4644	regedit.exe
5096	regedit.exe
1800	regedit.exe
4428	regedit.exe
4044	regedit.exe
4884	regedit.exe
468	regedit.exe
408	regedit.exe
3952	regedit.exe
2424	regedit.exe
2908	regedit.exe
2728	regedit.exe
2588	regedit.exe
3524	regedit.exe
3832	regedit.exe
2764	regedit.exe
1956	regedit.exe
4864	regedit.exe
536	regedit.exe
3584	regedit.exe
3628	regedit.exe
1524	regedit.exe
1636	regedit.exe
2840	regedit.exe
4760	regedit.exe
972	regedit.exe
2752	regedit.exe
3372	regedit.exe
3148	regedit.exe
2324	regedit.exe
1692	regedit.exe
4388	regedit.exe
4044	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

3884 explorer.exe

pid	process
3884	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

pid	process
1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
2040	scvhost.exe
2040	scvhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

description	pid	process
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Token: SeDebugPrivilege	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exeexplorer.exe

pid process

1956 870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
2040 scvhost.exe
3884 explorer.exe
3884 explorer.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

description	pid	process	target process
PID 1956 wrote to memory of 780	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	fontdrvhost.exe
PID 1956 wrote to memory of 784	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	fontdrvhost.exe
PID 1956 wrote to memory of 336	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	dwm.exe
PID 1956 wrote to memory of 2604	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	sihost.exe
PID 1956 wrote to memory of 2636	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	svchost.exe
PID 1956 wrote to memory of 2880	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	taskhostw.exe
PID 1956 wrote to memory of 3424	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	Explorer.EXE
PID 1956 wrote to memory of 3536	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	svchost.exe
PID 1956 wrote to memory of 3728	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	DllHost.exe
PID 1956 wrote to memory of 3824	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	StartMenuExperienceHost.exe
PID 1956 wrote to memory of 3892	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	RuntimeBroker.exe
PID 1956 wrote to memory of 3976	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	SearchApp.exe
PID 1956 wrote to memory of 2932	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	RuntimeBroker.exe
PID 1956 wrote to memory of 4664	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	RuntimeBroker.exe
PID 1956 wrote to memory of 2240	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	TextInputHost.exe
PID 1956 wrote to memory of 5028	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	RuntimeBroker.exe
PID 1956 wrote to memory of 4932	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	backgroundTaskHost.exe
PID 1956 wrote to memory of 5092	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	backgroundTaskHost.exe
PID 1956 wrote to memory of 2296	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	explorer.exe
PID 1956 wrote to memory of 2296	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	explorer.exe
PID 1956 wrote to memory of 2296	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	explorer.exe
PID 1956 wrote to memory of 5096	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	regedit.exe
PID 1956 wrote to memory of 5096	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	regedit.exe
PID 1956 wrote to memory of 5096	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	regedit.exe
PID 1956 wrote to memory of 2040	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	scvhost.exe
PID 1956 wrote to memory of 2040	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	scvhost.exe
PID 1956 wrote to memory of 2040	1956	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe	scvhost.exe
PID 2040 wrote to memory of 3944	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 3944	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 3944	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 780	2040	scvhost.exe	fontdrvhost.exe
PID 2040 wrote to memory of 784	2040	scvhost.exe	fontdrvhost.exe
PID 2040 wrote to memory of 336	2040	scvhost.exe	dwm.exe
PID 2040 wrote to memory of 2604	2040	scvhost.exe	sihost.exe
PID 2040 wrote to memory of 2636	2040	scvhost.exe	svchost.exe
PID 2040 wrote to memory of 2880	2040	scvhost.exe	taskhostw.exe
PID 2040 wrote to memory of 3424	2040	scvhost.exe	Explorer.EXE
PID 2040 wrote to memory of 3536	2040	scvhost.exe	svchost.exe
PID 2040 wrote to memory of 3728	2040	scvhost.exe	DllHost.exe
PID 2040 wrote to memory of 3824	2040	scvhost.exe	StartMenuExperienceHost.exe
PID 2040 wrote to memory of 3892	2040	scvhost.exe	RuntimeBroker.exe
PID 2040 wrote to memory of 3976	2040	scvhost.exe	SearchApp.exe
PID 2040 wrote to memory of 2932	2040	scvhost.exe	RuntimeBroker.exe
PID 2040 wrote to memory of 4664	2040	scvhost.exe	RuntimeBroker.exe
PID 2040 wrote to memory of 2240	2040	scvhost.exe	TextInputHost.exe
PID 2040 wrote to memory of 5028	2040	scvhost.exe	RuntimeBroker.exe
PID 2040 wrote to memory of 4932	2040	scvhost.exe	backgroundTaskHost.exe
PID 2040 wrote to memory of 3884	2040	scvhost.exe	explorer.exe
PID 2040 wrote to memory of 4888	2040	scvhost.exe	RuntimeBroker.exe
PID 2040 wrote to memory of 4464	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 4464	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 4464	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 2424	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 2424	2040	scvhost.exe	regedit.exe
PID 2040 wrote to memory of 2424	2040	scvhost.exe	regedit.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exescvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	scvhost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2636

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2880

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
  "C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1956
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Runs .reg file with regedit
    PID:5096
- - C:\Windows\SysWOW64\scvhost.exe
    C:\Windows\System32\scvhost.exe
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2040
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies registry class
      Runs .reg file with regedit
      PID:3944
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies registry class
      Runs .reg file with regedit
      PID:4464
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies registry class
      Runs .reg file with regedit
      PID:2424
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2324
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3524
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3584
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2236
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4760
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:468
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2908
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3220
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1604
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4884
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1848
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2324
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3832
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:724
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:5108
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2924
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:408
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2752
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1692
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4388
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3372
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:5084
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3628
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2764
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4044
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1956
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4084
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4328
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:5048
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3600
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3552
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4864
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1800
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4428
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1584
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2752
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3744
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1524
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3220
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3148
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4908
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2728
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1412
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4044
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3840
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1636
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2588
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1848
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:640
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4400
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1556
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:2840
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:3952
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:536
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:972
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1420
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4044
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:4644
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:1304
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\Windows\SysWOW64\Funny!.reg
      4⤵
      Runs .reg file with regedit
      PID:772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4664

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2240

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5028

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4932

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4888

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2288

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Funny!.reg

Filesize
649B

MD5
ca7cc4fbc1b64aca44aa87e06bdfb37c

SHA1
bf7b81080a8268a0370cada6f9123de4583be83a

SHA256
cd1763b9cf7b6064f2627f6f44fe057b339de6388475e97ecfa3e3423386b840

SHA512
6c20ea4830c6732a1a2c84dd070f9ac90ae394c1dc891310fe615bc1991b99ff47c95d142d6e88fbc0ea84eea1842624cfbf9fc20144785cbe445c15826f0437

Download Submit
C:\Windows\SYSTEM.INI

Filesize
256B

MD5
ae88d414c556e52d6bf60ca30b3af233

SHA1
2f1764c228ad575a9935955ceabe5c1bc1b78052

SHA256
db1e0ccb82ffa18b4972dcbe705d9e206758a4d6e31e6c3cc38019f3b44f3214

SHA512
62a3bd53cf678f3c93e49bd134d74dc731883f238e9408a2cdcb4ea530b6ea7058d42cc14cd99642e4451f973096a064f03dfc880348c6eba522f8bba1bd17b2

Download Submit
C:\Windows\SysWOW64\Funny!.reg

Filesize
575B

MD5
3d12304930d03f2cbbc4b7fc6fbe4994

SHA1
3270ce4fc3f7be8f318d5d88abbe04f412efb259

SHA256
c9c584407078a606b868fcbf5ccdf2648724969f6c79b882f15ec0a8773ec826

SHA512
d1014cafffe5f509986b9c0769563648d13db32b2a6247dda5beb5cadc8a11589c643c96da2ff6f8801a8581e0c5e8ee3550ad810af4d3658fe95a42efd6dabb

Download Submit
C:\Windows\SysWOW64\scvhost.exe

Filesize
4.4MB

MD5
93bf1a918b8ea7bfd4d53f7f54de6282

SHA1
b8aea380163f1a82bee3b41d1042261c06f70e04

SHA256
870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf

SHA512
ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066

Download Submit
C:\autorun.inf

Filesize
264B

MD5
6bc3d11bd81af37b5af86c9e307526f1

SHA1
e94c73160d3917a7a162c5a9eda2cdd3c751feeb

SHA256
d4acf93d0dec8bdebbd6ecc0ca20159bbc8018a176a40292b857d4fac3f80fb2

SHA512
0cd9c4704bcb8e6ac3a0844832ae1cec6664cc65fff73839517ed8e758336109d0525221a6e823fea30fa154620ef4a67276a28f8392af4354e9c765f9af2c6d

Download Submit
C:\mdldp.pif

Filesize
100KB

MD5
81423315cb3b362cdb86bc18501be804

SHA1
4992fc0e7afb24e15fcb180683f97812da81fd1c

SHA256
e7cdd5d5de75dbd5d1c828c5f2463a1425da7b1cc08347d1aca50b6375471c87

SHA512
8d9a25e25ea61ba85d6c1b9fe29e34df9749c033aa8d1b856c24eafb03708aae172aa8443fb87fe84cfe27c0dbf4f0926d9a7cf94fcd7c24a25acaf79bf101dc

Download Submit
memory/1956-7-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1956-17-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-11-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-5-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-9-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-15-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-16-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-14-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/1956-13-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/1956-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1956-6-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/1956-8-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-32-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-41-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1956-4-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/1956-1-0x00000000029C0000-0x0000000003A4E000-memory.dmp

Filesize
16.6MB

Download
memory/2040-68-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2040-98-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-71-0x0000000002240000-0x0000000002242000-memory.dmp

Filesize
8KB

Download
memory/2040-64-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-65-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-70-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-72-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-69-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-74-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-73-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-80-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-81-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-82-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-88-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-89-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-66-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-102-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-108-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-109-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-118-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-130-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-131-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-142-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-143-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-161-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-160-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-163-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-172-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-180-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-62-0x0000000003220000-0x00000000042AE000-memory.dmp

Filesize
16.6MB

Download
memory/2040-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download