sality | ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577

Windows Service

T1543.003

Processes:

wmimgmt.exeddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	wmimgmt.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wmimgmt.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmimgmt.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2808-19-0x0000000001EB0000-0x0000000002F6A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2204-7-0x0000000001EC0000-0x0000000002F7A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2204-2-0x0000000001EC0000-0x0000000002F7A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2808-19-0x0000000001EB0000-0x0000000002F6A000-memory.dmp	UPX
behavioral1/memory/2808-20-0x0000000000400000-0x000000000044F000-memory.dmp	UPX
behavioral1/memory/2808-27-0x0000000000400000-0x000000000044F000-memory.dmp	UPX
behavioral1/memory/2220-16-0x0000000000390000-0x00000000003DF000-memory.dmp	UPX
behavioral1/memory/2204-7-0x0000000001EC0000-0x0000000002F7A000-memory.dmp	UPX
behavioral1/memory/2204-5-0x0000000000400000-0x000000000044F000-memory.dmp	UPX
behavioral1/memory/2204-2-0x0000000001EC0000-0x0000000002F7A000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

Processes:

wmimgmt.exewmimgmt.exe

pid process

2808 wmimgmt.exe
2504 wmimgmt.exe

pid	process
2808	wmimgmt.exe
2504	wmimgmt.exe

Loads dropped DLL 3 IoCs

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

pid	process
2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
2808	wmimgmt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2808-19-0x0000000001EB0000-0x0000000002F6A000-memory.dmp	upx
behavioral1/memory/2204-7-0x0000000001EC0000-0x0000000002F7A000-memory.dmp	upx
behavioral1/memory/2204-2-0x0000000001EC0000-0x0000000002F7A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmimgmt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wmimgmt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmimgmt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

wmimgmt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmi32 = "\"C:\\ProgramData\\Application Data\\wmimgmt.exe\""	wmimgmt.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wmimgmt.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

wmimgmt.exe

description ioc process

File opened (read-only) \??\F: wmimgmt.exe

description	ioc	process
File opened (read-only)	\??\F:	wmimgmt.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

description	pid	process	target process
PID 2204 set thread context of 2220	2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
PID 2808 set thread context of 2504	2808	wmimgmt.exe	wmimgmt.exe

Drops file in Windows directory 1 IoCs

Processes:

wmimgmt.exe

description ioc process

File created C:\Windows\f7612d5 wmimgmt.exe
Discovers systems in the same network 1 TTPs 4 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exenet.exe

pid process

2488 net.exe
944 net.exe
916 net.exe
1800 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

320 tasklist.exe
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exeNETSTAT.EXE

pid process

596 NETSTAT.EXE
2148 ipconfig.exe
1932 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2424 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2252 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

pid process

2204 ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
2808 wmimgmt.exe

description	ioc	process
File created	C:\Windows\f7612d5	wmimgmt.exe

pid	process
2488	net.exe
944	net.exe
916	net.exe
1800	net.exe

pid	process
320	tasklist.exe

pid	process
596	NETSTAT.EXE
2148	ipconfig.exe
1932	NETSTAT.EXE

pid	process
2424	systeminfo.exe

pid	process
2252	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exetasklist.exeNETSTAT.EXE

description	pid	process
Token: SeBackupPrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeRestorePrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeBackupPrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeBackupPrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeRestorePrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeBackupPrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeRestorePrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeBackupPrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeRestorePrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeBackupPrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeRestorePrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeBackupPrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeRestorePrivilege	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Token: SeDebugPrivilege	320	tasklist.exe
Token: SeDebugPrivilege	1932	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

pid	process
2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
2808	wmimgmt.exe
2808	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exeddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exewmimgmt.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2204 wrote to memory of 2220	2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
PID 2204 wrote to memory of 2220	2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
PID 2204 wrote to memory of 2220	2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
PID 2204 wrote to memory of 2220	2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
PID 2204 wrote to memory of 2220	2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
PID 2204 wrote to memory of 2220	2204	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
PID 2220 wrote to memory of 2808	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	wmimgmt.exe
PID 2220 wrote to memory of 2808	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	wmimgmt.exe
PID 2220 wrote to memory of 2808	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	wmimgmt.exe
PID 2220 wrote to memory of 2808	2220	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe	wmimgmt.exe
PID 2808 wrote to memory of 2504	2808	wmimgmt.exe	wmimgmt.exe
PID 2808 wrote to memory of 2504	2808	wmimgmt.exe	wmimgmt.exe
PID 2808 wrote to memory of 2504	2808	wmimgmt.exe	wmimgmt.exe
PID 2808 wrote to memory of 2504	2808	wmimgmt.exe	wmimgmt.exe
PID 2808 wrote to memory of 2504	2808	wmimgmt.exe	wmimgmt.exe
PID 2808 wrote to memory of 2504	2808	wmimgmt.exe	wmimgmt.exe
PID 2504 wrote to memory of 3024	2504	wmimgmt.exe	cmd.exe
PID 2504 wrote to memory of 3024	2504	wmimgmt.exe	cmd.exe
PID 2504 wrote to memory of 3024	2504	wmimgmt.exe	cmd.exe
PID 2504 wrote to memory of 3024	2504	wmimgmt.exe	cmd.exe
PID 3024 wrote to memory of 2516	3024	cmd.exe	findstr.exe
PID 3024 wrote to memory of 2516	3024	cmd.exe	findstr.exe
PID 3024 wrote to memory of 2516	3024	cmd.exe	findstr.exe
PID 3024 wrote to memory of 2516	3024	cmd.exe	findstr.exe
PID 3024 wrote to memory of 1848	3024	cmd.exe	chcp.com
PID 3024 wrote to memory of 1848	3024	cmd.exe	chcp.com
PID 3024 wrote to memory of 1848	3024	cmd.exe	chcp.com
PID 3024 wrote to memory of 1848	3024	cmd.exe	chcp.com
PID 3024 wrote to memory of 1836	3024	cmd.exe	net.exe
PID 3024 wrote to memory of 1836	3024	cmd.exe	net.exe
PID 3024 wrote to memory of 1836	3024	cmd.exe	net.exe
PID 3024 wrote to memory of 1836	3024	cmd.exe	net.exe
PID 1836 wrote to memory of 2016	1836	net.exe	net1.exe
PID 1836 wrote to memory of 2016	1836	net.exe	net1.exe
PID 1836 wrote to memory of 2016	1836	net.exe	net1.exe
PID 1836 wrote to memory of 2016	1836	net.exe	net1.exe
PID 3024 wrote to memory of 2036	3024	cmd.exe	net.exe
PID 3024 wrote to memory of 2036	3024	cmd.exe	net.exe
PID 3024 wrote to memory of 2036	3024	cmd.exe	net.exe
PID 3024 wrote to memory of 2036	3024	cmd.exe	net.exe
PID 2036 wrote to memory of 2664	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2664	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2664	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2664	2036	net.exe	net1.exe
PID 3024 wrote to memory of 320	3024	cmd.exe	tasklist.exe
PID 3024 wrote to memory of 320	3024	cmd.exe	tasklist.exe
PID 3024 wrote to memory of 320	3024	cmd.exe	tasklist.exe
PID 3024 wrote to memory of 320	3024	cmd.exe	tasklist.exe
PID 3024 wrote to memory of 2424	3024	cmd.exe	systeminfo.exe
PID 3024 wrote to memory of 2424	3024	cmd.exe	systeminfo.exe
PID 3024 wrote to memory of 2424	3024	cmd.exe	systeminfo.exe
PID 3024 wrote to memory of 2424	3024	cmd.exe	systeminfo.exe
PID 3024 wrote to memory of 1632	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 1632	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 1632	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 1632	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 1788	3024	cmd.exe	find.exe
PID 3024 wrote to memory of 1788	3024	cmd.exe	find.exe
PID 3024 wrote to memory of 1788	3024	cmd.exe	find.exe
PID 3024 wrote to memory of 1788	3024	cmd.exe	find.exe
PID 3024 wrote to memory of 2116	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 2116	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 2116	3024	cmd.exe	reg.exe
PID 3024 wrote to memory of 2116	3024	cmd.exe	reg.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exewmimgmt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wmimgmt.exe

C:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
"C:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2204
- C:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
  C:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\ProgramData\Application Data\wmimgmt.exe
    "C:\ProgramData\Application Data\wmimgmt.exe"
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2808
  - - C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /v:on /c "C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\ghi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
        6⤵
        
        PID:2516
      - C:\Windows\SysWOW64\chcp.com
        
        chcp
        6⤵
        
        PID:1848
      - C:\Windows\SysWOW64\net.exe
        
        net user
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:2016
      - C:\Windows\SysWOW64\net.exe
        
        net localgroup administrators
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:2664
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:2424
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\find.exe
        
        find "REG_"
        6⤵
        
        PID:1788
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office
        6⤵
        
        PID:2116
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
        6⤵
        
        PID:1660
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
        6⤵
        
        PID:1412
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
        6⤵
        
        PID:2056
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
        6⤵
        
        PID:2904
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
        6⤵
        
        PID:2908
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
        6⤵
        
        PID:2428
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:2148
      - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -ano
        6⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
      - C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        6⤵
        
        PID:2076
      - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -r
        6⤵
        Gathers network information
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        7⤵
        
        PID:268
        
        C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        8⤵
        
        PID:776
      - C:\Windows\SysWOW64\net.exe
        
        net start
        6⤵
        
        PID:820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        7⤵
        
        PID:1168
      - C:\Windows\SysWOW64\net.exe
        
        net use
        6⤵
        
        PID:1304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo n"
        6⤵
        
        PID:1092
      - C:\Windows\SysWOW64\net.exe
        
        net share
        6⤵
        
        PID:652
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        7⤵
        
        PID:2292
      - C:\Windows\SysWOW64\net.exe
        
        net view /domain
        6⤵
        Discovers systems in the same network
        
        PID:2488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
        6⤵
        
        PID:1144
      - C:\Windows\SysWOW64\find.exe
        
        find /i /v "------"
        6⤵
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
        6⤵
        
        PID:1248
      - C:\Windows\SysWOW64\find.exe
        
        find /i /v "domain"
        6⤵
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
        6⤵
        
        PID:2104
      - C:\Windows\SysWOW64\find.exe
        
        find /i /v "¬A╛╣"
        6⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
        6⤵
        
        PID:2012
      - C:\Windows\SysWOW64\find.exe
        
        find /i /v "░⌡ªµª¿"
        6⤵
        
        PID:1368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
        6⤵
        
        PID:1716
      - C:\Windows\SysWOW64\find.exe
        
        find /i /v "├ⁿ┴ε"
        6⤵
        
        PID:1696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
        6⤵
        
        PID:1576
      - C:\Windows\SysWOW64\find.exe
        
        find /i /v "completed successfully"
        6⤵
        
        PID:964
      - C:\Windows\SysWOW64\net.exe
        
        net view /domain:"WORKGROUP"
        6⤵
        Discovers systems in the same network
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\workgrp.tmp "
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\find.exe
        
        find "\\"
        6⤵
        
        PID:3060
      - C:\Windows\SysWOW64\net.exe
        
        net view \\GHPZRGFC
        6⤵
        Discovers systems in the same network
        
        PID:916
      - C:\Windows\SysWOW64\net.exe
        
        net view \\GHPZRGFC
        6⤵
        Discovers systems in the same network
        
        PID:1800
      - C:\Windows\SysWOW64\find.exe
        
        find "Disk"
        6⤵
        
        PID:2320
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 GHPZRGFC
        6⤵
        Runs ping.exe
        
        PID:2252
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "Pinging Reply Request Unknown"
        6⤵
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry