sality | eca844e81be6c7c82a329dfb4d31bc61a7d6b82e64758cb1cdbf15450910d686

Windows Service

T1543.003

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	explorer.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 39 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2984-0-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-2-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-12-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-5-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-15-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-14-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-16-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-3-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-4-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2984-20-0x0000000002B40000-0x0000000003BCE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-32-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-34-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-35-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-36-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-37-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-38-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-39-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-40-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-41-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-42-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-43-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-44-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-45-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-46-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-48-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-49-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-50-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-52-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-53-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-55-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-57-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-60-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-62-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-64-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-66-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-68-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-70-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4852-95-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
F:\ucql.pif	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 40 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2984-0-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-2-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-12-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-5-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-15-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-14-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-16-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-3-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-7-0x0000000000400000-0x0000000000DB0000-memory.dmp	UPX
behavioral2/memory/2984-4-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-20-0x0000000002B40000-0x0000000003BCE000-memory.dmp	UPX
behavioral2/memory/2984-31-0x0000000000400000-0x0000000000DB0000-memory.dmp	UPX
behavioral2/memory/4852-32-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-34-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-35-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-36-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-37-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-38-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-39-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-40-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-41-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-42-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-43-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-44-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-45-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-46-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-48-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-49-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-50-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-52-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-53-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-55-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-57-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-60-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-62-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-64-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-66-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-68-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-70-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX
behavioral2/memory/4852-95-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	UPX

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	explorer.exe

Disables Task Manager via registry modification
evasion
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

4852 explorer.exe

pid	process
4852	explorer.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2984-0-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-2-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-12-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-5-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-15-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-14-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-16-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-3-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-4-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/2984-20-0x0000000002B40000-0x0000000003BCE000-memory.dmp	upx
behavioral2/memory/4852-32-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-34-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-35-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-36-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-37-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-38-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-39-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-40-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-41-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-42-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-43-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-44-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-45-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-46-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-48-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-49-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-50-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-52-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-53-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-55-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-57-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-60-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-62-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-64-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-66-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-68-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-70-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx
behavioral2/memory/4852-95-0x0000000002DD0000-0x0000000003E5E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4624 2984 WerFault.exe 2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

pid	pid_target	process	target process
4624	2984	WerFault.exe	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exeexplorer.exe

pid	process
2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
4852	explorer.exe
4852	explorer.exe
4852	explorer.exe
4852	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

description	pid	process
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
Token: SeDebugPrivilege	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exeexplorer.exe

description	pid	process	target process
PID 2984 wrote to memory of 4852	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	explorer.exe
PID 2984 wrote to memory of 4852	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	explorer.exe
PID 2984 wrote to memory of 4852	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	explorer.exe
PID 2984 wrote to memory of 760	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	fontdrvhost.exe
PID 2984 wrote to memory of 764	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	fontdrvhost.exe
PID 2984 wrote to memory of 1016	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	dwm.exe
PID 2984 wrote to memory of 2480	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	sihost.exe
PID 2984 wrote to memory of 2500	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	svchost.exe
PID 2984 wrote to memory of 2684	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	taskhostw.exe
PID 2984 wrote to memory of 3500	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	Explorer.EXE
PID 2984 wrote to memory of 3648	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	svchost.exe
PID 2984 wrote to memory of 3824	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	DllHost.exe
PID 2984 wrote to memory of 3912	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	StartMenuExperienceHost.exe
PID 2984 wrote to memory of 3972	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	RuntimeBroker.exe
PID 2984 wrote to memory of 4060	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	SearchApp.exe
PID 2984 wrote to memory of 3944	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	RuntimeBroker.exe
PID 2984 wrote to memory of 456	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	TextInputHost.exe
PID 2984 wrote to memory of 2572	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	RuntimeBroker.exe
PID 2984 wrote to memory of 2812	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	backgroundTaskHost.exe
PID 2984 wrote to memory of 440	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	backgroundTaskHost.exe
PID 2984 wrote to memory of 4852	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	explorer.exe
PID 2984 wrote to memory of 4852	2984	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe	explorer.exe
PID 4852 wrote to memory of 760	4852	explorer.exe	fontdrvhost.exe
PID 4852 wrote to memory of 764	4852	explorer.exe	fontdrvhost.exe
PID 4852 wrote to memory of 1016	4852	explorer.exe	dwm.exe
PID 4852 wrote to memory of 2480	4852	explorer.exe	sihost.exe
PID 4852 wrote to memory of 2500	4852	explorer.exe	svchost.exe
PID 4852 wrote to memory of 2684	4852	explorer.exe	taskhostw.exe
PID 4852 wrote to memory of 3500	4852	explorer.exe	Explorer.EXE
PID 4852 wrote to memory of 3648	4852	explorer.exe	svchost.exe
PID 4852 wrote to memory of 3824	4852	explorer.exe	DllHost.exe
PID 4852 wrote to memory of 3912	4852	explorer.exe	StartMenuExperienceHost.exe
PID 4852 wrote to memory of 3972	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 4060	4852	explorer.exe	SearchApp.exe
PID 4852 wrote to memory of 3944	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 456	4852	explorer.exe	TextInputHost.exe
PID 4852 wrote to memory of 2572	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 2812	4852	explorer.exe	backgroundTaskHost.exe
PID 4852 wrote to memory of 2064	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 5096	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 760	4852	explorer.exe	fontdrvhost.exe
PID 4852 wrote to memory of 764	4852	explorer.exe	fontdrvhost.exe
PID 4852 wrote to memory of 1016	4852	explorer.exe	dwm.exe
PID 4852 wrote to memory of 2480	4852	explorer.exe	sihost.exe
PID 4852 wrote to memory of 2500	4852	explorer.exe	svchost.exe
PID 4852 wrote to memory of 2684	4852	explorer.exe	taskhostw.exe
PID 4852 wrote to memory of 3500	4852	explorer.exe	Explorer.EXE
PID 4852 wrote to memory of 3648	4852	explorer.exe	svchost.exe
PID 4852 wrote to memory of 3824	4852	explorer.exe	DllHost.exe
PID 4852 wrote to memory of 3912	4852	explorer.exe	StartMenuExperienceHost.exe
PID 4852 wrote to memory of 3972	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 4060	4852	explorer.exe	SearchApp.exe
PID 4852 wrote to memory of 3944	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 456	4852	explorer.exe	TextInputHost.exe
PID 4852 wrote to memory of 2572	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 2812	4852	explorer.exe	backgroundTaskHost.exe
PID 4852 wrote to memory of 2064	4852	explorer.exe	RuntimeBroker.exe
PID 4852 wrote to memory of 5096	4852	explorer.exe	RuntimeBroker.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2500

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2684

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_6a2839b47bde6cb093f618cfd6fe63a4_darpapox_icedid_nymaim.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2984

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 836
3⤵
- Program crash
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3912

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2572

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2812

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2984 -ip 2984
1⤵
PID:792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control