Analysis
max time kernel: 21s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 18:15
Static task: static1
Behavioral task: behavioral1
Sample: 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Resource: win7-20240221-en
Note: the memory-dump paths in the signature section below are prefixed behavioral2/, which matches the win10v2004-20240426-en resource at the top of this page rather than the win7-20240221-en resource listed for behavioral1. The arch:x86 tag means the sample is a 32-bit executable running under WOW64 on the x64 image.
General
Target: 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Size: 287KB
MD5: a9300349e56df396f27110591c3c4e8a
SHA1: 91d6b1133ac0cb5115fbaf99be8d3bc0af138574
SHA256: 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a
SHA512: 51c9994735350821cf03c26d170ae0f5de6a7837d1cccce8ba7c114b9fa1005a95719458a02c531873fb59ff58c6eeb646fb47c7df3f80f7d8b9a1b30df2996f
SSDEEP: 6144:dvE72U+T6i5LirrllHy4HUcMQY6A+5Y+21Eqe:9E7N+T5xYrllrU7QY6A+LX
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
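The extracted config gives six URLs; for a network sweep the useful unit is the destination host, not the full URL, because the same host can be contacted with different paths. The script below is an added example and not part of this sandbox report: it derives the host list from the URLs above, matches them against proxy log lines and against the local DNS client cache. The Squid-style log lines are constructed for the demonstration and are not real traffic; the field layout (time, client, status, bytes, method, URL) is an assumption about the log format and would need adjusting for another proxy.

```powershell
# Added example, not part of the sandbox report: sweep proxy logs and the local
# DNS client cache for the C2 hosts in the extracted Sality config.
$configUrls = @(
    'http://89.119.67.154/testo5/',
    'http://kukutrustnet777.info/home.gif',
    'http://kukutrustnet888.info/home.gif',
    'http://kukutrustnet987.info/home.gif',
    'http://www.klkjwre9fqwieluoi.info/',
    'http://kukutrustnet777888.info/'
)
# Normalise to bare, lower-cased host names; [uri] handles the IP-literal host too.
$c2Hosts = $configUrls | ForEach-Object { ([uri]$_).Host.ToLowerInvariant() } | Sort-Object -Unique

# Constructed Squid-style access.log lines (assumed layout: time client status bytes method url).
$sampleLog = @(
    '1717092900.123 10.0.0.12 TCP_MISS/200 512 GET http://kukutrustnet777.info/home.gif',
    '1717092901.456 10.0.0.12 TCP_MISS/200 9031 GET http://example.com/index.html',
    '1717092902.789 10.0.0.33 TCP_MISS/200 2048 GET http://89.119.67.154/testo5/',
    '1717092903.001 10.0.0.33 TCP_MISS/200 77 GET http://www.klkjwre9fqwieluoi.info/'
)

function Find-C2Hits {
    param([string[]]$Lines, [string[]]$Hosts)
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }                 # malformed line, skip it
        $uri = $f[5] -as [uri]
        if ($null -eq $uri -or -not $uri.IsAbsoluteUri) { continue }
        $h = $uri.Host.ToLowerInvariant()
        if ($Hosts -contains $h) {
            [pscustomobject]@{
                Time   = [DateTimeOffset]::FromUnixTimeSeconds([long][double]$f[0]).UtcDateTime
                Client = $f[1]
                Host   = $h
                Url    = $f[5]
            }
        }
    }
}

# Three of the four constructed lines hit (clients 10.0.0.12 and 10.0.0.33).
$hits = Find-C2Hits -Lines $sampleLog -Hosts $c2Hosts
$hits | Format-Table -AutoSize

# On the host itself, the DNS client cache shows whether any of the domains
# were resolved recently (the Entry property is the queried name).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $c2Hosts -contains $_.Entry.ToLowerInvariant() } |
    Select-Object Entry, Data, TimeToLive
```

Matching on host rather than URL also catches the case where the sample requests a path other than home.gif or testo5/ from one of these servers; a URL-literal match would miss it.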
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
The default Shell value is the bare string explorer.exe; the sample appended its dropped copy c:\windows\system\explorer.exe to the comma-separated list. The explorer.exe and svchost.exe in the process column are the dropped copies (PIDs 2144 and 1648 below), not the Windows binaries. The WOW6432Node prefix on this and the other HKLM\SOFTWARE keys in this report is WOW64 registry redirection of the 32-bit sample's writes; when auditing a host, check both the native and the WOW6432Node view.
Modifies firewall policy service 2 TTPs 6 IoCs
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
The meaningful changes are EnableFirewall = 0 (firewall off for the standard profile) and DisableNotifications = 1 (no "firewall is off" prompts); DoNotAllowExceptions = 0 is the Windows default, so that write is not evidence on its own.
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes (description | ioc | process):
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
ShowSuperHidden = 0 (protected operating-system files hidden) is also the Windows default, so only the write event, not the resulting value, distinguishes an infected host.
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
EnableLUA = 0 disables User Account Control; the change takes effect at the next restart. This key is not WOW64-redirected, which is why it carries no WOW6432Node prefix.
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 36 IoCs
YARA rule INDICATOR_EXE_Packed_SimplePolyEngine matched on:
PID 4360 (sample), region 0x0000000002A80000-0x0000000003B0E000: memory dumps 1, 3, 4, 6, 7, 8, 14, 20, 21, 46, 49, 56 (12 dumps, behavioral2/memory/4360-N-...-memory.dmp)
PID 2144 (explorer.exe), region 0x0000000003510000-0x000000000459E000: memory dumps 70, 72, 73, 74, 75, 76, 77, 78, 79, 86, 87, 88, 89, 90, 92, 93, 94, 95, 97, 98, 100, 103, 105 (23 dumps, behavioral2/memory/2144-N-...-memory.dmp)
File C:\ylmbtk.pif
UPX dump on OEP (original entry point) 39 IoCs
YARA rule UPX matched on:
PID 4360 (sample), region 0x0000000002A80000-0x0000000003B0E000: memory dumps 1, 3, 4, 6, 7, 8, 14, 20, 21, 46, 49, 56 (12 dumps)
PID 4360 (sample), region 0x0000000000400000-0x0000000000441000: memory dump 68
PID 5024 (spoolsv.exe), region 0x0000000000400000-0x0000000000441000: memory dumps 45, 51
PID 2148 (spoolsv.exe), region 0x0000000000400000-0x0000000000441000: memory dump 55
PID 2144 (explorer.exe), region 0x0000000003510000-0x000000000459E000: memory dumps 70, 72, 73, 74, 75, 76, 77, 78, 79, 86, 87, 88, 89, 90, 92, 93, 94, 95, 97, 98, 100, 103, 105 (23 dumps)
(all paths of the form behavioral2/memory/PID-N-start-end-memory.dmp)
Modifies Installed Components in the registry 2 TTPs 5 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Active Setup runs each component's StubPath once per user at logon. Two details make these entries easy to spot: the StubPath points into a user's roaming profile, and the component names are not valid GUIDs (VMVQ, A9RC, NUFL, OTRW, U5GH, S1EE contain non-hex characters).
Deletes itself 1 IoCs
Processes (pid process):
2144 explorer.exe
Executes dropped EXE 4 IoCs
Processes (pid process):
2144 explorer.exe
2148 spoolsv.exe
1648 svchost.exe
5024 spoolsv.exe
These are the copies dropped under c:\windows\system\ (see "Drops file in Windows directory" below), not the Windows binaries of the same names; the real shell is PID 3488 Explorer.EXE, which appears only as an injection target.
YARA rule upx matched on (35 IoCs):
PID 4360 (sample), region 0x0000000002A80000-0x0000000003B0E000: memory dumps 1, 3, 4, 6, 7, 8, 14, 20, 21, 46, 49, 56 (12 dumps)
PID 2144 (explorer.exe), region 0x0000000003510000-0x000000000459E000: memory dumps 70, 72, 73, 74, 75, 76, 77, 78, 79, 86, 87, 88, 89, 90, 92, 93, 94, 95, 97, 98, 100, 103, 105 (23 dumps)
(all paths of the form behavioral2/memory/PID-N-start-end-memory.dmp)
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
RunOnce entries are deleted by Windows after they execute, and the dropped copies re-create them, so the values may be absent at the moment a host is examined; the dropped files in c:\windows\system\ are the more stable indicator. Note the launch argument "RO" here versus "MR" in the Active Setup StubPath above.
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
File opened (read-only) | \??\I: | explorer.exe
File opened (read-only) | \??\J: | explorer.exe
File opened (read-only) | \??\K: | explorer.exe
Drops file in Windows directory 6 IoCs
Processes (description | ioc | process):
File opened for modification | \??\c:\windows\system\explorer.exe | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
File opened for modification | C:\Windows\SYSTEM.INI | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
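The registry and file indicators in the signature sections above (Winlogon Shell, firewall policy, EnableLUA, Security Center flags, Active Setup StubPath, RunOnce entries and the dropped files under c:\windows\system\) can be checked on a suspect host from 64-bit PowerShell. The script below is an added example and not part of this sandbox report. It assumes CurrentControlSet in place of the ControlSet001 the sandbox logged (CurrentControlSet is the live control set), checks both the native and the WOW6432Node view of HKLM\SOFTWARE because the 32-bit sample's writes were redirected, resolves mrsys.exe through $env:APPDATA for the current user (the report's path is under the sandbox user Admin), and deliberately skips DoNotAllowExceptions = 0 and ShowSuperHidden = 0 because those are the Windows defaults. The Active Setup GUID check, and the allowance for a leading ">" in legitimate component names, are the editor's own heuristics, not something the report states.

```powershell
# Added example, not part of the sandbox report: audit a Windows host for the
# registry and file indicators this report attributes to the Sality sample.
# Run from 64-bit PowerShell. WOW6432Node paths are spelled out because the
# 32-bit sample's writes under HKLM\SOFTWARE were redirected there; the native
# view is checked as well in case a 64-bit variant wrote it.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Indicator, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Value = $Value })
}

# Flag a value only when it equals what the sample wrote (string compare, so a
# DWORD 0/1 and the strings "0"/"1" are treated alike).
function Test-BadValue([string]$Key, [string]$Name, $Bad, [string]$Indicator) {
    $p = Get-ItemProperty -Path $Key -Name $Name
    if ($null -ne $p -and "$($p.$Name)" -eq "$Bad") { Add-Finding $Indicator "$Key\$Name" $p.$Name }
}

$views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

foreach ($v in $views) {
    # Winlogon Shell: the default is the bare string "explorer.exe"; the sample
    # turned it into "C:\Windows\explorer.exe, c:\windows\system\explorer.exe".
    $shell = (Get-ItemProperty -Path "$v\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Shell).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        Add-Finding 'Winlogon Shell not default' "$v\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" $shell
    }

    # Security Center override / notification flags the sample set to 1.
    foreach ($n in 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride',
                   'FirewallDisableNotify', 'UacDisableNotify', 'UpdatesDisableNotify') {
        Test-BadValue "$v\Microsoft\Security Center" $n 1 'Security Center notification suppressed'
    }

    # Active Setup: a StubPath under a user profile, or a component whose name is
    # not a GUID (the sample used {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} and
    # {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}, which contain non-hex letters).
    # Heuristic: some legitimate components carry a leading ">" before the GUID.
    $guid = '^>?\{[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}$'
    Get-ChildItem -Path "$v\Microsoft\Active Setup\Installed Components" | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath).StubPath
        if ($_.PSChildName -notmatch $guid -or $stub -like '*\AppData\Roaming\*') {
            Add-Finding 'Active Setup component' $_.PSChildName $stub
        }
    }

    # RunOnce values launching anything from the legacy c:\windows\system folder
    # (the sample registered Explorer and Svchost entries there with argument "RO").
    $ro = Get-ItemProperty -Path "$v\Microsoft\Windows\CurrentVersion\RunOnce"
    if ($ro) {
        $ro.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like '*\windows\system\*' } |
            ForEach-Object { Add-Finding 'RunOnce into \windows\system' $_.Name $_.Value }
    }
}

# Keys that are not WOW64-redirected: the SYSTEM hive and the shared Policies key.
# Assumption: CurrentControlSet stands in for the ControlSet001 the sandbox logged.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
Test-BadValue $fw 'EnableFirewall'       0 'Firewall (standard profile) disabled'
Test-BadValue $fw 'DisableNotifications' 1 'Firewall notifications disabled'
Test-BadValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 0 'UAC disabled'

# Dropped files named in the report. mrsys.exe was written to the sandbox user's
# roaming profile; $env:APPDATA resolves it for the current user only (assumption).
$files = 'C:\Windows\System\explorer.exe', 'C:\Windows\System\svchost.exe',
         'C:\Windows\System\spoolsv.exe', 'C:\ylmbtk.pif', (Join-Path $env:APPDATA 'mrsys.exe')
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        Add-Finding 'Dropped file present' $f (Get-Item -LiteralPath $f).Length
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Sality indicators from this report found.' }
```

Findings are collected as objects rather than printed as they are found so the output can be piped to Export-Csv or compared across hosts. Because the RunOnce values are consumed at the next logon and re-created by the dropped copies, an empty RunOnce result does not clear a host; the files in C:\Windows\System and the Active Setup component are the more persistent evidence.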
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, counted over the 64 listed events):
4360 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe (4 events)
2144 explorer.exe (39 events)
1648 svchost.exe (21 events)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes (pid process):
2144 explorer.exe
1648 svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 4360 | 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe (all 64 listed events)
Suspicious use of SetWindowsHookEx 12 IoCs
Processes (pid process, event count):
4360 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe (2)
2144 explorer.exe (4)
2148 spoolsv.exe (2)
1648 svchost.exe (2)
5024 spoolsv.exe (2)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe, explorer.exe, spoolsv.exe, svchost.exe
Logged writes, in report order, as "writer PID / writer image -> target PID / target image"; "sample" is 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe, and "(x3)" marks a write logged three times in a row.
4360 sample -> 800 fontdrvhost.exe
4360 sample -> 808 fontdrvhost.exe
4360 sample -> 380 dwm.exe
4360 sample -> 2456 sihost.exe
4360 sample -> 2484 svchost.exe
4360 sample -> 2736 taskhostw.exe
4360 sample -> 3488 Explorer.EXE
4360 sample -> 3672 svchost.exe
4360 sample -> 3860 DllHost.exe
4360 sample -> 3948 StartMenuExperienceHost.exe
4360 sample -> 4016 RuntimeBroker.exe
4360 sample -> 768 SearchApp.exe
4360 sample -> 788 RuntimeBroker.exe
4360 sample -> 4496 TextInputHost.exe
4360 sample -> 4944 RuntimeBroker.exe
4360 sample -> 2444 backgroundTaskHost.exe
4360 sample -> 2144 explorer.exe (x3)
2144 explorer.exe -> 2148 spoolsv.exe (x3)
2148 spoolsv.exe -> 1648 svchost.exe (x3)
1648 svchost.exe -> 5024 spoolsv.exe (x3)
1648 svchost.exe -> 4652 at.exe (x3)
2144 explorer.exe -> 800 fontdrvhost.exe
2144 explorer.exe -> 808 fontdrvhost.exe
2144 explorer.exe -> 380 dwm.exe
2144 explorer.exe -> 2456 sihost.exe
2144 explorer.exe -> 2484 svchost.exe
2144 explorer.exe -> 2736 taskhostw.exe
2144 explorer.exe -> 3488 Explorer.EXE
2144 explorer.exe -> 3672 svchost.exe
2144 explorer.exe -> 3860 DllHost.exe
2144 explorer.exe -> 3948 StartMenuExperienceHost.exe
2144 explorer.exe -> 4016 RuntimeBroker.exe
2144 explorer.exe -> 768 SearchApp.exe
2144 explorer.exe -> 788 RuntimeBroker.exe
2144 explorer.exe -> 4496 TextInputHost.exe
2144 explorer.exe -> 4944 RuntimeBroker.exe
2144 explorer.exe -> 1648 svchost.exe (x2)
2144 explorer.exe -> 1684 RuntimeBroker.exe
2144 explorer.exe -> 848 RuntimeBroker.exe
2144 explorer.exe then repeats the writes into 800 fontdrvhost.exe, 808 fontdrvhost.exe, 380 dwm.exe, 2456 sihost.exe, 2484 svchost.exe, 2736 taskhostw.exe, 3488 Explorer.EXE, 3672 svchost.exe, 3860 DllHost.exe, 3948 StartMenuExperienceHost.exe, 4016 RuntimeBroker.exe, 768 SearchApp.exe, 788 RuntimeBroker.exe and 4496 TextInputHost.exe (same targets as its first pass above) -
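The table above logs every WriteProcessMemory call the sandbox observed. Writes from a parent into the child it has just started (2144 into 2148, 2148 into 1648) are routine for process creation; the sample and its dropped explorer.exe writing into a dozen unrelated desktop processes (fontdrvhost, dwm, sihost, RuntimeBroker, the real Explorer.EXE) are not. The Python below is an added example, not code from the report or from any sandbox vendor. It scores writers by fan-out, by running from a user-writable path, and by carrying a well-known image name from a directory Windows does not use for it (c:\windows\system is the legacy 16-bit directory, not System32), then follows the hand-off chain from the sample through its dropped copies. EVENTS and PATHS are a constructed subset of the rows above and of the process tree; EXPECTED_DIRS assumes a default Windows 10 x64 layout.

```python
r"""Injection fan-out and masquerade checks over WriteProcessMemory events.

Added example for this report; not code from the sandbox vendor. EVENTS and
PATHS are a constructed subset of the report's "Suspicious use of
WriteProcessMemory" table and process tree (PIDs and image names as logged).
"""
from collections import defaultdict
import ntpath

# Directory where a genuine copy of each well-known image lives on a default
# Windows 10 x64 install (assumption for this example; compared lower-cased).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

# PID -> image path, taken from the report's process tree (constructed subset).
PATHS = {
    4360: r"C:\Users\Admin\AppData\Local\Temp\042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe",
    2144: r"c:\windows\system\explorer.exe",
    2148: r"c:\windows\system\spoolsv.exe",
    1648: r"c:\windows\system\svchost.exe",
    3488: r"C:\Windows\Explorer.EXE",
}

# (writer PID, target PID, target image), in the order the report lists them.
EVENTS = [
    (4360, 800, "fontdrvhost.exe"), (4360, 808, "fontdrvhost.exe"), (4360, 380, "dwm.exe"),
    (4360, 2456, "sihost.exe"), (4360, 2484, "svchost.exe"), (4360, 2736, "taskhostw.exe"),
    (4360, 3488, "Explorer.EXE"), (4360, 3672, "svchost.exe"), (4360, 3860, "DllHost.exe"),
    (4360, 3948, "StartMenuExperienceHost.exe"), (4360, 4016, "RuntimeBroker.exe"),
    (4360, 768, "SearchApp.exe"), (4360, 2144, "explorer.exe"),
    (2144, 2148, "spoolsv.exe"), (2148, 1648, "svchost.exe"),
    (1648, 5024, "spoolsv.exe"), (1648, 4652, "at.exe"),
    (2144, 800, "fontdrvhost.exe"), (2144, 380, "dwm.exe"), (2144, 3488, "Explorer.EXE"),
    (2144, 4016, "RuntimeBroker.exe"), (2144, 768, "SearchApp.exe"), (2144, 1648, "svchost.exe"),
]


def masquerades(path):
    r"""True if the file name is a well-known Windows binary but its directory is
    not where Windows keeps that binary (e.g. explorer.exe under c:\windows\system)."""
    p = path.lower()
    expected = EXPECTED_DIRS.get(ntpath.basename(p))
    return expected is not None and ntpath.dirname(p) not in expected


def fan_out(events):
    """Map each writer PID to the set of distinct foreign processes it wrote into."""
    targets = defaultdict(set)
    for src, dst, _name in events:
        if src != dst:
            targets[src].add(dst)
    return targets


def suspicious_writers(events, paths, threshold=5):
    """Return {writer PID: [reasons]} for writers that fan out into many processes,
    run from a user-writable path, or masquerade as a system binary."""
    findings = {}
    for pid, tgts in fan_out(events).items():
        path = paths.get(pid, "")
        reasons = []
        if len(tgts) >= threshold:
            reasons.append(f"wrote into {len(tgts)} distinct processes")
        if path.lower().startswith("c:\\users\\"):
            reasons.append("runs from a user-writable path")
        if masquerades(path):
            reasons.append(f"{ntpath.basename(path)} running from {ntpath.dirname(path)}")
        if reasons:
            findings[pid] = reasons
    return findings


def injection_chain(events, start):
    """Follow writes from `start` through targets that themselves became writers,
    taking the first such target in event order (process start order)."""
    writers = fan_out(events)
    chain, pid = [start], start
    while True:
        nxt = next((t for s, t, _ in events if s == pid and t in writers and t not in chain), None)
        if nxt is None:
            return chain
        chain.append(nxt)
        pid = nxt


if __name__ == "__main__":
    for pid, why in sorted(suspicious_writers(EVENTS, PATHS).items()):
        print(pid, PATHS.get(pid, "?"), "->", "; ".join(why))
    print("chain:", " -> ".join(str(p) for p in injection_chain(EVENTS, 4360)))
```

The threshold is deliberately low because the writers here are ordinary user-mode processes; a value that suits telemetry from a whole fleet has to allow for debuggers, AV and EDR agents, which fan out legitimately and are best handled by an allow-list on the writer path rather than by raising the count.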
System policy modification 1 TTPs 2 IoCs
Processes: explorer.exe, 042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (explorer.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe)
Processes (indentation shows parent/child nesting; each entry is PID, image path, command line, then the signatures raised by that process)

PID 800    C:\Windows\system32\fontdrvhost.exe    "fontdrvhost.exe"
PID 808    C:\Windows\system32\fontdrvhost.exe    "fontdrvhost.exe"
PID 380    C:\Windows\system32\dwm.exe    "dwm.exe"
PID 2456   C:\Windows\system32\sihost.exe    sihost.exe
PID 2484   C:\Windows\system32\svchost.exe    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2736   C:\Windows\system32\taskhostw.exe    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3488   C:\Windows\Explorer.EXE    C:\Windows\Explorer.EXE
  PID 4360   C:\Users\Admin\AppData\Local\Temp\042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe    "C:\Users\Admin\AppData\Local\Temp\042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID 2144   \??\c:\windows\system\explorer.exe    c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID 2148   \??\c:\windows\system\spoolsv.exe    c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 1648   \??\c:\windows\system\svchost.exe    c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID 5024   \??\c:\windows\system\spoolsv.exe    c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          PID 4652   C:\Windows\SysWOW64\at.exe    at 18:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID 244    C:\Windows\SysWOW64\at.exe    at 18:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID 432    \??\c:\windows\system\spoolsv.exe    c:\windows\system\spoolsv.exe PR
      PID 2416   \??\c:\windows\system\spoolsv.exe    c:\windows\system\spoolsv.exe SE
PID 3672   C:\Windows\system32\svchost.exe    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3860   C:\Windows\system32\DllHost.exe    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3948   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4016   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 768    C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 788    C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4496   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4944   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2444   C:\Windows\system32\backgroundTaskHost.exe    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 1684   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 848    C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2092   C:\Windows\system32\dwm.exe    "dwm.exe"
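The tree above shows how the sample establishes itself: its copy c:\windows\system\explorer.exe is appended to the Winlogon Shell value (logged under the WOW6432Node view, and the at.exe it runs is the SysWOW64 one), EnableLUA and the StandardProfile firewall values are switched off, and svchost.exe from the same directory is scheduled with at.exe to run every day of the week at 18:17 and 18:18. The Python below is an added example, not code from the report or from any sandbox vendor. It evaluates registry-set events and command lines against exactly those indicators, parses an at.exe job into its time, day list, /interactive flag and target, and tags each hit with the ATT&CK technique it corresponds to. REG_EVENTS and CMDLINES are constructed from the report's signature tables and process tree; DEFAULT_SHELL and SYSTEM_DIRS assume a default Windows install.

```python
r"""Registry and command-line checks for the persistence and defence-evasion
behaviour in this report: the extended Winlogon Shell, EnableLUA=0, the
StandardProfile firewall values, and the at.exe jobs.

Added example; not code from the sandbox vendor. REG_EVENTS and CMDLINES are
constructed from the report's signature tables and process tree.
"""
import ntpath
import re

REG_EVENTS = [  # (key, value name, data) as logged; constructed subset of the report
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "shell", r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", "0"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", "0"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "DisableNotifications", "1"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "DoNotAllowExceptions", "0"),
]
CMDLINES = [  # constructed from the process tree
    r"at 18:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 18:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"c:\windows\system\spoolsv.exe PR",
]

# (value name, data) pairs that weaken defences, with a description and the
# ATT&CK technique each one corresponds to.
POLICY_FLAGS = {
    ("enablelua", "0"): ("UAC disabled (EnableLUA=0)", "T1548.002"),
    ("enablefirewall", "0"): ("Windows Firewall disabled (EnableFirewall=0)", "T1562.004"),
    ("disablenotifications", "1"): ("firewall notifications suppressed", "T1562.004"),
}
DEFAULT_SHELL = {"explorer.exe", r"c:\windows\explorer.exe"}   # default Windows shell value
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def extra_shells(data):
    """Entries in a Winlogon Shell value other than the default explorer.exe.
    Winlogon runs every comma-separated entry, so a second executable appended
    after a comma is the persistence signal; order is preserved."""
    return [e.strip() for e in data.split(",")
            if e.strip().strip('"').lower() not in DEFAULT_SHELL]


def check_registry(events):
    """Return (description, technique) findings for registry-set events."""
    findings = []
    for key, name, data in events:
        if key.lower().endswith(r"\winlogon") and name.lower() == "shell":
            for extra in extra_shells(data):
                findings.append((f"Winlogon Shell extended with {extra}", "T1547.004"))
        hit = POLICY_FLAGS.get((name.lower(), str(data)))
        if hit:
            findings.append(hit)
    return findings


# at [<path>\]at[.exe] <HH:MM> [flags] <command>; argv[0] may be bare "at".
AT_JOB = re.compile(
    r"^\s*(?:\S*\\)?at(?:\.exe)?\s+(\d{1,2}:\d{2})\s+(?:(.*?)\s+)?(\S+)\s*$", re.I)


def parse_at_job(cmdline):
    """Parse an at.exe job line; None if the line is not an at job."""
    m = AT_JOB.match(cmdline)
    if not m:
        return None
    time_, flags, target = m.group(1), m.group(2) or "", m.group(3)
    every = re.search(r"/every:(\S+)", flags, re.I)
    return {
        "time": time_,
        "interactive": "/interactive" in flags.lower(),
        "days": every.group(1).split(",") if every else None,
        "target": target,
        "odd_location": ntpath.dirname(target.lower()) not in SYSTEM_DIRS,
    }


def check_cmdlines(cmdlines):
    """Return (description, technique) findings for at.exe jobs in the command lines."""
    findings = []
    for line in cmdlines:
        job = parse_at_job(line)
        if job is None:
            continue
        why = []
        if job["days"]:
            why.append(f"recurs every {','.join(job['days'])} at {job['time']}")
        if job["interactive"]:
            why.append("/interactive (runs in the console session)")
        if job["odd_location"]:
            why.append(f"target outside the system directories: {job['target']}")
        if why:
            findings.append(("at.exe job: " + "; ".join(why), "T1053.002"))
    return findings


def scan(reg_events=REG_EVENTS, cmdlines=CMDLINES):
    """All findings for one run, registry hits first."""
    return check_registry(reg_events) + check_cmdlines(cmdlines)


if __name__ == "__main__":
    for desc, tid in scan():
        print(f"[{tid}] {desc}")
```

On a live host the same checks apply to values read with Get-ItemProperty and to the command lines recorded in Sysmon event ID 1 or the output of at.exe; at.exe is deprecated on Windows 10, so any surviving at job, let alone one with /interactive, deserves a look on its own. The WOW6432Node path in the logged Winlogon key is worth keeping in the rule, since a 32-bit sample's writes land in that view.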
Network
MITRE ATT&CK Enterprise v15 (the number after each technique is the report's signature count for it)
Persistence
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (9)
Downloads (files dropped during the run)
-
Filesize: 287KB
MD5: 1f34a06f0d34eb0ca983c66c4107ace7
SHA1: a8d93746f29565903a2eae07e028937f7ca43d91
SHA256: 9e3bde1b37cc5efb387171a4aec602664ce772fa8fd71ea0f6f3b9043612d0c9
SHA512: 0ca21df767f11fdc31005970629227152503a41784864801b650fcdc756db45d750555a1707aacf3b02a0ffa1863e986d7f4aa0e4a63eab59037e24fb81c5dc0
-
Filesize: 256B
MD5: 36958c0091467a28ec3abc1cebf7f1dd
SHA1: cbcab47200410d4d33b11803a9433ceac8613583
SHA256: fbf08d534e30a4ce2bc45a261f93ee2e338621ae4ec693c08d822a5a05035272
SHA512: df5333f963853ed2c4c7970de65e35acd9f9f31b9b37ff178884952bff59b8e8577d6d12fb3f2d06bcbab2a7dce17c0f68a8aed762ba979a09d780e7198b1a16
-
Filesize: 287KB
MD5: df01c9d50965fae182c59480838d379a
SHA1: adcf255442222007bd2a46fa1e10261a75b4b674
SHA256: 5c76957b18fecce67aec7e3f88af32f6246f27aae7661b8f03f672a7cdc97b65
SHA512: 992550393995bd6d344aa34b669e48a356bf0b307a032b7b1b7b736e1dd6e7f2b09790a31bf20b44fd1005b39ba2944163e2763c4f1c5504589f9b452dbbc3b7
-
Filesize: 287KB
MD5: e7b434b849dcca171235ba6cd0b77b08
SHA1: 5d58b5c59dd2a7e3c816f7c68a63d82c476ca751
SHA256: 5b6d20e3f7e0cd81d91687e1dc5d54791df7b28cc03e53cbc80c03c2c64e4e36
SHA512: e5ed4d77ca1c7f85142c8f102a2103e559755940bac2e74e689a10a06cb9a97ac65c246a1f1e8c778979f74921ec6d7eb2997e0db92e34654f5ec4f4c906e287
-
Filesize: 100KB
MD5: b16822fb84ca8970500aa26a0a81b458
SHA1: 83481e14dc4bb95359975b1ddbb1358db02c6e46
SHA256: 71c14d4036fe9b8f72f9b96e2a76169a8f572c0d62565ff171cf182bb5e71366
SHA512: 8eb3de69a85d4d37ede2ce220eb46855ba0810e68aa114317d7b731cf18e3900741127f3fcf579f421ef0109a0392947e3a6e1f8477a39225b6b7189f202ffca
-
Filesize: 287KB
MD5: 569d41cf2eaea595432d8e4cd5f940cc
SHA1: 39ad6fef56befd95122305c5f79d8929e5509587
SHA256: 4e5134d486b0452e3b299d64b9d2bd5eda12a2dc0154442756b8c38d236a074f
SHA512: c01e176a764bbbf7b061b09ca649ab3ae44277a12da7f9f2bdf054de6beaced6a775e1d33b959484904f75bde1a02e65a1891f8d309651dacc6428a9d9ee42c0