Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 02:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Resource: win7-20240508-en
General
- Target: b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Size: 97KB
- MD5: a3ac7a77366f0312dd67bbb9989e169b
- SHA1: 0c317f054d9ebf10f8aea4f6a77c6fe89971292a
- SHA256: b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e
- SHA512: d82403ff443d72f4a0f3be4268b3ba32af6f539bdb5b3e11daa862cbc403f0f51c0db2cd88eaaa8c4cae344f998a59a0bc1b274923832b877c55a7d8eb8a5cde
- SSDEEP: 1536:Z0iLuFuWsCjN04UY4F8xeZVu5Bm/Zqw/7ZBhOj3ZQvCglHFb0gFfadNpLuF:iPRxN04UgQZVu8/Lp+JQv/lHFbFFsN8
Malware Config
Extracted
- Family: sality
- URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
Process (all rows): b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass
Process: b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process (all rows): b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 33 IoCs
yara_rule (all rows): INDICATOR_EXE_Packed_SimplePolyEngine
resource: behavioral2/memory/1508-N-0x00000000007F0000-0x00000000018AA000-memory.dmp, for N = 3, 4, 11, 17, 8, 18, 6, 7, 5, 1, 21, 22, 23, 24, 25, 26, 28, 29, 30, 32, 33, 35, 37, 40, 42, 44, 47, 48, 50, 52, 53, 54, 61
UPX dump on OEP (original entry point) 34 IoCs
yara_rule (all rows): UPX
resource: behavioral2/memory/1508-N-0x00000000007F0000-0x00000000018AA000-memory.dmp, for N = 3, 4, 11, 17, 8, 18, 6, 7, 5, 1, 21, 22, 23, 24, 25, 26, 28, 29, 30, 32, 33, 35, 37, 40, 42, 44, 47, 48, 50, 52, 53, 54, 61
resource: behavioral2/memory/1508-78-0x0000000000400000-0x0000000000412000-memory.dmp
yara_rule (all rows): upx
resource: behavioral2/memory/1508-N-0x00000000007F0000-0x00000000018AA000-memory.dmp, for N = 3, 4, 11, 17, 8, 18, 6, 7, 5, 1, 21, 22, 23, 24, 25, 26, 28, 29, 30, 32, 33, 35, 37, 40, 42, 44, 47, 48, 50, 52, 53, 54, 61
Windows security modification
Process (all rows): b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled
Process: b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- File opened (read-only): \??\Q:, \??\S:, \??\E:, \??\H:, \??\J:, \??\M:, \??\O:, \??\G:, \??\I:, \??\K:, \??\L:, \??\N:, \??\P:, \??\R:
Drops file in Program Files directory 4 IoCs
Process (all rows): b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- File opened for modification C:\Program Files\7-Zip\7z.exe
- File opened for modification C:\Program Files\7-Zip\7zFM.exe
- File opened for modification C:\Program Files\7-Zip\7zG.exe
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe
Drops file in Windows directory 2 IoCs
Process (all rows): b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- File created C:\Windows\e5735b6
- File opened for modification C:\Windows\SYSTEM.INI
Suspicious behavior: EnumeratesProcesses 4 IoCs
- pid 1508, Process b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe (4 identical rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege, pid 1508, Process b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe (64 identical rows)
Suspicious use of WriteProcessMemory 33 IoCs
Source (all rows): PID 1508, Process b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe. Target PID (procid_target):
- 760 (8), 764 (9), 64 (13), 2628 (44), 2648 (45), 2792 (47), 3404 (56), 3576 (57), 3780 (58), 3868 (59), 3932 (60), 4016 (61), 4132 (62), 4516 (73), 3788 (74): each listed twice
- 4752 (81), 1012 (84), 5056 (85): each listed once
System policy modification 1 TTPs 1 IoCs
Process: b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 760
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 764
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 64
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2628
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2648
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2792
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3404
  - C:\Users\Admin\AppData\Local\Temp\b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe (depth 2, nested under Explorer.EXE)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b9ba1ac421fa2b27447bfb9aeb3239d418c2a2db57ef75c7b3429a90b8c2534e.exe"
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 1508
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3576
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3780
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3868
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3932
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4016
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4132
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4516
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3788
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 4752
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1012
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 5056
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)