Analysis
max time kernel: 92s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-06-2024 07:30
Static task: static1
Behavioral task: behavioral1
Sample: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
Resource: win7-20240508-en
General
Target: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
Size: 4.8MB
MD5: cf0b2b6db9247d897dce923963cd4489
SHA1: 69ee0a9e0d6162cf702e57f3869eb5ae3eec8661
SHA256: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975
SHA512: 2d9a61c9c38f3e71c558a2fa155a9b39ed48b4fe2dd2c045bf5c38ff7c70dfa640a7b4d85533ba74156cc4fba3dfe6f6ee28e84ea1d032ee2ae9f37cdbcc1dd9
SSDEEP: 24576:W4L1dN9IgGFCXy3DryDNYhJkfdTazmaj9Tb9X9Pu3mmGld6oKZmMP+73lIqV:NB3pyYqhJkfdVa5TLG3mmhHmMP+bl3V
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

UAC bypass
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"

Loads dropped DLL 1 IoCs
- pid 4308, Process ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe

resource / yara_rule
- 39 memory dumps of PID 4308, all of the region 0x00000000027D0000-0x000000000388A000, matched rule upx: behavioral2/memory/4308-N-0x00000000027D0000-0x000000000388A000-memory.dmp for N = 1, 3, 5, 6, 14, 16, 4, 17, 19, 20, 31, 30, 32, 34, 35, 37, 38, 39, 41, 42, 44, 46, 49, 51, 53, 55, 57, 59, 61, 63, 65, 72, 74, 77, 79, 82, 84, 88, 113

Windows security modification
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"

Checks whether UAC is enabled
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- File opened (read-only) on each of: \??\H:, \??\R:, \??\W:, \??\X:, \??\I:, \??\K:, \??\S:, \??\V:, \??\Y:, \??\T:, \??\E:, \??\J:, \??\L:, \??\M:, \??\N:, \??\G:, \??\O:, \??\P:, \??\U:, \??\Z:

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- File opened for modification \??\PhysicalDrive0

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- File opened for modification F:\autorun.inf
- File opened for modification C:\autorun.inf

Drops file in Program Files directory 12 IoCs
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
- File opened for modification C:\Program Files\7-Zip\7z.exe
- File opened for modification C:\Program Files\7-Zip\7zFM.exe
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- File opened for modification C:\Program Files\7-Zip\7zG.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Drops file in Windows directory 2 IoCs
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- File created C:\Windows\e574120
- File opened for modification C:\Windows\SYSTEM.INI
Suspicious behavior: EnumeratesProcesses 20 IoCs
- pid 4308, Process ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe (20 identical entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege, pid 4308, Process ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe (64 identical entries)

Suspicious use of WriteProcessMemory 64 IoCs
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe (pid 4308). The 64 entries cycle repeatedly through the targets below; 3116 appears only in the first pass, 64 and 4196 only from the second pass on.
- PID 4308 wrote to memory of 788 (procid_target 8)
- PID 4308 wrote to memory of 792 (procid_target 9)
- PID 4308 wrote to memory of 336 (procid_target 13)
- PID 4308 wrote to memory of 2568 (procid_target 44)
- PID 4308 wrote to memory of 2632 (procid_target 45)
- PID 4308 wrote to memory of 3008 (procid_target 52)
- PID 4308 wrote to memory of 3472 (procid_target 56)
- PID 4308 wrote to memory of 3608 (procid_target 57)
- PID 4308 wrote to memory of 3784 (procid_target 58)
- PID 4308 wrote to memory of 3900 (procid_target 59)
- PID 4308 wrote to memory of 3964 (procid_target 60)
- PID 4308 wrote to memory of 4052 (procid_target 61)
- PID 4308 wrote to memory of 4268 (procid_target 62)
- PID 4308 wrote to memory of 1956 (procid_target 73)
- PID 4308 wrote to memory of 4732 (procid_target 74)
- PID 4308 wrote to memory of 3116 (procid_target 79)
- PID 4308 wrote to memory of 64 (procid_target 82)
- PID 4308 wrote to memory of 4196 (procid_target 83)

System policy modification 1 TTPs 1 IoCs
Process: ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe (PID 788, level 1), command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 792, level 1), command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 336, level 1), command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2568, level 1), command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2632, level 1), command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 3008, level 1), command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3472, level 1), command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe (PID 4308, level 2), command line: "C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe"
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe (PID 3608, level 1), command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3784, level 1), command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3900, level 1), command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3964, level 1), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4052, level 1), command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4268, level 1), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1956, level 1), command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4732, level 1), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 3116, level 1), command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 64, level 1), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 4196, level 1), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
- Pre-OS Boot (1): Bootkit (1)
Downloads
- Filesize: 480KB
  MD5: d5f22fc1beff60f5fa9398effca73e2f
  SHA1: f84c5f048b5269381a8c6d1dc21905458856543b
  SHA256: 214a5e9aab33148866db82ab51c5bcce9e4240794c2c2850fa0f7b3bc3aa34e6
  SHA512: b031336bf42a55e738a412b39acff8b57892f8d2b49c3ec4eadc9f7c9ad45cbc0f5b06a921fd07cfed2faf2de07c6957dfd8975de5e322f0f82c558ee9dcf1c3
- Filesize: 97KB
  MD5: bc70255749b5dac4a612e2e00cfa141d
  SHA1: b962c993424d5f0625fc4622ee96ae328e7197f4
  SHA256: 6cb9f64f7cdf277f5f496dbeace7d7fe4c62c43b05a3f52326fe8e55136290bc
  SHA512: 1878530d81b79e1a13443a7a942fd96c06f662c036a195dab0fdada1dcaf38e27a9ed424f3b2ea6a5f8d08f1b40920472d4ef8a34dd2c411d5ea033654ac3577