Analysis
max time kernel: 123s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/07/2024, 09:10
Static task: static1
Behavioral task: behavioral1
Sample: 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Resource: win7-20240704-en
General
Target: 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Size: 124KB
MD5: 9a1ab17165e7479a824fff589f61ff4c
SHA1: 3e113fde76fd0132f92ba18d8eca697925d1ded3
SHA256: 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05
SHA512: 3af303a03dd9a63dd0efddbf8f56944c5654467ca440e67843253d2461458b9836c8dc678315c347a491b9fc901ec431e166c2ac9f7d40eb2e06e11ad89c86a8
SSDEEP: 1536:A3SHmLKarIpY/LcP50Gb8Tfp804Xel9hx5r6XOcCaWuG3rgQSw8O:AkF3p8LchVYW0Uel9hD6XvCduVQth
Malware Config
Extracted
sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Executes dropped EXE (2 IoCs)
pid | Process
- 1424 | Logo1_.exe
- 4272 | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
- File opened for modification | C:\autorun.inf | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- File opened for modification | F:\autorun.inf | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (6 IoCs)
description | ioc | Process
- File created | C:\Windows\e5772af | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- File opened for modification | C:\Windows\SYSTEM.INI | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- File created | C:\Windows\vDll.dll | Logo1_.exe
- File created | C:\Windows\rundl132.exe | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- File created | C:\Windows\Logo1_.exe | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
- File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe
Processes
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID:780
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID:784
- C:\Windows\system32\dwm.exe ("dwm.exe"), PID:336
- C:\Windows\system32\sihost.exe (sihost.exe), PID:2452
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc), PID:2488
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}), PID:2700
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID:3564
  - C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe ("C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe"), PID:4984
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7109.bat), PID:4068
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Conhost.exe (\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1), PID:3648
      - C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe ("C:\Users\Admin\AppData\Local\Temp\0cf7e1c3efbe6b365efbc513c2ba80b9a93fe9de5241ef030f01fd99574a5e05.exe"), PID:4272
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\Logo1_.exe (C:\Windows\Logo1_.exe), PID:1424
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (net stop "Kingsoft AntiVirus Service"), PID:3664
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), PID:5044
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc), PID:3688
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID:3888
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca), PID:3980
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:4044
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca), PID:776
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:2356
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca), PID:1728
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:532
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca), PID:4264
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca), PID:4724
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:2408
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID:64
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}), PID:4064
- C:\Windows\system32\BackgroundTransferHost.exe ("BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1), PID:2408
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads