Analysis
- max time kernel: 13s
- max time network: 88s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-07-2024 04:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
- Resource: win7-20240708-en
General
- Target: 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
- Size: 216KB
- MD5: 63bf82b7bd6f481c0ca2ba4618f2e800
- SHA1: 8c4b139e9bbba1aa4da71e96aa434643e9e9f7df
- SHA256: 2073c59a323a901cf607b310b15125ef457e8c8c7fda2dce33c93f7bdd92aff3
- SHA512: 8acff7ef8a861f28469100357aee9e6677c5544f1d200c64d3f8cbea6cb174b6ce57d810cb6ea01cd6b0326d251f7f843b2d41606bb6f235bf3d404bb5a71b65
- SSDEEP: 3072:mv+htWMtf+7GZYGVA2QJgi8xJLDoUPJEeUFMskH3dJV4CJruNs0:4EGqZYGVd82PDNEzFMXH3df1Jr30
Malware Config
Extracted
sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Nopqrs.exe
-
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Nopqrs.exe
-
Windows security bypass 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | Nopqrs.exe
-
Fatal Rat payload 3 IoCs
resource | yara_rule
behavioral2/memory/4276-2-0x0000000010000000-0x000000001001C000-memory.dmp | fatalrat
behavioral2/memory/3676-33-0x0000000010000000-0x000000001001C000-memory.dmp | fatalrat
behavioral2/memory/4276-123-0x0000000000400000-0x0000000000436000-memory.dmp | fatalrat
-
Executes dropped EXE 1 IoCs
pid | Process
3676 | Nopqrs.exe
-
Memory regions matching yara rule upx 45 IoCs
resource | yara_rule
behavioral2/memory/4276-19-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-9-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-8-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-15-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-14-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-13-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-12-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-11-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-10-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-22-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-21-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-23-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-24-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-25-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-27-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/3676-47-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-46-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-45-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-44-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-43-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-39-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-32-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-55-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-42-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-41-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-40-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-54-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-53-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/4276-51-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-57-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/3676-58-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/4276-92-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-77-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/4276-71-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/3676-88-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-84-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/3676-81-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/4276-74-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/3676-72-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/4276-126-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/3676-70-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/4276-63-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/3676-61-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
behavioral2/memory/4276-60-0x00000000007F0000-0x000000000187E000-memory.dmp | upx
behavioral2/memory/3676-59-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
-
Windows security modification 20 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Nopqrs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | Nopqrs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | Nopqrs.exe
-
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Nopqrs.exe
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
File opened (read-only) | \??\G: | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
File opened (read-only) | \??\H: | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
File created | C:\Windows\Nopqrs.exe | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
File opened for modification | C:\Windows\Nopqrs.exe | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_100 = "4035896428" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_122 = "784071591" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_132 = "2582794401" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_168 = "3897148470" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_4 = "1410191389" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_110 = "986909571" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_236 = "3082232017" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_255 = "4278575856" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_109 = "3867042430" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_188 = "3979721411" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_196 = "2524033990" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_4 = "1364026700" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_41 = "3603902486" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_55 = "501756117" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_62 = "2806106966" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_90 = "2773318601" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_192 = "1048772160" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_273 = "262306366" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_29 = "2373000807" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_141 = "1894471838" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_276 = "869441738" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_0 = "3299283285" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_130 = "3528674248" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_130 = "3545249295" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_149 = "344124162" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_61 = "503398042" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_17 = "2575888003" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_124 = "3630122036" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_173 = "4233315448" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_214 = "2108468066" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_233 = "3218885771" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_291 = "265333760" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_14 = "2626609802" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_110 = "1003519072" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_143 = "462262132" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_207 = "3048264649" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_52 = "552477916" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_113 = "3881412082" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_116 = "902068636" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_125 = "749911987" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_133 = "2339183170" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_72 = "3077636983" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_68 = "1713617420" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_136 = "3427234840" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_215 = "1743551459" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_276 = "3923529084" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_277 = "1043310287" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_30 = "3787746970" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_101 = "1172395926" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_181 = "2683129222" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_294 = "3619198290" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_70 = "248147122" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_49 = "603199715" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_211 = "2159182190" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_212 = "3573932807" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_11 = "2677328230" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1516192097 = "397" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_8 = "3010704065" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_93 = "435326789" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = "0" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_99 = "2760348325" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_202 = "2311349593" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_245 = "1869983796" | Nopqrs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_83 = "1443274688" | Nopqrs.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
3676 | Nopqrs.exe
3676 | Nopqrs.exe
3676 | Nopqrs.exe
3676 | Nopqrs.exe
4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 3676 | Nopqrs.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Token: SeDebugPrivilege | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
-
Suspicious use of WriteProcessMemory 54 IoCs
description | pid | Process | procid_target
PID 4276 wrote to memory of 796 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 9
PID 4276 wrote to memory of 800 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 10
PID 4276 wrote to memory of 384 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 13
PID 4276 wrote to memory of 2784 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 49
PID 4276 wrote to memory of 2856 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 50
PID 4276 wrote to memory of 2140 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 52
PID 4276 wrote to memory of 3380 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 55
PID 4276 wrote to memory of 3604 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 57
PID 4276 wrote to memory of 3792 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 58
PID 4276 wrote to memory of 3936 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 59
PID 4276 wrote to memory of 3996 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 60
PID 4276 wrote to memory of 4080 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 61
PID 4276 wrote to memory of 3904 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 62
PID 4276 wrote to memory of 2144 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 64
PID 4276 wrote to memory of 1188 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 76
PID 4276 wrote to memory of 2400 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 81
PID 4276 wrote to memory of 2764 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 82
PID 3676 wrote to memory of 796 | 3676 | Nopqrs.exe | 9
PID 3676 wrote to memory of 800 | 3676 | Nopqrs.exe | 10
PID 3676 wrote to memory of 384 | 3676 | Nopqrs.exe | 13
PID 3676 wrote to memory of 2784 | 3676 | Nopqrs.exe | 49
PID 3676 wrote to memory of 2856 | 3676 | Nopqrs.exe | 50
PID 3676 wrote to memory of 2140 | 3676 | Nopqrs.exe | 52
PID 3676 wrote to memory of 3380 | 3676 | Nopqrs.exe | 55
PID 3676 wrote to memory of 3604 | 3676 | Nopqrs.exe | 57
PID 3676 wrote to memory of 3792 | 3676 | Nopqrs.exe | 58
PID 3676 wrote to memory of 3936 | 3676 | Nopqrs.exe | 59
PID 3676 wrote to memory of 3996 | 3676 | Nopqrs.exe | 60
PID 3676 wrote to memory of 4080 | 3676 | Nopqrs.exe | 61
PID 3676 wrote to memory of 3904 | 3676 | Nopqrs.exe | 62
PID 3676 wrote to memory of 2144 | 3676 | Nopqrs.exe | 64
PID 3676 wrote to memory of 1188 | 3676 | Nopqrs.exe | 76
PID 3676 wrote to memory of 2400 | 3676 | Nopqrs.exe | 81
PID 3676 wrote to memory of 2764 | 3676 | Nopqrs.exe | 82
PID 3676 wrote to memory of 4276 | 3676 | Nopqrs.exe | 83
PID 3676 wrote to memory of 4276 | 3676 | Nopqrs.exe | 83
PID 4276 wrote to memory of 796 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 9
PID 4276 wrote to memory of 800 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 10
PID 4276 wrote to memory of 384 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 13
PID 4276 wrote to memory of 2784 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 49
PID 4276 wrote to memory of 2856 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 50
PID 4276 wrote to memory of 2140 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 52
PID 4276 wrote to memory of 3380 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 55
PID 4276 wrote to memory of 3604 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 57
PID 4276 wrote to memory of 3792 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 58
PID 4276 wrote to memory of 3936 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 59
PID 4276 wrote to memory of 3996 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 60
PID 4276 wrote to memory of 4080 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 61
PID 4276 wrote to memory of 3904 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 62
PID 4276 wrote to memory of 2144 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 64
PID 4276 wrote to memory of 1188 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 76
PID 4276 wrote to memory of 2400 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 81
PID 4276 wrote to memory of 2764 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 82
PID 4276 wrote to memory of 220 | 4276 | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe | 85
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 63bf82b7bd6f481c0ca2ba4618f2e800N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Nopqrs.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 796
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 800
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 384
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2784
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2856
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2140
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3380
  - C:\Users\Admin\AppData\Local\Temp\63bf82b7bd6f481c0ca2ba4618f2e800N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\63bf82b7bd6f481c0ca2ba4618f2e800N.exe"
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    PID: 4276
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3604
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3792
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3936
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3996
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4080
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3904
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2144
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1188
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 2400
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2764
- C:\Windows\Nopqrs.exe
  Command line: C:\Windows\Nopqrs.exe
  Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  PID: 3676
  - C:\Windows\Nopqrs.exe
    Command line: C:\Windows\Nopqrs.exe Win7
    PID: 4404
- C:\Windows\system32\BackgroundTaskHost.exe
  Command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  PID: 220
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 216KB
  MD5: 63bf82b7bd6f481c0ca2ba4618f2e800
  SHA1: 8c4b139e9bbba1aa4da71e96aa434643e9e9f7df
  SHA256: 2073c59a323a901cf607b310b15125ef457e8c8c7fda2dce33c93f7bdd92aff3
  SHA512: 8acff7ef8a861f28469100357aee9e6677c5544f1d200c64d3f8cbea6cb174b6ce57d810cb6ea01cd6b0326d251f7f843b2d41606bb6f235bf3d404bb5a71b65
- Filesize: 257B
  MD5: 89795601a8ed45ba9a6078407684fa12
  SHA1: 0b4c85efc3b970674fbf0bf1dc4b47ca0a0abdcc
  SHA256: 19c0742ab29ee3949ff693574ed74881e34b92ae3d164e6ae883c0753d086127
  SHA512: 941b7982fb103b01a39d4d273bcb447ae6595e7c7164c39b44ddf473f7790ad29fb7c07637bf7defba2e596979efd04f159c32647099d54cf71796ac5c6408ea
- Filesize: 100KB
  MD5: ea71d0e859a87ca4d913985e7a45e71c
  SHA1: 3d7023a20acaba4ea24a57c8f1c7214dece5ae59
  SHA256: 48b690d219e72919dc5aef0fe4a39099283fdafef2e6964621a48965b026c135
  SHA512: 8d48bdb2811ce05cbb2612ea3a90a03557c717282432a14fb4bdef4c10e27936f6eab0a31c68ff4dda0b83db8938b4c96b82671cd2765271528fa53ffc23b270