7b9a0fd990959dfd15a879bbffd13d4959b9bdeecf6831b91b8ac02d72e9bba5

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoof Instructions/Toolz/PrivaZerPortable/PrivaZerPortable.exe
Size

318KB
MD5

bcd6161b343dc8720e162a767f43cef3
SHA1

b9e93c755a04407b14998cc3a3c0daa6b01bb3eb
SHA256

ea0a403721dabdf04450c835667facc68a5434989263bea3701de6c9eb784a4d
SHA512

7cf62ce9eca4405c75f6e8db0b025bc7075fdb52e95e74e27c6910c9ee3c738ae457b0eadfa5f60f3378b651f6a3cf7fe12a8c261fc9822da782606eb4b3e4bb
SSDEEP

6144:wEUX9TD12SFJs/Sqh9gfvVSYi7oVG8mmJdn6:wEQBs/SqhW8YwP

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	PrivaZer.exe
File opened (read-only)	\??\G:	PrivaZer.exe
File opened (read-only)	\??\I:	PrivaZer.exe
File opened (read-only)	\??\J:	PrivaZer.exe
File opened (read-only)	\??\Y:	PrivaZer.exe
File opened (read-only)	\??\Z:	PrivaZer.exe
File opened (read-only)	\??\L:	PrivaZer.exe
File opened (read-only)	\??\M:	PrivaZer.exe
File opened (read-only)	\??\S:	PrivaZer.exe
File opened (read-only)	\??\T:	PrivaZer.exe
File opened (read-only)	\??\W:	PrivaZer.exe
File opened (read-only)	\??\X:	PrivaZer.exe
File opened (read-only)	\??\U:	PrivaZer.exe
File opened (read-only)	\??\B:	PrivaZer.exe
File opened (read-only)	\??\E:	PrivaZer.exe
File opened (read-only)	\??\K:	PrivaZer.exe
File opened (read-only)	\??\N:	PrivaZer.exe
File opened (read-only)	\??\O:	PrivaZer.exe
File opened (read-only)	\??\P:	PrivaZer.exe
File opened (read-only)	\??\R:	PrivaZer.exe
File opened (read-only)	\??\V:	PrivaZer.exe
File opened (read-only)	\??\H:	PrivaZer.exe
File opened (read-only)	\??\Q:	PrivaZer.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{fb0b4b5a-6472-4614-99a3-8c605c7c936d}\snapshot.etl	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-2412658365-3084825385-3340777666-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2412658365-3084825385-3340777666-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{fb0b4b5a-6472-4614-99a3-8c605c7c936d}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
4392	PrivaZerPortable.exe
4392	PrivaZerPortable.exe
4392	PrivaZerPortable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrivaZerPortable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrivaZer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	PrivaZer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9d73a0671e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c86c4c0571e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed4f120671e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039a5850571e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cce6d0571e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7d4780671e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049bd1c0571e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ca6660571e5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2698a0571e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4392	PrivaZerPortable.exe
4392	PrivaZerPortable.exe
3084	PrivaZer.exe
3084	PrivaZer.exe
1348	svchost.exe
1348	svchost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	4868	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4868	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3084	PrivaZer.exe
3084	PrivaZer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3084	PrivaZer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3084	PrivaZer.exe
3084	PrivaZer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3084	4392	PrivaZerPortable.exe	83
PID 4392 wrote to memory of 3084	4392	PrivaZerPortable.exe	83
PID 4392 wrote to memory of 3084	4392	PrivaZerPortable.exe	83
PID 4868 wrote to memory of 752	4868	SearchIndexer.exe	85
PID 4868 wrote to memory of 752	4868	SearchIndexer.exe	85
PID 4868 wrote to memory of 4048	4868	SearchIndexer.exe	87
PID 4868 wrote to memory of 4048	4868	SearchIndexer.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\PrivaZerPortable.exe
"C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\PrivaZerPortable.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\PrivaZerPortable\App\PrivaZer\PrivaZer.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:752
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PrivaZerPortableTemp\000\PrivaZer.default.ini

Filesize
28KB

MD5
7d3bf243fbd93d4bbee822f666a03283

SHA1
0abab040ef205d84179ac025dca355b595294009

SHA256
98174317a9bfa3f2a16291213cb74f6af25ae71c38cd335f097f665349f0dc5c

SHA512
ca50cea971f94027aa66c508a7afd87bf8aa62a96d765c654b64085f7075444b51fca6d88afcc7aaf573c4b2533b15c80a26ece5f0e186a9c7480ee0f433ba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrivaZerPortableTemp\000\data.ini

Filesize
140B

MD5
4f75a5cb436a9e9ff3a3468176e9a8d4

SHA1
13049d95a1bc0d673b7547a31b186b0017719bcc

SHA256
1499044ea4d53e03e4b82b2b8d7eb836c2f588d4a17f7b99ecefbfb5590dfbb9

SHA512
b28cc2e74d23eb25e56103ed0852845f7dcf60f87057296fe9eca8c765a8e135bfc5970ff062aea744a2e5d518b62e22e6b57501e9324f5f15bc25a6e3d6396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrivaZerPortableTemp\000\data.ini

Filesize
33B

MD5
b2ec006c3e67b6bd9129fe5e5fbe7b27

SHA1
43ad64edcb9e6cb1f2aa597ce5ff44d1b2e178c4

SHA256
2d7bcda4007dc91377a9856cde2afc8dde9431514c46317f9235d2847e9249ab

SHA512
62e8776de89c07f99911f4de5d4b17cf1342d45693311e49d62195bb01b1d1b2731a0c0fc7f50caa9e5379d013d286292eb54e46d0a00a6b1bc16d828d60edc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9FAD.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9FAD.tmp\launcher.ini

Filesize
628B

MD5
e68f2ad31f23af7aa2143d8c3a2b35fa

SHA1
945584d2b702882f18609f709a92256935903684

SHA256
9d707e1933f7bea73456eb24c8b8d1e69a37bfabd5c701667f5f0267a71b2699

SHA512
3f0c4cfe2388a2656df2ff1b5257d87cd7c258dcd3994ec201b5646192adbba3c7890122237a1f4aba40cba95bebe60ec0a99fef53f0fcdec5ebee16bbac024b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9FAD.tmp\newtextreplace.dll

Filesize
11KB

MD5
b5358341df2cb171876a5f201e31a834

SHA1
df34750ea5504274be5ff8ddd306b49e302d04f9

SHA256
156b9b583399faf13c4d46b89339fb0f7f38dc847ac2d7872178d8e3998b9734

SHA512
821dc42e24fa2d44a1d4d16b26c3da2688dac0fa44a266e38da2aff706c91440d83a87abc74131930e6c38a44a0c5e627db2d045375fde147e0edd3276f4b014

Download Submit
memory/3084-60-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/3084-67-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/3084-68-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/3084-66-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/3084-264-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/3084-263-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/3084-65-0x0000000000400000-0x0000000001BE7000-memory.dmp

Filesize
23.9MB

Download
memory/3084-61-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/4048-188-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-178-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-169-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-173-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-174-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-172-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-171-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-170-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-175-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-176-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-177-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-184-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-183-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-182-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-181-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-179-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-180-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-193-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-185-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-186-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-190-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-189-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-197-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-187-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-191-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-192-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-194-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-196-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-195-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4048-198-0x0000017BCB7F0000-0x0000017BCB800000-memory.dmp

Filesize
64KB

Download
memory/4868-115-0x000002B2A22A0000-0x000002B2A22A8000-memory.dmp

Filesize
32KB

Download
memory/4868-167-0x000002B2A3980000-0x000002B2A3988000-memory.dmp

Filesize
32KB

Download
memory/4868-99-0x000002B29DDB0000-0x000002B29DDC0000-memory.dmp

Filesize
64KB

Download
memory/4868-83-0x000002B29DCB0000-0x000002B29DCC0000-memory.dmp

Filesize
64KB

Download