Analysis

max time kernel: 122s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2024, 18:22

Static task: static1
Behavioral task: behavioral1
Sample: 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
Resource: win7-20240903-en
General

Target: 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
Size: 2.8MB
MD5: d0957b8b6e1b88a2a05c03f48b4bfb2d
SHA1: 64eab9983698039c7a90899db4b7047b81ded7c2
SHA256: 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d
SHA512: 8ee84ca8bcadaaeef801517859bae7a96a74a564a112b1a7dce575ec4cfc1ed722e55bc2fddeb1906b0b3e612c0ec7a3d3ec721962a8caaf3bb5123553f8cd8b
SSDEEP: 49152:lLPkdVO3K46qKCSoJhMPmuYnH7mSl5cTsp/UJQyKnzZ/Yeco/rZjGxqm:93K46qKDKMPMnHRcQqYZWt
Malware Config

Extracted config family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service (3 TTPs, 3 IoCs)
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
resource | yara_rule
behavioral2/memory/3960-1-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-6-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-5-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-8-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-4-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-3-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-7-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-13-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-12-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-9-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-16-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-17-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-19-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-20-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-21-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-23-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-24-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-26-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-27-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-30-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-31-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-33-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-35-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-38-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-39-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-41-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-42-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-43-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-49-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-51-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-53-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-55-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-56-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-58-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-59-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-60-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-63-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-66-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-67-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-69-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
behavioral2/memory/3960-70-0x0000000003A30000-0x0000000004ABE000-memory.dmp | upx
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
File opened (read-only) | \??\I:
File opened (read-only) | \??\K:
File opened (read-only) | \??\M:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\V:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\G:
File opened (read-only) | \??\H:
File opened (read-only) | \??\J:
File opened (read-only) | \??\O:
File opened (read-only) | \??\P:
File opened (read-only) | \??\W:
File opened (read-only) | \??\X:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\E:
File opened (read-only) | \??\N:
File opened (read-only) | \??\R:
File opened (read-only) | \??\U:
File opened (read-only) | \??\L:
File opened (read-only) | \??\S:
File opened (read-only) | \??\T:
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
File opened for modification | C:\autorun.inf
File opened for modification | F:\autorun.inf
Drops file in Program Files directory (11 IoCs)
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe
Drops file in Windows directory (1 IoCs)
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
File opened for modification | C:\Windows\SYSTEM.INI
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
3960 | 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
(the report lists this same row 24 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3960 | 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
(the report lists this same row 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | pid | procid_target
PID 3960 wrote to memory of 784 | 3960 | 8
PID 3960 wrote to memory of 792 | 3960 | 9
PID 3960 wrote to memory of 376 | 3960 | 13
PID 3960 wrote to memory of 2672 | 3960 | 44
PID 3960 wrote to memory of 2688 | 3960 | 45
PID 3960 wrote to memory of 2804 | 3960 | 47
PID 3960 wrote to memory of 3552 | 3960 | 56
PID 3960 wrote to memory of 3688 | 3960 | 57
PID 3960 wrote to memory of 3872 | 3960 | 58
PID 3960 wrote to memory of 3964 | 3960 | 59
PID 3960 wrote to memory of 4028 | 3960 | 60
PID 3960 wrote to memory of 704 | 3960 | 61
PID 3960 wrote to memory of 3796 | 3960 | 62
PID 3960 wrote to memory of 4088 | 3960 | 71
PID 3960 wrote to memory of 464 | 3960 | 75
PID 3960 wrote to memory of 3864 | 3960 | 77
(the report lists this sequence of 16 rows four times in the same order, 64 rows in total)
System policy modification (1 TTPs, 1 IoCs)
Process (all rows): 97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

path | command line | PID (child processes indented under their parent)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID: 376
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 2672
C:\Windows\system32\sihost.exe | sihost.exe | PID: 2688
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 2804
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 3552
    C:\Users\Admin\AppData\Local\Temp\97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe | "C:\Users\Admin\AppData\Local\Temp\97c5209221ad1294488119f5c37e4263841a8e57d1aa68143d9e4da64d64572d.exe" | PID: 3960
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 3688
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3872
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3964
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 4028
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 704
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3796
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 4088
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID: 464
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3864
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 100KB
MD5: a675b4ba050935a8c0c9a58a18bbac97
SHA1: e1daa1653504c0aca9d78d2ed87c5a867b02203d
SHA256: cb80270b73b97816d02792efe2427f1b0dcb5d71dd7c7d8a13a4ac356c9c85e6
SHA512: d88012a6dc80239be6221064204fa46bb296b40c1f99d97f511f277254a5d3c774ef53d11dce795601b31973e2109c8144a6a81b15d945de084de878aee10531