Analysis
max time kernel: 36s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 04/11/2024, 03:53
Static task: static1
Behavioral task: behavioral1
Sample: 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Resource: win7-20240903-en
General
Target: 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Size: 317KB
MD5: 76e4c67f2f63c5b0cf1c17fb6c43c760
SHA1: bcaccce30f728ba7efe489a16c8f14235347967f
SHA256: 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
SHA512: 78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7
SSDEEP: 6144:dNyZWJhe+9xwSp0Ksr8/Ddv/9zyKI20IBHqLw:dNbhe+9fp0VYDZ9G0DBK
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Un_A.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Deletes itself 1 IoCs
pid | Process
3492 | Un_A.exe

Executes dropped EXE 1 IoCs
pid | Process
3492 | Un_A.exe

Loads dropped DLL 9 IoCs
pid | Process
3492 | Un_A.exe (this row is repeated 9 times)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Un_A.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Un_A.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Un_A.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Un_A.exe
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | Un_A.exe
File opened (read-only) | \??\I: | Un_A.exe
File opened (read-only) | \??\J: | Un_A.exe
File opened (read-only) | \??\K: | Un_A.exe
File opened (read-only) | \??\L: | Un_A.exe
File opened (read-only) | \??\M: | Un_A.exe
File opened (read-only) | \??\E: | Un_A.exe
File opened (read-only) | \??\G: | Un_A.exe

resource | yara_rule
behavioral2/memory/4068-{1,3,4,5,6,9,10,21}-0x0000000002270000-0x00000000032FE000-memory.dmp (8 dumps of PID 4068, same region) | upx
behavioral2/memory/3492-{51,53,54,55,56,57,61,62,63,66,67,68,100,101,104,105,107,108,109,111,112,115,118,126,127,128,129,132,133}-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (29 dumps of PID 3492, same region) | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Un_A.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe (this row is repeated 2 times)
3492 | Un_A.exe (this row is repeated 8 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe (this row is repeated 64 times)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4068 wrote to memory of 780 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 8
PID 4068 wrote to memory of 788 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 9
PID 4068 wrote to memory of 336 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 13
PID 4068 wrote to memory of 2684 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 44
PID 4068 wrote to memory of 2696 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 45
PID 4068 wrote to memory of 2908 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 51
PID 4068 wrote to memory of 3436 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 56
PID 4068 wrote to memory of 3572 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 57
PID 4068 wrote to memory of 3752 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 58
PID 4068 wrote to memory of 3848 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 59
PID 4068 wrote to memory of 3916 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 60
PID 4068 wrote to memory of 4008 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 61
PID 4068 wrote to memory of 4232 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 62
PID 4068 wrote to memory of 2416 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 75
PID 4068 wrote to memory of 1268 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 76
PID 4068 wrote to memory of 1584 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 81
PID 4068 wrote to memory of 2268 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 82
PID 4068 wrote to memory of 3492 | 4068 | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | 84 (this row is repeated 3 times)
PID 3492 wrote to memory of 780 | 3492 | Un_A.exe | 8
PID 3492 wrote to memory of 788 | 3492 | Un_A.exe | 9
PID 3492 wrote to memory of 336 | 3492 | Un_A.exe | 13
PID 3492 wrote to memory of 2684 | 3492 | Un_A.exe | 44
PID 3492 wrote to memory of 2696 | 3492 | Un_A.exe | 45
PID 3492 wrote to memory of 2908 | 3492 | Un_A.exe | 51
PID 3492 wrote to memory of 3436 | 3492 | Un_A.exe | 56
PID 3492 wrote to memory of 3572 | 3492 | Un_A.exe | 57
PID 3492 wrote to memory of 3752 | 3492 | Un_A.exe | 58
PID 3492 wrote to memory of 3848 | 3492 | Un_A.exe | 59
PID 3492 wrote to memory of 3916 | 3492 | Un_A.exe | 60
PID 3492 wrote to memory of 4008 | 3492 | Un_A.exe | 61
PID 3492 wrote to memory of 4232 | 3492 | Un_A.exe | 62
PID 3492 wrote to memory of 2416 | 3492 | Un_A.exe | 75
PID 3492 wrote to memory of 1268 | 3492 | Un_A.exe | 76
PID 3492 wrote to memory of 1584 | 3492 | Un_A.exe | 81
PID 3492 wrote to memory of 2268 | 3492 | Un_A.exe | 82
(the preceding 17 Un_A.exe rows, targets 780 through 2268, appear a second time in the same order)
PID 3492 wrote to memory of 4240 | 3492 | Un_A.exe | 85
PID 3492 wrote to memory of 1436 | 3492 | Un_A.exe | 86
PID 3492 wrote to memory of 2312 | 3492 | Un_A.exe | 87
PID 3492 wrote to memory of 780 | 3492 | Un_A.exe | 8
PID 3492 wrote to memory of 788 | 3492 | Un_A.exe | 9
PID 3492 wrote to memory of 336 | 3492 | Un_A.exe | 13
PID 3492 wrote to memory of 2684 | 3492 | Un_A.exe | 44
PID 3492 wrote to memory of 2696 | 3492 | Un_A.exe | 45
PID 3492 wrote to memory of 2908 | 3492 | Un_A.exe | 51
PID 3492 wrote to memory of 3436 | 3492 | Un_A.exe | 56

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Un_A.exe
Processes
image | command line | PID (indentation shows the process tree depth; matched signatures are listed beneath each process)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 336
C:\Windows\system32\sihost.exe | sihost.exe | PID 2684
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2696
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2908
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3436
    C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe | "C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe" | PID 4068
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\ | PID 3492
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Deletes itself
            - Executes dropped EXE
            - Loads dropped DLL
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3572
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3752
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3848
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3916
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4008
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4232
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2416
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1268
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 1584
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2268
C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID 4240
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1436
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2312
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 249KB
MD5: 0a5c25e3cd2be05bd66d913daf651928
SHA1: 3077abd0e78b2c8c441944130e98df74b9843693
SHA256: 7de0b18ce9840e97ec87f948ab0ed8fff2ad4d47b8eb160c6f15bb02fc55fa04
SHA512: aef0fd28a641f1b29c7d69e0e9beef08ea4f32d6381cfa18fb75e6a5d4a5b690321c1fb2ec9e05a3dbbfc17f3ec84d648f89105547586ea2d8cfb1b7b179e283

Filesize: 3KB
MD5: b4faf654de4284a89eaf7d073e4e1e63
SHA1: 8efcfd1ca648e942cbffd27af429784b7fcf514b
SHA256: c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
SHA512: eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Filesize: 24KB
MD5: 640bff73a5f8e37b202d911e4749b2e9
SHA1: 9588dd7561ab7de3bca392b084bec91f3521c879
SHA256: c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA512: 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Filesize: 12KB
MD5: cff85c549d536f651d4fb8387f1976f2
SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Filesize: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Filesize: 9KB
MD5: 6c3f8c94d0727894d706940a8a980543
SHA1: 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256: 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512: 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Filesize: 8KB
MD5: f5bf81a102de52a4add21b8a367e54e0
SHA1: cf1e76ffe4a3ecd4dad453112afd33624f16751c
SHA256: 53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2
SHA512: 6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Filesize: 317KB
MD5: 76e4c67f2f63c5b0cf1c17fb6c43c760
SHA1: bcaccce30f728ba7efe489a16c8f14235347967f
SHA256: 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
SHA512: 78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

Filesize: 257B
MD5: c49772446d4a57b9a8a7b09847fe5553
SHA1: 4f6217a648478a2f8436c6598f9d1e9ddf6dc916
SHA256: 16f8bb0efed92c0d44e3bb591cfa2b495b2b42697250195bd5024e85a74c83f7
SHA512: 6066c717ebe250251e68e5c3034df41ac7a2dd282602163043a7b2b1e6a5e5a147c7c7e93b56927fb965697ab0886eb0102e2abfdab134f0b0dcc4ea4685966a

Filesize: 100KB
MD5: 119c4dd6a29bcc6cd20a755d763f3971
SHA1: 6d0e186b29ff0d5cb09da04e852556af5afc4e46
SHA256: c2f61814043eb744d2192557e0e543f275731073309c699d6df07632d76a3940
SHA512: 797782156b7da9eb7a144bdf70c1abb092c21c3d94a2cc8c39be867a9a9e0e1077ecfd879eede4f5e903939c9e4e6f571e36117198746cf069cf21483571a5de