Analysis
-
max time kernel
26s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04/11/2024, 03:56
Static task
static1
Behavioral task
behavioral1
Sample
19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
Resource
win7-20240903-en
General
-
Target
19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
-
Size
317KB
-
MD5
76e4c67f2f63c5b0cf1c17fb6c43c760
-
SHA1
bcaccce30f728ba7efe489a16c8f14235347967f
-
SHA256
19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
-
SHA512
78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7
-
SSDEEP
6144:dNyZWJhe+9xwSp0Ksr8/Ddv/9zyKI20IBHqLw:dNbhe+9fp0VYDZ9G0DBK
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Un_A.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Un_A.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Un_A.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe -
Deletes itself 1 IoCs
pid Process 1028 Un_A.exe -
Executes dropped EXE 1 IoCs
pid Process 1028 Un_A.exe -
Loads dropped DLL 9 IoCs
pid Process 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Un_A.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" Un_A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 
19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Un_A.exe -
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: Un_A.exe File opened (read-only) \??\G: Un_A.exe File opened (read-only) \??\K: Un_A.exe File opened (read-only) \??\O: Un_A.exe File opened (read-only) \??\N: Un_A.exe File opened (read-only) \??\H: Un_A.exe File opened (read-only) \??\I: Un_A.exe File opened (read-only) \??\J: Un_A.exe File opened (read-only) \??\L: Un_A.exe File opened (read-only) \??\M: Un_A.exe -
resource yara_rule behavioral2/memory/556-1-0x0000000002370000-0x00000000033FE000-memory.dmp upx behavioral2/memory/556-3-0x0000000002370000-0x00000000033FE000-memory.dmp upx behavioral2/memory/556-6-0x0000000002370000-0x00000000033FE000-memory.dmp upx behavioral2/memory/556-10-0x0000000002370000-0x00000000033FE000-memory.dmp upx behavioral2/memory/556-9-0x0000000002370000-0x00000000033FE000-memory.dmp upx behavioral2/memory/556-4-0x0000000002370000-0x00000000033FE000-memory.dmp upx behavioral2/memory/556-5-0x0000000002370000-0x00000000033FE000-memory.dmp upx behavioral2/memory/1028-50-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-56-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-60-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-62-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-61-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-54-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-52-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-55-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-53-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-65-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-66-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-67-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-99-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-100-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-103-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-104-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-105-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx 
behavioral2/memory/1028-107-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-108-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-110-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-112-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-115-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-117-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-119-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-120-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-122-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-125-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-127-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx behavioral2/memory/1028-129-0x0000000004BD0000-0x0000000005C5E000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe Un_A.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe Un_A.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe Un_A.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Un_A.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe 1028 Un_A.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: 
SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 
19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 
19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Token: SeDebugPrivilege 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 556 wrote to memory of 796 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 9 PID 556 wrote to memory of 804 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 10 PID 556 wrote to memory of 332 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 13 PID 556 wrote to memory of 2552 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 44 PID 556 wrote to memory of 2564 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 45 PID 556 wrote to memory of 2700 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 47 PID 556 wrote to memory of 3484 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 56 PID 556 wrote to memory of 3588 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 57 PID 556 wrote to memory of 3800 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 58 PID 556 wrote to memory of 3920 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 59 PID 556 wrote to memory of 4028 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 60 PID 556 wrote to memory of 3364 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 61 PID 556 wrote to memory of 3964 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 62 PID 556 wrote to memory of 3896 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 74 PID 556 wrote to memory of 772 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 76 PID 556 wrote to memory of 4964 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 81 PID 556 wrote to memory of 3016 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 82 PID 556 wrote to memory of 1028 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 84 PID 
556 wrote to memory of 1028 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 84 PID 556 wrote to memory of 1028 556 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe 84 PID 1028 wrote to memory of 796 1028 Un_A.exe 9 PID 1028 wrote to memory of 804 1028 Un_A.exe 10 PID 1028 wrote to memory of 332 1028 Un_A.exe 13 PID 1028 wrote to memory of 2552 1028 Un_A.exe 44 PID 1028 wrote to memory of 2564 1028 Un_A.exe 45 PID 1028 wrote to memory of 2700 1028 Un_A.exe 47 PID 1028 wrote to memory of 3484 1028 Un_A.exe 56 PID 1028 wrote to memory of 3588 1028 Un_A.exe 57 PID 1028 wrote to memory of 3800 1028 Un_A.exe 58 PID 1028 wrote to memory of 3920 1028 Un_A.exe 59 PID 1028 wrote to memory of 4028 1028 Un_A.exe 60 PID 1028 wrote to memory of 3364 1028 Un_A.exe 61 PID 1028 wrote to memory of 3964 1028 Un_A.exe 62 PID 1028 wrote to memory of 3896 1028 Un_A.exe 74 PID 1028 wrote to memory of 772 1028 Un_A.exe 76 PID 1028 wrote to memory of 4964 1028 Un_A.exe 81 PID 1028 wrote to memory of 1896 1028 Un_A.exe 86 PID 1028 wrote to memory of 2236 1028 Un_A.exe 87 PID 1028 wrote to memory of 796 1028 Un_A.exe 9 PID 1028 wrote to memory of 804 1028 Un_A.exe 10 PID 1028 wrote to memory of 332 1028 Un_A.exe 13 PID 1028 wrote to memory of 2552 1028 Un_A.exe 44 PID 1028 wrote to memory of 2564 1028 Un_A.exe 45 PID 1028 wrote to memory of 2700 1028 Un_A.exe 47 PID 1028 wrote to memory of 3484 1028 Un_A.exe 56 PID 1028 wrote to memory of 3588 1028 Un_A.exe 57 PID 1028 wrote to memory of 3800 1028 Un_A.exe 58 PID 1028 wrote to memory of 3920 1028 Un_A.exe 59 PID 1028 wrote to memory of 4028 1028 Un_A.exe 60 PID 1028 wrote to memory of 3364 1028 Un_A.exe 61 PID 1028 wrote to memory of 3964 1028 Un_A.exe 62 PID 1028 wrote to memory of 3896 1028 Un_A.exe 74 PID 1028 wrote to memory of 772 1028 Un_A.exe 76 PID 1028 wrote to memory of 4964 1028 Un_A.exe 81 PID 1028 wrote to memory of 1896 1028 Un_A.exe 86 PID 1028 wrote to memory of 2236 1028 
Un_A.exe 87 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Un_A.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:796
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:804
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:332
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2564
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2700
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe"C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:556 -
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1028
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3588
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3800
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3920
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4028
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3364
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3964
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:3896
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:772
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:4964
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3016
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1896
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2236
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Create or Modify System Process (1)
Windows Service (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Impair Defenses (4)
Disable or Modify System Firewall (1)
Disable or Modify Tools (3)
Modify Registry (5)
Replay Monitor
Downloads
-
Filesize
249KB
MD5 0a5c25e3cd2be05bd66d913daf651928
SHA1 3077abd0e78b2c8c441944130e98df74b9843693
SHA256 7de0b18ce9840e97ec87f948ab0ed8fff2ad4d47b8eb160c6f15bb02fc55fa04
SHA512 aef0fd28a641f1b29c7d69e0e9beef08ea4f32d6381cfa18fb75e6a5d4a5b690321c1fb2ec9e05a3dbbfc17f3ec84d648f89105547586ea2d8cfb1b7b179e283
-
Filesize
3KB
MD5 b4faf654de4284a89eaf7d073e4e1e63
SHA1 8efcfd1ca648e942cbffd27af429784b7fcf514b
SHA256 c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
SHA512 eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388
-
Filesize
24KB
MD5 640bff73a5f8e37b202d911e4749b2e9
SHA1 9588dd7561ab7de3bca392b084bec91f3521c879
SHA256 c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA512 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
-
Filesize
12KB
MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
14KB
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
Filesize
9KB
MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355
-
Filesize
8KB
MD5 f5bf81a102de52a4add21b8a367e54e0
SHA1 cf1e76ffe4a3ecd4dad453112afd33624f16751c
SHA256 53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2
SHA512 6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256
-
Filesize
317KB
MD5 76e4c67f2f63c5b0cf1c17fb6c43c760
SHA1 bcaccce30f728ba7efe489a16c8f14235347967f
SHA256 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
SHA512 78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7
-
Filesize
257B
MD5 ca46aec8d35d2f81e99a8b884f5f4753
SHA1 163678984c584316472325fadda93ea04795bb42
SHA256 0ce1a0ed79b9be8bbd23fea2133e22783785e5710b2e417b30167583fa7460f8
SHA512 ec0c77a11fdd63ffd5b6d03cea78453bf5c14aa1d2f6fdf4c85f6b0215e91426c8728e4c4a01a5046238bd2bf39ce40f3f5e9884181376b253fbf8aee9988228
-
Filesize
100KB
MD5 8574317c4c3979a8bd19af59d922ea60
SHA1 23b488f9483aedf19adfe577f1a210a59de4f682
SHA256 4c71f0ff226e1a0e7dfd03f48954bf03ce101b8eee795f67f0792815941b1c6b
SHA512 5eb665295031acf10d6ea8fa087c9c54ccec76f64b15f4db005c01fefbf61aea4ebabf7e6c89b1463b730a0cf1c8db09f025b3f1783d7d308a9501aa92ae54c6