Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/11/2024, 04:47
Static task
static1
Behavioral task
behavioral1
Sample
b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe
Resource
win7-20240903-en
General
-
Target
b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe
-
Size
169KB
-
MD5
d07164118c47eb4f0a26edbb70894ee0
-
SHA1
4f7d43a41509cf185941c8057e33941dd3dbaa4d
-
SHA256
b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1
-
SHA512
3cfb80e478d36bd0be5bef949d115daa722b91ff2d0f07653890deef9e1c40b1f7cbc128315878233cad17b8895f1267deed106ea8f0326ab78a019c7ef58a88
-
SSDEEP
3072:0vgmJAIlSPxX/ZWOFr4JxRRd8KEiPkrMLgGk0Yg1iAQbFJB0sLb:rvIAPxBWOFU/RRdIgXLgGkE/UJBVLb
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Disables Task Manager via registry modification
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\U: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\X: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\E: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\J: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\M: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\S: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\V: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\G: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\L: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\Q: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\P: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\R: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\W: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\Y: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\I: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\N: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\O: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\H: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\K: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened (read-only) \??\Z: b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened for modification F:\autorun.inf b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
resource yara_rule behavioral1/memory/2736-1-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-3-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-8-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-10-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-9-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-6-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-5-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-4-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-7-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-29-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-28-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-30-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-32-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-34-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-35-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-31-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-37-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-36-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-39-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-50-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-51-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-55-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-56-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-59-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-60-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-62-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-64-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-65-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx behavioral1/memory/2736-73-0x0000000001DF0000-0x0000000002E7E000-memory.dmp upx -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe Token: SeDebugPrivilege 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 1484 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 22 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 PID 2736 wrote to memory of 1060 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 18 PID 2736 wrote to memory of 1116 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 19 PID 2736 wrote to memory of 1148 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 20 PID 2736 wrote to memory of 2040 2736 b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe 23 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1060
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1116
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1148
-
C:\Windows\System32\dzuhbf.exe"C:\Windows\System32\dzuhbf.exe"2⤵PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe"C:\Users\Admin\AppData\Local\Temp\b748c37f4e969aef69a2e4efff322dcd47d15ffba51b12e8e68800709d3ad9b1N.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2736
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2040
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD53e9cc69a59f7299a04e8d8a577f02563
SHA1e0910d4106a9a852f5a33cfa0dd68b3c8e94584a
SHA25694833a02e690670b3804a2bcb579e7c4b25c0ec79d901bd37e336255b33044f9
SHA5123b87d739f74eee31a11b0fbdcb1320cbdbbfd7305a60a49b612f3ee7d15e4044c3cc3c92dfadae9f7759ad4521c4d7767be427dacab2c587da3383096a2443f7