Analysis
  max time kernel:  29s
  max time network: 95s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        09/11/2024, 08:49
Static task:      static1
Behavioral task:  behavioral1
  Sample:   9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Resource: win7-20241023-en
General
  Target: 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Size:   206KB
  MD5:    02237c6d524c38f2f276fab42b140850
  SHA1:   7fefb2d9b51b64ef8b65c44fc8949cd3983c3348
  SHA256: 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056
  SHA512: 418a7c2af28fbc5843423194c902bab912adf8c4e8cd61e49dce8d4341921a8b20409f20bc3bf6838eab847f48ec7a8e66b5a24a1ccc8431714f00253ac18ee0
  SSDEEP: 3072:rkqoCl/YgjxEufVU0TbTyDDalbyCH99X5tpX2vz4eAILUH:rjLqdufVUNDar9JHX2vEIS
Malware Config
  Extracted: sality
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Sality family

UAC bypass (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe

Windows security bypass (12 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Disables RegEdit via registry modification (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | explorer.exe

Disables Task Manager via registry modification

Deletes itself (1 IoCs)
  pid | Process
  5024 | explorer.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  5024 | explorer.exe
  756 | spoolsv.exe
  2408 | svchost.exe
  5036 | spoolsv.exe
Windows security modification (14 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Checks whether UAC is enabled (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

YARA rule matches on memory regions (35 IoCs)
  resource | yara_rule
  behavioral2/memory/3280-1-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-4-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-5-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-7-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-13-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-17-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-16-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-6-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-3-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-33-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-34-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-44-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/3280-58-0x00000000029B0000-0x0000000003A3D000-memory.dmp | upx
  behavioral2/memory/5024-69-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-75-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-76-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-74-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-71-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-72-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-77-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-78-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-73-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-85-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-86-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-87-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-88-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-89-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-90-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-93-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-94-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-95-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-98-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-99-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-103-0x0000000003270000-0x00000000042FD000-memory.dmp | upx
  behavioral2/memory/5024-104-0x0000000003270000-0x00000000042FD000-memory.dmp | upx

Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | explorer.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | explorer.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | explorer.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\SYSTEM.INI | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  An attempt to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  The 64 entries are repeats of the following two rows:
  3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  5024 | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  5024 | explorer.exe
  2408 | svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  All 64 entries are the same row:
  Token: SeDebugPrivilege | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  5024 | explorer.exe
  5024 | explorer.exe
  756 | spoolsv.exe
  756 | spoolsv.exe
  2408 | svchost.exe
  2408 | svchost.exe
  5036 | spoolsv.exe
  5036 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3280 wrote to memory of 780 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 8
  PID 3280 wrote to memory of 784 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 9
  PID 3280 wrote to memory of 336 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 13
  PID 3280 wrote to memory of 2556 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 42
  PID 3280 wrote to memory of 2584 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 43
  PID 3280 wrote to memory of 2672 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 45
  PID 3280 wrote to memory of 3540 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 56
  PID 3280 wrote to memory of 3668 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 57
  PID 3280 wrote to memory of 3848 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 58
  PID 3280 wrote to memory of 3948 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 59
  PID 3280 wrote to memory of 4012 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 60
  PID 3280 wrote to memory of 868 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 61
  PID 3280 wrote to memory of 3116 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 62
  PID 3280 wrote to memory of 1900 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 75
  PID 3280 wrote to memory of 4592 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 76
  PID 3280 wrote to memory of 808 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 81
  PID 3280 wrote to memory of 5024 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 83
  PID 3280 wrote to memory of 5024 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 83
  PID 3280 wrote to memory of 5024 | 3280 | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | 83
  PID 5024 wrote to memory of 756 | 5024 | explorer.exe | 84
  PID 5024 wrote to memory of 756 | 5024 | explorer.exe | 84
  PID 5024 wrote to memory of 756 | 5024 | explorer.exe | 84
  PID 756 wrote to memory of 2408 | 756 | spoolsv.exe | 85
  PID 756 wrote to memory of 2408 | 756 | spoolsv.exe | 85
  PID 756 wrote to memory of 2408 | 756 | spoolsv.exe | 85
  PID 2408 wrote to memory of 5036 | 2408 | svchost.exe | 88
  PID 2408 wrote to memory of 5036 | 2408 | svchost.exe | 88
  PID 2408 wrote to memory of 5036 | 2408 | svchost.exe | 88
  PID 5024 wrote to memory of 780 | 5024 | explorer.exe | 8
  PID 5024 wrote to memory of 784 | 5024 | explorer.exe | 9
  PID 5024 wrote to memory of 336 | 5024 | explorer.exe | 13
  PID 5024 wrote to memory of 2556 | 5024 | explorer.exe | 42
  PID 5024 wrote to memory of 2584 | 5024 | explorer.exe | 43
  PID 5024 wrote to memory of 2672 | 5024 | explorer.exe | 45
  PID 5024 wrote to memory of 3540 | 5024 | explorer.exe | 56
  PID 5024 wrote to memory of 3668 | 5024 | explorer.exe | 57
  PID 5024 wrote to memory of 3848 | 5024 | explorer.exe | 58
  PID 5024 wrote to memory of 3948 | 5024 | explorer.exe | 59
  PID 5024 wrote to memory of 4012 | 5024 | explorer.exe | 60
  PID 5024 wrote to memory of 868 | 5024 | explorer.exe | 61
  PID 5024 wrote to memory of 3116 | 5024 | explorer.exe | 62
  PID 5024 wrote to memory of 1900 | 5024 | explorer.exe | 75
  PID 5024 wrote to memory of 4592 | 5024 | explorer.exe | 76
  PID 5024 wrote to memory of 808 | 5024 | explorer.exe | 81
  PID 5024 wrote to memory of 2408 | 5024 | explorer.exe | 85
  PID 5024 wrote to memory of 2408 | 5024 | explorer.exe | 85
  PID 5024 wrote to memory of 5008 | 5024 | explorer.exe | 87
  PID 5024 wrote to memory of 4632 | 5024 | explorer.exe | 89
  PID 5024 wrote to memory of 780 | 5024 | explorer.exe | 8
  PID 5024 wrote to memory of 784 | 5024 | explorer.exe | 9
  PID 5024 wrote to memory of 336 | 5024 | explorer.exe | 13
  PID 5024 wrote to memory of 2556 | 5024 | explorer.exe | 42
  PID 5024 wrote to memory of 2584 | 5024 | explorer.exe | 43
  PID 5024 wrote to memory of 2672 | 5024 | explorer.exe | 45
  PID 5024 wrote to memory of 3540 | 5024 | explorer.exe | 56
  PID 5024 wrote to memory of 3668 | 5024 | explorer.exe | 57
  PID 5024 wrote to memory of 3848 | 5024 | explorer.exe | 58
  PID 5024 wrote to memory of 3948 | 5024 | explorer.exe | 59
  PID 5024 wrote to memory of 4012 | 5024 | explorer.exe | 60
  PID 5024 wrote to memory of 868 | 5024 | explorer.exe | 61
  PID 5024 wrote to memory of 3116 | 5024 | explorer.exe | 62
  PID 5024 wrote to memory of 1900 | 5024 | explorer.exe | 75
  PID 5024 wrote to memory of 4592 | 5024 | explorer.exe | 76
  PID 5024 wrote to memory of 808 | 5024 | explorer.exe | 81
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes
(each entry is: image path | command line | PID; indentation follows the parent/child depth reported by the sandbox, and the signatures a process triggered are listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
C:\Windows\system32\sihost.exe | sihost.exe | PID:2556
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2584
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2672
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3540
  C:\Users\Admin\AppData\Local\Temp\9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe | "C:\Users\Admin\AppData\Local\Temp\9864e0144d7061c604b67c61a604efabd1560847185982afb3be6abb6b85a056N.exe" | PID:3280
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    \??\c:\windows\resources\themes\explorer.exe | c:\windows\resources\themes\explorer.exe | PID:5024
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      \??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe SE | PID:756
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\svchost.exe | c:\windows\resources\svchost.exe | PID:2408
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe PR | PID:5036
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3668
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3848
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3948
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4012
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:868
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3116
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1900
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4592
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:808
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5008
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4632
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID:4928
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Hide Artifacts (1)
      Hidden Files and Directories (1)
    Impair Defenses (3)
      Disable or Modify Tools (3)
    Modify Registry (6)
Downloads
  Filesize: 207KB
  MD5:    9411f4769c5b5fa3286b8cc32403ddeb
  SHA1:   d20b748d470d1fa842cc0f8f8b26dbad600ba65b
  SHA256: d80be1d96adc11f84daa275887e81a7a6f64c26db5e7378bc3254a474ef011d3
  SHA512: 631365799addedd6995367eaab05a25d07c6d4b3be014925729cbf214bcfd9be6b271702f37d126a618228acddd640fbd6f2adad4abd364e4fcfd0bf9813055b

  Filesize: 206KB
  MD5:    bc54cdc7ee68f0d0e6a1b297315f6474
  SHA1:   e97108399287cc89b87f95e9da088fa0a3a11825
  SHA256: ca210d82bdfc64e8a6fb1c4060bc412953ca12910f2257da9c747747a38a9e8d
  SHA512: 554ed0f8bc777b45e8df8344e7112bd8986387be172e1de6a580e9ce05ac48602e2af9cefb72d5577ba1a5381a6a647330071707d764062cbed6b41464eb808b

  Filesize: 257B
  MD5:    6481b23403c3b5c39abf6d59d04f3772
  SHA1:   5381e5a6c339820627611a7d5db1e17022c97b68
  SHA256: 81e44c251edc81ad4be0d16acc335f3b89a96495b099d682f410a01d50071b26
  SHA512: 5231fb7292a3fe8574645fabc68be58c5c197bc8a90f87a9907b04b817e42a709862c2ca8ec541eb065934d0e6df25b98060ca0d732b10fb4bfe2cd2345593a4

  Filesize: 206KB
  MD5:    ccb067853b90cfbb3418ae76a41fc439
  SHA1:   9d6006fd743d95fcca8bf1e6cf16baeaba01616e
  SHA256: b8b8210b8dc5354fbc1bed43b5bd1806e6c500a1342a0f8ea2e11413a969eb81
  SHA512: e11c83da648289c32bf854b3458cedf11d8abe006d490e92b7aa432b2d539ab76f2e0e04ee621f0247bba92837c610c6c8da52867f1eb277c516fa8454c35585