Analysis
max time kernel: 122s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 22-11-2024 10:03
Static task: static1
Behavioral task: behavioral1
Sample: 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Resource: win7-20240903-en
General
Target: 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Size: 96KB
MD5: 32486fb6fc161fd4fb75771465ad3e23
SHA1: 94c61ac9a4a7e24414b4292cc6b77934eb934ce2
SHA256: 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9
SHA512: deedf6d51855cc4e63eb7efc9c1d3a5180921a1c955cb3baf786631e4245ac3b4d1eccef134d6eab92f7c33a8f968286931b2c1b743171c54f77403d460e1731
SSDEEP: 1536:/u63rK0QDIy6CjIYo4xU3G/mBBTsBKyKIq0379Wrv1TxWnl3erzNLzPf/Hf9tszh:p3yxU3G/mBBsBn9qa7EKnkHNLb/bsRJl
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Sality family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
-
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\P: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\R: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\I: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\L: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\N: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\O: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\U: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\Y: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\G: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\H: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\J: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\M: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\S: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\W: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\E: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\Q: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\T: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\V: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\X: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened (read-only) | \??\Z: | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | F:\autorun.inf | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
resource | yara_rule
behavioral2/memory/1732-<n>-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
(41 dumps of the same memory region match, with <n> = 1, 3, 4, 5, 6, 9, 10, 12, 15, 16, 18, 19, 20, 21, 22, 24, 25, 27, 28, 30, 31, 35, 36, 38, 46, 47, 48, 49, 51, 52, 53, 54, 57, 58, 61, 62, 64, 66, 68, 70, 72)
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
(the same row is recorded 24 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
(the same row is recorded 64 times)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1732 wrote to memory of 768 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 8
PID 1732 wrote to memory of 772 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 9
PID 1732 wrote to memory of 384 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 13
PID 1732 wrote to memory of 2992 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 51
PID 1732 wrote to memory of 3040 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 52
PID 1732 wrote to memory of 684 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 53
PID 1732 wrote to memory of 3424 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 56
PID 1732 wrote to memory of 3532 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 57
PID 1732 wrote to memory of 3720 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 58
PID 1732 wrote to memory of 3808 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 59
PID 1732 wrote to memory of 3872 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 60
PID 1732 wrote to memory of 3948 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 61
PID 1732 wrote to memory of 3444 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 62
PID 1732 wrote to memory of 2604 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 75
PID 1732 wrote to memory of 1580 | 1732 | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | 76
(this sequence of 15 target processes is recorded four times in full, followed by the first four rows again, for 64 rows in total)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe
Processes
image | command line | PID (indentation shows tree depth)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:768
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
C:\Windows\system32\sihost.exe | sihost.exe | PID:2992
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3040
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:684
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3424
  C:\Users\Admin\AppData\Local\Temp\144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe | "C:\Users\Admin\AppData\Local\Temp\144c18b4acc5cb968b8ac7f974a89f30f941e534159228c7bfbd45bbd838d2f9.exe" | PID:1732
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3532
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3720
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3808
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3872
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3948
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3444
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2604
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1580
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 100KB
MD5: 5f6968b8234b2f5af690c02f04b730a1
SHA1: 67eab2a76bb7ca6ff4bbe9dd0d50ad35ac10cac7
SHA256: 4b8e6f7f004c1301b1926f0e1c556ecd0423ed6cea0c3ceae1fc4de003957536
SHA512: b2ff18967bca1c59d22e58108f0f0c11a0778ca4cee46bcd37f8ab25c4e8fb0834afaa4e832f92e1cca47308cc1e9d235fddd9accf816eb75185e05c11b86a25