178ad69c097b6020ffde876881fe38499ca82be6781e7d47988d3422872a1440

Resubmissions

23-11-2024 00:44

241123-a3xw2stkhy 7

23-11-2024 00:40

241123-a1nwcstkd1 10

23-11-2024 00:39

241123-azsg6ayrhq 3

Analysis

max time kernel
200s
max time network
206s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 00:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

download.jpg
Size

8KB
MD5

fd59c3cd5e5088281635eced5c20ccaa
SHA1

9ef4149257a4d39e6624cddc320f59f5eee3798d
SHA256

178ad69c097b6020ffde876881fe38499ca82be6781e7d47988d3422872a1440
SHA512

7ed57054b81b5749fded7622510978c82d2bc50602ca845f20234292130a48bed31afcc4da1da6265d7435d1f46826330a22f33b71e242ab59d77046e6761628
SSDEEP

192:N+wAO7JR1SJBL+n+tiNWVxpzS7CYwPW7NDaMMQOOtk3/aHOSqQcC692pXu:N+wR7JR4JBL++xdQCd+JMSohrCHp+

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2DB3B1922BD24F61869CE09A283FD8EB.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2DB3B1922BD24F61869CE09A283FD8EB.dat	utilman.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\HoverPeriod = "1000"	osk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\UseKB = "1"	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}\Attributes\Technology = "MMSys"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowHeight = "236"	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\InsertSpace = "1"	osk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}\DeviceId = "{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}\Attributes	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowWidth = "828"	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\UseMouse = "0"	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}\ = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}\DeviceName = "Speakers (High Definition Audio Device)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MS Switch	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{791dc06c-cc7f-4a6e-a92a-db4e879b5399}\Attributes\Vendor = "Microsoft"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Osk	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "100"	osk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	osk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_2DB3B1922BD24F61869CE09A283FD8EB.dat"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowTop = "100"	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\ClickSound = "1"	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\UseTextPrediction = "1"	osk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\UseDevice = "1"	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\ScanKey = "32"	osk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\ShowNumPad = "0"	osk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\ScanInterval = "1000"	osk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
624	utilman.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: 33	2232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2232	AUDIODG.EXE
Token: 33	2232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2232	AUDIODG.EXE
Token: SeShutdownPrivilege	2968	LogonUI.exe
Token: SeShutdownPrivilege	2968	LogonUI.exe
Token: SeSecurityPrivilege	2368	winlogon.exe
Token: SeBackupPrivilege	2368	winlogon.exe
Token: SeSecurityPrivilege	2368	winlogon.exe
Token: SeTcbPrivilege	2368	winlogon.exe
Token: SeShutdownPrivilege	2968	LogonUI.exe
Token: SeShutdownPrivilege	2968	LogonUI.exe
Token: SeSecurityPrivilege	2368	winlogon.exe
Token: SeBackupPrivilege	2368	winlogon.exe
Token: SeSecurityPrivilege	2368	winlogon.exe
Token: SeShutdownPrivilege	2968	LogonUI.exe
Token: SeShutdownPrivilege	2968	LogonUI.exe
Token: SeShutdownPrivilege	2368	winlogon.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2236	rundll32.exe
2236	rundll32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2236	rundll32.exe
2236	rundll32.exe
1760	osk.exe
1760	osk.exe
1760	osk.exe
1760	osk.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 2368 wrote to memory of 2968	2368	winlogon.exe	35
PID 2368 wrote to memory of 2968	2368	winlogon.exe	35
PID 2368 wrote to memory of 2968	2368	winlogon.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 2968	1816	csrss.exe	35
PID 1816 wrote to memory of 624	1816	csrss.exe	36
PID 1816 wrote to memory of 624	1816	csrss.exe	36
PID 2368 wrote to memory of 624	2368	winlogon.exe	36
PID 2368 wrote to memory of 624	2368	winlogon.exe	36
PID 2368 wrote to memory of 624	2368	winlogon.exe	36
PID 1816 wrote to memory of 624	1816	csrss.exe	36
PID 1816 wrote to memory of 624	1816	csrss.exe	36
PID 1816 wrote to memory of 624	1816	csrss.exe	36
PID 1816 wrote to memory of 1760	1816	csrss.exe	38
PID 1816 wrote to memory of 1760	1816	csrss.exe	38
PID 624 wrote to memory of 1760	624	utilman.exe	38
PID 624 wrote to memory of 1760	624	utilman.exe	38
PID 624 wrote to memory of 1760	624	utilman.exe	38
PID 1816 wrote to memory of 1864	1816	csrss.exe	39
PID 1816 wrote to memory of 1864	1816	csrss.exe	39
PID 624 wrote to memory of 1864	624	utilman.exe	39
PID 624 wrote to memory of 1864	624	utilman.exe	39
PID 624 wrote to memory of 1864	624	utilman.exe	39
PID 1816 wrote to memory of 1644	1816	csrss.exe	40
PID 1816 wrote to memory of 1644	1816	csrss.exe	40
PID 624 wrote to memory of 1644	624	utilman.exe	40
PID 624 wrote to memory of 1644	624	utilman.exe	40
PID 624 wrote to memory of 1644	624	utilman.exe	40
PID 1816 wrote to memory of 1864	1816	csrss.exe	39
PID 1816 wrote to memory of 1644	1816	csrss.exe	40
PID 1816 wrote to memory of 1760	1816	csrss.exe	38
PID 1816 wrote to memory of 1760	1816	csrss.exe	38

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\download.jpg
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\System32\osk.exe
    "C:\Windows\System32\osk.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1760
- - C:\Windows\System32\Sethc.exe
    "C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
    3⤵
    PID:1864
- - C:\Windows\System32\Sethc.exe
    "C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
    3⤵
    PID:1644

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2608-2-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download