Analysis
max time kernel: 121s
max time network: 128s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2024, 06:23
Behavioral task
behavioral1
Sample: 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Resource: win7-20240903-en
General
Target: 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Size: 9.8MB
MD5: 4ef424374bc658488d6e85b9286ec189
SHA1: 31f86317920d033e6a2fc23c6995f896a6167105
SHA256: 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291
SHA512: 9c4b20e760743d2f88bd8130cb2823e3faf7cdaea3ddfd68af8bcb27ec04fbd52d1db5117aa7a58212c114f27d5a6d5ed136c7e7e7fda555efa3c8e6dc9c2400
SSDEEP: 196608:zuOYT73A/PCDoWzN87yZqLcbUm4CzknrnbELh19M8pjx6gO0EMT/h:il7SqDhqyZqLwqqk3E39npjZO0Emp
Malware Config
Extracted: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | GPU-Z.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Executes dropped EXE 3 IoCs
pid | Process
2856 | gpuz_installer.exe
1788 | gpuz_installer.tmp
3048 | GPU-Z.exe
Loads dropped DLL 10 IoCs
pid | Process
2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
2856 | gpuz_installer.exe
1788 | gpuz_installer.tmp (8 loads)
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | GPU-Z.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | GPU-Z.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | GPU-Z.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 drive letters, one IoC each) | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
UPX packed file (yara rule: upx) 26 IoCs
resource | yara_rule
behavioral1/memory/2792-{0,2,3,4,5,6,7,8,9,10,33,35,36,37,38,39,41,42,62,65,68,215}-0x0000000004F30000-0x0000000005FEA000-memory.dmp (22 dumps of the same region) | upx
behavioral1/memory/2792-{31,64,214}-0x0000000000400000-0x00000000030F8000-memory.dmp (3 dumps of the image region) | upx
behavioral1/files/0x0009000000012101-59.dat | upx
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\GPU-Z\GPU-Z.exe | gpuz_installer.tmp
File created | C:\Program Files (x86)\GPU-Z\unins000.dat | gpuz_installer.tmp
File created | C:\Program Files (x86)\GPU-Z\is-IEPKJ.tmp | gpuz_installer.tmp
File created | C:\Program Files (x86)\GPU-Z\is-3VF2V.tmp | gpuz_installer.tmp
File opened for modification | C:\Program Files (x86)\GPU-Z\unins000.dat | gpuz_installer.tmp

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f77a15e | GPU-Z.exe
File created | C:\Windows\f76fdee | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
File opened for modification | C:\Windows\SYSTEM.INI | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gpuz_installer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gpuz_installer.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GPU-Z.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe (4 events)
1788 | gpuz_installer.tmp (2 events)
3048 | GPU-Z.exe (1 event)
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
472 | Process not Found
Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe (26 events)
Token: SeDebugPrivilege | 3048 | GPU-Z.exe (22 events)
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1788 | gpuz_installer.tmp

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
3048 | GPU-Z.exe (3 events)
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target | events
PID 2792 wrote to memory of 1060 | 2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe | 17 | 4
PID 2792 wrote to memory of 1116 | 2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe | 19 | 4
PID 2792 wrote to memory of 1180 | 2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe | 21 | 4
PID 2792 wrote to memory of 1248 | 2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe | 23 | 4
PID 2792 wrote to memory of 2856 | 2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe | 30 | 9
PID 2792 wrote to memory of 1788 | 2792 | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe | 31 | 2
PID 2856 wrote to memory of 1788 | 2856 | gpuz_installer.exe | 31 | 7
PID 1788 wrote to memory of 3048 | 1788 | gpuz_installer.tmp | 33 | 4
PID 3048 wrote to memory of 1060 | 3048 | GPU-Z.exe | 17 | 1
PID 3048 wrote to memory of 1116 | 3048 | GPU-Z.exe | 19 | 1
PID 3048 wrote to memory of 1180 | 3048 | GPU-Z.exe | 21 | 1
PID 3048 wrote to memory of 1248 | 3048 | GPU-Z.exe | 23 | 1
Targets 1060, 1116, 1180 and 1248 are the pre-existing taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe (see Processes below); both the sample and the dropped GPU-Z.exe write into them. The remaining targets (2856, 1788, 3048) are in the sample's own descendant chain.
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | GPU-Z.exe
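The registry signatures above (firewall policy, EnableLUA, Security Center overrides) are the defence-impairment set that both the sample and the dropped GPU-Z.exe apply. The script below is an added example, not part of the Triage report or of the Sality sample: it parses the report's own IoC lines, maps each tampered value to the control it disables and its ATT&CK sub-technique, and emits a .reg fragment that restores the Windows defaults. The rule table is an assumption modelled on the keys seen in this report (not a vendor signature set), the 'clean' values are the defaults of an unmodified Windows 7 install, and the input lines are copied from the report plus one constructed control line.

```python
"""Map the registry writes in the report's signature blocks to the security control
each one switches off, and emit the .reg fragment that restores the default.

Added example, not part of the Triage report or of the Sality sample. Rule table and
'clean' values are assumptions (Windows 7 defaults), not a vendor signature set.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Triage prints: Set value (int) <key> = "<data>" <process>   or   Key created <key> <process>
LINE_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")? '
    r'(?P<proc>\S+)$'
)

@dataclass(frozen=True)
class Rule:
    control: str             # what the value governs
    tampered: Optional[str]  # data that marks tampering; None = key presence alone
    clean: Optional[str]     # default data on an untouched host; None = policy-dependent
    technique: str           # MITRE ATT&CK sub-technique

# Matched as case-insensitive suffixes of the path under HKLM with any Wow6432Node\
# component removed, so the 32-bit-redirected Security Center writes hit the same rule.
RULES = {
    r"firewallpolicy\standardprofile\enablefirewall":
        Rule("Windows Firewall, standard profile", "0", "1", "T1562.004"),
    r"firewallpolicy\standardprofile\disablenotifications":
        Rule("Windows Firewall block notifications", "1", "0", "T1562.004"),
    r"firewallpolicy\standardprofile\donotallowexceptions":
        Rule("Windows Firewall exception policy", "0", None, "T1562.004"),
    r"policies\system\enablelua":
        Rule("User Account Control (EnableLUA)", "0", "1", "T1548.002"),
    r"security center\antivirusoverride":
        Rule("Security Center antivirus status check", "1", "0", "T1562.001"),
    r"security center\antivirusdisablenotify":
        Rule("Security Center antivirus alerts", "1", "0", "T1562.001"),
    r"security center\firewalloverride":
        Rule("Security Center firewall status check", "1", "0", "T1562.001"),
    r"security center\firewalldisablenotify":
        Rule("Security Center firewall alerts", "1", "0", "T1562.001"),
    r"security center\updatesdisablenotify":
        Rule("Security Center update alerts", "1", "0", "T1562.001"),
    r"security center\uacdisablenotify":
        Rule("Security Center UAC alerts", "1", "0", "T1562.001"),
    r"security center\svc":
        Rule("Security Center Svc subkey created", None, None, "T1562.001"),
}

@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    data: Optional[str]
    rule: Rule

def normalise(key: str) -> str:
    """Lower-case the path, drop the hive prefix and any Wow6432Node component."""
    k = key.lower()
    for prefix in ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\"):
        if k.startswith(prefix):
            k = k[len(prefix):]
    return k.replace("wow6432node\\", "")

def classify(lines) -> List[Finding]:
    """One Finding per IoC line whose key matches a rule and whose data marks tampering."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = normalise(m.group("key"))
        for suffix, rule in RULES.items():
            # A write of the clean value (e.g. EnableLUA = "1") is not a finding.
            if key.endswith(suffix) and rule.tampered in (None, m.group("data")):
                findings.append(Finding(m.group("proc"), m.group("key"), m.group("data"), rule))
                break
    return findings

def remediation_reg(findings) -> str:
    """A .reg fragment that puts every tampered DWORD back to its default."""
    out = ["Windows Registry Editor Version 5.00"]
    seen = set()
    for f in findings:
        if f.rule.clean is None or f.key in seen:
            continue
        seen.add(f.key)
        path, _, name = f.key.rpartition("\\")
        out.append("")
        out.append("[" + path.replace("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\", 1) + "]")
        out.append('"%s"=dword:%08x' % (name, int(f.rule.clean)))
    return "\n".join(out) + "\n"

# Constructed input: five IoC lines copied from the report, plus one constructed
# control line (EnableLUA written back to 1 by a hypothetical secpol.exe) that must not be flagged.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" GPU-Z.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" GPU-Z.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc GPU-Z.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" secpol.exe
'''.strip().splitlines()

if __name__ == "__main__":
    hits = classify(SAMPLE_IOCS)
    for h in hits:
        print(f"{h.rule.technique}  {h.process:<20} {h.rule.control}")
    print(remediation_reg(hits))
```

The data check matters on a live host: the same keys are written by Group Policy and by the Security Center itself, so only the tampered value, not the key name, is evidence. The emitted .reg only covers values with a known default; DoNotAllowExceptions and the Svc subkey are reported but left to local policy.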
Processes
image | command line | PID
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1060
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1116
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1180
  C:\Users\Admin\AppData\Local\Temp\89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe | "C:\Users\Admin\AppData\Local\Temp\89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291.exe" | PID:2792
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe | "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe" | PID:2856
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\is-R6AGG.tmp\gpuz_installer.tmp | "C:\Users\Admin\AppData\Local\Temp\is-R6AGG.tmp\gpuz_installer.tmp" /SL5="$500F4,832512,832512,C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe" | PID:1788
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\GPU-Z\GPU-Z.exe | "C:\Program Files (x86)\GPU-Z\GPU-Z.exe" | PID:3048
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1248
The dropped GPU-Z.exe (PID 3048) carries the same signature set as the submitted sample (PID 2792), so the installed binary is not a clean copy of the tool.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 50KB
MD5: 079edc2a318b7f36fed13f1c57b067ec
SHA1: d62265d9b955b5b12e8ab1dcecde0f257fae9ece
SHA256: beb24158f3c09443c70109380c4cffebfe446b9c462a0de949dc6f93345b0f63
SHA512: 7aed3acf50106b0d0dd7405b8bb205768d1bbfcc6bb7ca7d828c05269809dea7f8e190709856a489963fdedea13922fe44002a1f190eff5440f67a402432ad46

Filesize: 9.8MB (the submitted sample; hashes match General above)
MD5: 4ef424374bc658488d6e85b9286ec189
SHA1: 31f86317920d033e6a2fc23c6995f896a6167105
SHA256: 89120cbb79384250b87f873331533368af9b7b3248bb25b3f4c9621318eaf291
SHA512: 9c4b20e760743d2f88bd8130cb2823e3faf7cdaea3ddfd68af8bcb27ec04fbd52d1db5117aa7a58212c114f27d5a6d5ed136c7e7e7fda555efa3c8e6dc9c2400

Filesize: 1.6MB
MD5: adb15bf5d30c7139d1a4c4f161ad80d0
SHA1: 57b97530e668d75e1b0451822ae36897f889dc65
SHA256: ffe80b378485e6ba258911f5dedf292640ee378221f62eec9d60e84914bd0798
SHA512: 014f4318c40009127671dac7d5826ca81bab813a3cdf4e998ea96861aa6c57e3366e47c8961b75834d877bc4cdeff5476d85993b67d4e00e99d511045f0c7638

Filesize: 3.1MB
MD5: 4c9111b5058cb0a71da1c566e6b15de5
SHA1: cdf0963572c509ecc8651a7081dd5aca44886007
SHA256: ff02cd92b07585423ef7bdd0a873374922767fe21f93fcebc24181a5ee2111fa
SHA512: 3dc28a3f0a1404b67dd5374e2c5e13f1c1b0250c1e07666dbbd4bf31b400ee549c3beb7b872dd7d10dd54ce401b01a362a59bca54b2c7209cbedd97caa7cea46

Filesize: 257B
MD5: d4b025cef98eeea1624aabfb7573dde6
SHA1: 74a12c2ea40cd5b8398dd4ec7f790e89221dc8a0
SHA256: 89f3d67f9b2a5031793d7e018babd29ee426f7a45f315a889d0c785f31ca9e40
SHA512: 30007f57f26d31604cf9ff7f006a469d3a94cb8981e3bc80b319376e9e5d7f344b45a09a7f13cc2db26e532904de7739508e842d04402896f95900744f69b04f