Analysis
max time kernel: 27s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 23:55
Static task: static1
Behavioral task: behavioral1
Sample: 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Resource: win7-20240903-en
General
Target: 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Size: 196KB
MD5: 62b5937707da77bf7dbc68deeed97990
SHA1: 6baea8d207826005e2c7dcf4101258c1f36b535c
SHA256: 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523c
SHA512: 122c3bc0969b4ac7766603790bca08ad126cbcd245bc65a119bfc4820ca322dad4ed149712021f126188a27bffd5eb2ccf691acde9307546592953378868f1e7
SSDEEP: 3072:jBya4oIqlA+SYMcF3cenP2PCtTjSe0i6sCc381UA5cmbfC9hX:jBxLU9c6enP26bXC+8AqA
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | svchost.exe
Sality family

UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Deletes itself (1 IoC)
pid | Process
4948 | svchost.exe

Executes dropped EXE (1 IoC)
pid | Process
4948 | svchost.exe
Windows security modification (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\\Windows\\svchost.exe" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\(Default) = "C:\\Windows\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPQEASYBTTN = "C:\\Windows\\System32\\BttnServ.exe" | svchost.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\BttnServ.exe | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
File opened for modification | C:\Windows\SysWOW64\BttnServ.exe | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
File opened for modification | C:\Windows\SysWOW64\BttnServ.exe | svchost.exe
Yara rule match: upx (38 IoCs)
resource | yara_rule
behavioral2/memory/4776-4-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-5-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-10-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-6-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-9-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-3-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-11-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-36-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-16-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4776-23-0x0000000002AC0000-0x0000000003B4E000-memory.dmp | upx
behavioral2/memory/4948-49-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-50-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-48-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-47-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-45-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-56-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-55-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-54-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-53-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-59-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-60-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-61-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-62-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-63-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-65-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-66-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-67-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-68-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-72-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-73-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-75-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-78-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-79-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-81-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-82-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-84-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-91-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
behavioral2/memory/4948-93-0x0000000004FC0000-0x000000000604E000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
File created | C:\Windows\svchost.exe | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
File opened for modification | C:\Windows\svchost.exe | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
4948 | svchost.exe
4948 | svchost.exe
4948 | svchost.exe
4948 | svchost.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
(the same entry is repeated 64 times in the original table)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
4948 | svchost.exe
Suspicious use of WriteProcessMemory (53 IoCs)
description | pid | Process | procid_target
PID 4776 wrote to memory of 776 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 8
PID 4776 wrote to memory of 784 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 9
PID 4776 wrote to memory of 376 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 13
PID 4776 wrote to memory of 3028 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 50
PID 4776 wrote to memory of 2856 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 51
PID 4776 wrote to memory of 2836 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 53
PID 4776 wrote to memory of 3444 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 56
PID 4776 wrote to memory of 3556 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 57
PID 4776 wrote to memory of 3760 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 58
PID 4776 wrote to memory of 3848 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 59
PID 4776 wrote to memory of 3960 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 60
PID 4776 wrote to memory of 4068 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 61
PID 4776 wrote to memory of 4124 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 62
PID 4776 wrote to memory of 4660 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 64
PID 4776 wrote to memory of 4556 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 74
PID 4776 wrote to memory of 3872 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 77
PID 4776 wrote to memory of 388 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 82
PID 4776 wrote to memory of 4948 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 84
PID 4776 wrote to memory of 4948 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 84
PID 4776 wrote to memory of 4948 | 4776 | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | 84
PID 4948 wrote to memory of 776 | 4948 | svchost.exe | 8
PID 4948 wrote to memory of 784 | 4948 | svchost.exe | 9
PID 4948 wrote to memory of 376 | 4948 | svchost.exe | 13
PID 4948 wrote to memory of 3028 | 4948 | svchost.exe | 50
PID 4948 wrote to memory of 2856 | 4948 | svchost.exe | 51
PID 4948 wrote to memory of 2836 | 4948 | svchost.exe | 53
PID 4948 wrote to memory of 3444 | 4948 | svchost.exe | 56
PID 4948 wrote to memory of 3556 | 4948 | svchost.exe | 57
PID 4948 wrote to memory of 3760 | 4948 | svchost.exe | 58
PID 4948 wrote to memory of 3848 | 4948 | svchost.exe | 59
PID 4948 wrote to memory of 3960 | 4948 | svchost.exe | 60
PID 4948 wrote to memory of 4068 | 4948 | svchost.exe | 61
PID 4948 wrote to memory of 4124 | 4948 | svchost.exe | 62
PID 4948 wrote to memory of 4660 | 4948 | svchost.exe | 64
PID 4948 wrote to memory of 4556 | 4948 | svchost.exe | 74
PID 4948 wrote to memory of 3872 | 4948 | svchost.exe | 77
(the preceding 16 entries for PID 4948 appear a second time in the original table, with the same procid_target values)
PID 4948 wrote to memory of 1280 | 4948 | svchost.exe | 89

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Processes
(image path | command line | PID; indentation shows the parent/child depth in the process tree)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:376
C:\Windows\system32\sihost.exe | sihost.exe | PID:3028
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2856
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2836
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3444
  C:\Users\Admin\AppData\Local\Temp\2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe | "C:\Users\Admin\AppData\Local\Temp\2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523cN.exe" | PID:4776
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Windows\svchost.exe | C:\Windows\svchost.exe | PID:4948
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3556
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3760
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3848
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3960
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4068
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4124
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4660
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4556
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3872
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:388
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1280
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads

Filesize: 257B
MD5: 81827b4fcd6c5be5a7978ab42dc1062a
SHA1: 4cfb129e58ce6794d6d35beb9e59adcd3d744125
SHA256: 53d1233070613de1339d2b518cf9e4408af60d7ae3c13b7d5b3af38ef52fa38b
SHA512: 7e373d22e5280dd135aa94410f8cd558d9849be597e6f55f92c07d55cebc086c21964f70515b18dbb5a1a72fd16469af1421ea506353b930f9f2d126da0fdffa

Filesize: 196KB
MD5: 62b5937707da77bf7dbc68deeed97990
SHA1: 6baea8d207826005e2c7dcf4101258c1f36b535c
SHA256: 2767c6a251dc6a671b030b69ea1116a7189a54a3f93509bc1f81f669e47b523c
SHA512: 122c3bc0969b4ac7766603790bca08ad126cbcd245bc65a119bfc4820ca322dad4ed149712021f126188a27bffd5eb2ccf691acde9307546592953378868f1e7

Filesize: 100KB
MD5: aecb1566152555f6c5a720e83e701849
SHA1: 9f4c53e7140f65a9b7bf23c8c328a3b2fa6d7641
SHA256: d20656bc4770113daefaa15fac025c2e3350a10bef697012d36843e198c1a7d8
SHA512: 6481cb546d7d7c6cf0945ee69d563549deb7cee66dd008f8ba37a94cc9bb6d09580ebf013309e7d0bfc672394cdad2f8b7f1e1dbf3cc93ae2448ddcd98173453