Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe
Resource
win7-20240708-en
windows7-x64
18 signatures
120 seconds
General
-
Target
5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe
-
Size
100KB
-
MD5
824a487ce55ab33c469dec77677b4489
-
SHA1
a5ea51f308731d6931bd5960716e1e87f3c9e377
-
SHA256
5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263
-
SHA512
73e6bbc559c771b1cc8c607645c8ef9f7106adb7870a994f05dc8e5ccbd76e32265db19467b73ade9f44f9cb51df85ec45c028da76da2cae261f49e2611641ef
-
SSDEEP
3072:ClmPJNSSJhZHN9mN0DuoWjr0Tv7ubsSKlc:/PJNNzmJVro79HC
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\V: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\W: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\X: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\Z: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\E: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\I: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\J: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\P: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\R: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\S: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\T: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\Y: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\G: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\H: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\N: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\K: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\L: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\M: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\O: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened (read-only) \??\Q: 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened for modification F:\autorun.inf 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
resource yara_rule behavioral1/memory/2328-1-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-6-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-3-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-5-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-9-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-8-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-7-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-4-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-10-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-25-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-26-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-27-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-28-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-29-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-31-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-44-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-48-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-49-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-52-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-54-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-56-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-58-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-60-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-62-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx behavioral1/memory/2328-64-0x0000000001DC0000-0x0000000002E4E000-memory.dmp upx -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe Token: SeDebugPrivilege 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 PID 2328 wrote to memory of 1108 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 19 PID 2328 wrote to memory of 1172 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 20 PID 2328 wrote to memory of 1228 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 21 PID 2328 wrote to memory of 1080 2328 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe 23 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1108
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1172
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe"C:\Users\Admin\AppData\Local\Temp\5904e14815600b23c36de9fc5f53b3e3a0a6c228f65593b508caed5b99ab4263.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2328
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1080
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5ee42bcff0fa7b0d1ab64e1e055dd4b4f
SHA13772bc0276e29901757e7566d3949f7155b6ee4d
SHA256849f844cba2d40ff701edb710b9363184d6980a4e6da5279722d552b653a6c53
SHA512b4a73b937aba754d7a3e636ef47e8f110d61501e02fced5751ae9111c2c75415f4b4ae0382eecc0a4584968bc515da9d49cf3587ff0b0c3a6aa17db4f9cdd2cc