Analysis

- max time kernel: 124s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2024 11:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe
- Resource: win7-20241010-en
General

- Target: ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe
- Size: 1.6MB
- MD5: 0fbfa5635f9b8bcc33cc31182aaa5c9e
- SHA1: 7dd25d034ff543bf4b43ed911b3bd31417411a55
- SHA256: ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b
- SHA512: 9f41cee02a30828a41e7ee5d6c8620cca607dc532598063ed27456e71fa73fde8e20d6a671d17b2b222eda78db93bae0cad6e79ece8880cdc3087af8a76b2b49
- SSDEEP: 24576:bIILMXWXZB/vbXAKXp4p6jjR9dIPLbCdM8fG4:ecBHbt57R9dokBG4
Malware Config

Extracted: sality

- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Sality family

UAC bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Windows security bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Windows security modification

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Checks whether UAC is enabled

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Enumerates connected drives (3 TTPs, 21 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\H: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\T: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\V: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\X: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\I: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\K: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\P: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\O: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\R: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\Y: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\Z: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\G: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\L: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\M: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\N: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\U: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\W: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\E: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\J: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\Q: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened (read-only) | \??\S: | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Drops autorun.inf file (1 TTPs, 2 IoCs)

Malware can abuse Windows Autorun to spread further via attached volumes.

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\autorun.inf | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened for modification | F:\autorun.inf | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2092-14-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-1-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-8-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-11-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-7-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-5-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-9-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-12-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-6-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-13-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-10-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-35-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-36-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-37-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-38-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-39-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-41-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-42-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-43-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-51-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-53-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-55-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-57-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-60-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-63-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-68-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-69-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
| behavioral1/memory/2092-72-0x0000000001F00000-0x0000000002FBA000-memory.dmp | upx |
Drops file in Program Files directory (5 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Drops file in Windows directory (2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SYSTEM.INI | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| File created | C:\Windows\f775300 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Modifies Internet Explorer settings

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe = "11001" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Suspicious behavior: EnumeratesProcesses (14 IoCs)

| pid | Process |
| --- | --- |
| 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |

The same entry is recorded 14 times.
Suspicious use of AdjustPrivilegeToken (26 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |

The same entry is recorded 26 times.
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
| --- | --- |
| 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
| 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Suspicious use of WriteProcessMemory (52 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2092 wrote to memory of 1096 | 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe | 19 |
| PID 2092 wrote to memory of 1164 | 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe | 20 |
| PID 2092 wrote to memory of 1204 | 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe | 21 |
| PID 2092 wrote to memory of 1508 | 2092 | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe | 25 |

Each of these four entries is recorded 13 times, in the order shown, for 52 entries in total.
System policy modification (1 TTPs, 1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe |
Processes

- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID:1096
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID:1164
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID:1204
  - C:\Users\Admin\AppData\Local\Temp\ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe ("C:\Users\Admin\AppData\Local\Temp\ebd0773f343d64b0feb2778b7ff4a443185ceda639fff6482baf72737e39b82b.exe"), PID:2092
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID:1508
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads

- Filesize: 97KB
- MD5: bf9f563004107436777b5329199e2f65
- SHA1: 1e934184e1dc9a8f7746b2040b3d222613463ef8
- SHA256: 5616d0d058c85d0515533ee0a56bf5c7804defba3ca183eb04b6c00c42c6ef50
- SHA512: dfb3ec365286ae39e242b0ea618da06dba2e9ad4372567c660f052c7128cac5ce4dd70e608f6800d6b10f9e5da1de8bde4f15901d91c7e219381bfd0b6e50e66