Analysis
-
max time kernel
123s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13/12/2024, 06:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe
Resource
win7-20241010-en
windows7-x64
17 signatures
150 seconds
General
-
Target
3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe
-
Size
1.2MB
-
MD5
911276092cc0ac0b5fae2c4ce4382b0d
-
SHA1
424189fe13b8168989e9a6553394ad4720411acc
-
SHA256
3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80
-
SHA512
b785af74041b72f3cbd316a4ff8ff284ef68fb79fb372c81ddc9345aecbc77a4975f94ae122217030806b89d32f64b2f4bcdfbc7c6735327ed5a2a1906b8b1b4
-
SSDEEP
24576:iagIvCEBXufFWij4EBbjQjcKIzs2JhoYQwORdYJK4kBkhX:DXwHpcszs2LQ3RCI4OkhX
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\W: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\X: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\E: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\L: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\M: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\P: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\Z: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\K: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\N: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\S: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\T: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\G: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\J: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\O: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\R: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\Y: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\H: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\I: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\Q: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened (read-only) \??\U: 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened for modification F:\autorun.inf 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
resource yara_rule behavioral1/memory/2372-7-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-1-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-12-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-11-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-9-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-8-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-6-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-5-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-4-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-3-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-10-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-36-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-35-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-37-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-39-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-38-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-41-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-42-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-43-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-45-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-48-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-64-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-65-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-67-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-69-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-71-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-74-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-75-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-78-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx behavioral1/memory/2372-79-0x0000000001DB0000-0x0000000002E6A000-memory.dmp upx -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\7z.exe 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe File created C:\Windows\f7646ff 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe Token: SeDebugPrivilege 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 PID 2372 wrote to memory of 1068 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 18 PID 2372 wrote to memory of 1156 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 20 PID 2372 wrote to memory of 1196 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 21 PID 2372 wrote to memory of 1192 2372 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe 25 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1068
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1156
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe"C:\Users\Admin\AppData\Local\Temp\3af3f58525555cc4e5656d30c5df2d292bb0ee512e1af95243a6d33d54d54c80.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2372
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1192
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5605087a8f2c37fdd7a6171c26c388d70
SHA1481adb761e1d4a99a86d539ed68baa1e81f5ea71
SHA256da361556db3b571998ee5bbd3a780a12a22c3334d3fb83b532f439a403e5a366
SHA5128130d2c5303b1b40b7efd41dfa178290743d2b0504bd9c366dc1ad650dd65b071f6cf8f2b69c76a387d4a7dfbddffc90ce7d2f5904dd21b361b1b555f6f1ddd8