Analysis
-
max time kernel
124s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2024 07:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
General
-
Target
5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe
-
Size
1.6MB
-
MD5
2b331806fcbd1b53fbe3c1806dea2727
-
SHA1
6d4dd5d66d74a1be03ea3fca77ff5202dd7013f5
-
SHA256
5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc
-
SHA512
88d8fd52829caf7e425f61e95f34359c18073840d7d8cab9f588c11c0dbed015b6baa843209763b5a1955ad0781557b3c8655617ece1fba04e4699ac40aa0bf0
-
SSDEEP
24576:V1ptDiqXtwc3MiSuA9FpacpViJHh5ZoCGxBmg/8B:V1w5oA9vacY5ZoCAv8
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\P: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\U: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\Y: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\Z: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\G: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\I: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\M: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\N: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\X: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\T: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\V: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\W: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\H: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\L: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\O: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\Q: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\R: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\E: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\J: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened (read-only) \??\S: 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification F:\autorun.inf 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
resource yara_rule behavioral2/memory/2040-1-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-4-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-3-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-8-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-9-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-16-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-18-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-19-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-5-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-20-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-21-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-22-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-23-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-24-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-25-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-28-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-30-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-32-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-33-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-36-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-38-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-39-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-42-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-44-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-51-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-53-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-55-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-57-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-60-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-61-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-63-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-65-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-67-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-69-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-71-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-73-0x0000000002560000-0x000000000361A000-memory.dmp upx behavioral2/memory/2040-77-0x0000000002560000-0x000000000361A000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\7zG.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\7-Zip\7z.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\e57cd72 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe File opened for modification C:\Windows\SYSTEM.INI 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe Token: SeDebugPrivilege 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2040 wrote to memory of 780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 8 PID 2040 wrote to memory of 784 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 9 PID 2040 wrote to memory of 384 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 13 PID 2040 wrote to memory of 2928 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 49 PID 2040 wrote to memory of 3032 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 51 PID 2040 wrote to memory of 2172 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 53 PID 2040 wrote to memory of 3464 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 56 PID 2040 wrote to memory of 3604 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 57 PID 2040 wrote to memory of 3780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 58 PID 2040 wrote to memory of 3876 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 59 PID 2040 wrote to memory of 3944 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 60 PID 2040 wrote to memory of 4036 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 61 PID 2040 wrote to memory of 4104 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 62 PID 2040 wrote to memory of 2540 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 75 PID 2040 wrote to memory of 5020 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 76 PID 2040 wrote to memory of 2696 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 81 PID 2040 wrote to memory of 780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 8 PID 2040 wrote to memory of 784 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 9 PID 2040 wrote to memory of 384 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 13 PID 2040 wrote to memory of 2928 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 49 PID 2040 wrote to memory of 3032 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 51 PID 2040 wrote to memory of 2172 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 53 PID 2040 wrote to memory of 3464 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 56 PID 2040 wrote to memory of 3604 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 57 PID 2040 wrote to memory of 3780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 58 PID 2040 wrote to memory of 3876 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 59 PID 2040 wrote to memory of 3944 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 60 PID 2040 wrote to memory of 4036 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 61 PID 2040 wrote to memory of 4104 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 62 PID 2040 wrote to memory of 2540 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 75 PID 2040 wrote to memory of 5020 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 76 PID 2040 wrote to memory of 2696 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 81 PID 2040 wrote to memory of 780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 8 PID 2040 wrote to memory of 784 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 9 PID 2040 wrote to memory of 384 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 13 PID 2040 wrote to memory of 2928 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 49 PID 2040 wrote to memory of 3032 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 51 PID 2040 wrote to memory of 2172 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 53 PID 2040 wrote to memory of 3464 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 56 PID 2040 wrote to memory of 3604 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 57 PID 2040 wrote to memory of 3780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 58 PID 2040 wrote to memory of 3876 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 59 PID 2040 wrote to memory of 3944 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 60 PID 2040 wrote to memory of 4036 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 61 PID 2040 wrote to memory of 4104 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 62 PID 2040 wrote to memory of 2540 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 75 PID 2040 wrote to memory of 5020 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 76 PID 2040 wrote to memory of 780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 8 PID 2040 wrote to memory of 784 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 9 PID 2040 wrote to memory of 384 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 13 PID 2040 wrote to memory of 2928 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 49 PID 2040 wrote to memory of 3032 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 51 PID 2040 wrote to memory of 2172 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 53 PID 2040 wrote to memory of 3464 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 56 PID 2040 wrote to memory of 3604 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 57 PID 2040 wrote to memory of 3780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 58 PID 2040 wrote to memory of 3876 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 59 PID 2040 wrote to memory of 3944 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 60 PID 2040 wrote to memory of 4036 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 61 PID 2040 wrote to memory of 4104 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 62 PID 2040 wrote to memory of 2540 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 75 PID 2040 wrote to memory of 5020 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 76 PID 2040 wrote to memory of 780 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 8 PID 2040 wrote to memory of 784 2040 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe 9 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:384
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2928
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3032
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2172
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe"C:\Users\Admin\AppData\Local\Temp\5dbd448bee9e15aa69d49632df9cc7c8101dde9251ffe6415fb688fc35772ebc.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3604
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3780
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3876
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3944
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4036
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4104
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2540
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5020
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2696
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD584d024df9dcc7afc15f2c90cc0f4779c
SHA1a93b5e333e05ebfb0eb85e30b904b3a2d1d7e0b0
SHA2560087eca2d18fe0d848493373d9c4eb5cefcc4f2c68426c152b7eae79e33fe64d
SHA5125d0ac843314b878be055aa0e6c86a38132b4db196705e06164b484850629bd6edf19e07c2788d2632eb940c20e22d7e6c92c43149712abd4361dc3c3e8855a9f