Analysis
max time kernel: 118s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 09:41
Static task: static1
Behavioral task: behavioral1
Sample: b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Resource: win7-20241010-en
General
Target: b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Size: 65KB
MD5: 91d8c890347da4086c59879e7d7fc2e0
SHA1: fcc725a1339f6608b45d56be57ca507458c7f932
SHA256: b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5
SHA512: cbb433802c7420111e2392bed251b0293d612152509cf7361804304d81b4d8699108c3f6ad22f265fb078fa6d66508a146410d091ef29a4fa935c921d103bf49
SSDEEP: 1536:ST8GSRPk76N1qSXKOZX68GlgPRK7GGgvd8Y+yI+8kmxQ5zd/XGk4B:4SRPkk17XKOZX68GOK7GGgv2yI+8Fxk4
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H:, \??\L:, \??\M:, \??\R:, \??\U:, \??\V:, \??\G:, \??\Y:, \??\Z:, \??\Q:, \??\J:, \??\N:, \??\T:, \??\X:, \??\E:, \??\K:, \??\O:, \??\P:, \??\S:, \??\W:, \??\I: (one entry per drive letter, 21 entries) | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | F:\autorun.inf | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
resource | yara_rule
behavioral2/memory/5032-N-0x0000000000760000-0x000000000181A000-memory.dmp | upx
(N = 1, 9, 5, 3, 6, 4, 7, 10, 16, 8, 17, 23, 22, 24, 25, 26, 28, 29, 30, 32, 34, 36, 38, 41, 42, 46, 48, 49, 50, 51, 58, 59, 62, 63, 66, 69, 70, 73, 72, 78; 40 memory dumps of PID 5032, all covering the same 0x0000000000760000-0x000000000181A000 region and all matching the upx rule)
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zG.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e57bdc2 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
File opened for modification | C:\Windows\SYSTEM.INI | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe (24 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5032 wrote to memory of 760 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 8
PID 5032 wrote to memory of 764 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 9
PID 5032 wrote to memory of 60 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 13
PID 5032 wrote to memory of 2552 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 44
PID 5032 wrote to memory of 2632 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 45
PID 5032 wrote to memory of 2844 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 49
PID 5032 wrote to memory of 3488 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 56
PID 5032 wrote to memory of 3676 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 57
PID 5032 wrote to memory of 3876 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 58
PID 5032 wrote to memory of 3972 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 59
PID 5032 wrote to memory of 4040 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 60
PID 5032 wrote to memory of 2832 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 61
PID 5032 wrote to memory of 4112 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 62
PID 5032 wrote to memory of 456 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 74
PID 5032 wrote to memory of 3344 | 5032 | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe | 76
(these 15 rows recur in the same order; the signature recorded 64 entries in total)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe
Processes
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe", PID 760
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe", PID 764
- C:\Windows\system32\dwm.exe, command line "dwm.exe", PID 60
- C:\Windows\system32\sihost.exe, command line sihost.exe, PID 2552
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 2632
- C:\Windows\system32\taskhostw.exe, command line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 2844
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID 3488
  - C:\Users\Admin\AppData\Local\Temp\b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe, command line "C:\Users\Admin\AppData\Local\Temp\b7789c4d07556e019c15acffa2e404ec3ab245921a5cd2c8975ed0f6c1aa66e5N.exe", PID 5032
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 3676
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3876
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3972
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4040
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 2832
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4112
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID 456
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3344
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 105f55b61731c07bd9d3ab78dabb5640
SHA1: b8176acb26716eae5dcbcfdd791e1556f845873a
SHA256: 5631f1cbd80678f5f750984d0e370b389dd8334675a6cb2e74ac1aa08e9ba338
SHA512: fa2f5afce144eb4ad0c44f8bd4e86998fcb5a03ba29ed9f6ad90134e563115fd9ac04670a8387f1ad72bc5c36df75d15f584192170b29a7b3dbb841b2aa49913