Analysis
max time kernel: 42s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 01:46
Static task: static1
Behavioral task: behavioral1
Sample: 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Resource: win7-20240903-en
General
Target: 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Size: 728KB
MD5: a12515737c5a5104aeae4770e438edb0
SHA1: 3db635b3078f8f49d621a83e433e013fc7517734
SHA256: 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419a
SHA512: 182be481d9b10e8b6eef9f5d7240420fadb36e08a394a84acb5845de434c41ce7a6683a22fd8bb6ae380c0ae99373530730be99ab9d1103ec2d3ba21c461a30d
SSDEEP: 12288:VTyjXW+48qWywrU4kGFezOAVuJ5PIQww7F5DO3HYffmZ8HHWY4:ZIXW/8yw1ez54lImF5SXYHmy2Y4
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rundll32.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Executes dropped EXE (1 IoC)
pid | Process
3640 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J:, \??\K:, \??\V:, \??\W:, \??\T:, \??\X:, \??\Z:, \??\A:, \??\M:, \??\O:, \??\Q:, \??\U:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\L:, \??\N:, \??\P:, \??\R:, \??\S:, \??\Y: (one IoC per drive letter) | rundll32.exe
Memory regions matching yara rule upx
resource | yara_rule
behavioral2/memory/1844-N-0x00000000032A0000-0x000000000435A000-memory.dmp for N in 3, 4, 5, 6, 12, 13, 16, 18, 19, 22, 25, 26, 29, 31, 34 | upx
behavioral2/memory/3640-N-0x0000000004EF0000-0x0000000005FAA000-memory.dmp for N in 55, 57, 58, 59, 60, 61, 62, 63, 64, 65, 75, 76, 77, 78, 79, 81, 82, 83, 84, 86, 87, 95, 98 | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57d3da | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
File opened for modification | C:\Windows\SYSTEM.INI | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
File created | C:\Windows\e5822c5 | rundll32.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe (listed 4 times)
3640 | rundll32.exe (listed 6 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe (this identical row is listed 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
3640 | rundll32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1844 wrote to memory of 764 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 8
PID 1844 wrote to memory of 772 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 9
PID 1844 wrote to memory of 1020 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 13
PID 1844 wrote to memory of 2796 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 49
PID 1844 wrote to memory of 2908 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 50
PID 1844 wrote to memory of 3028 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 52
PID 1844 wrote to memory of 3520 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 56
PID 1844 wrote to memory of 3616 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 57
PID 1844 wrote to memory of 3812 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 58
PID 1844 wrote to memory of 3920 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 59
PID 1844 wrote to memory of 4020 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 60
PID 1844 wrote to memory of 1088 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 61
PID 1844 wrote to memory of 3952 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 62
PID 1844 wrote to memory of 2528 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 74
PID 1844 wrote to memory of 2516 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 76
PID 1844 wrote to memory of 4936 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 83
PID 1844 wrote to memory of 3640 | 1844 | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | 85 (listed 3 times)
PID 3640 wrote to memory of 764 | 3640 | rundll32.exe | 8
PID 3640 wrote to memory of 772 | 3640 | rundll32.exe | 9
PID 3640 wrote to memory of 1020 | 3640 | rundll32.exe | 13
PID 3640 wrote to memory of 2796 | 3640 | rundll32.exe | 49
PID 3640 wrote to memory of 2908 | 3640 | rundll32.exe | 50
PID 3640 wrote to memory of 3028 | 3640 | rundll32.exe | 52
PID 3640 wrote to memory of 3520 | 3640 | rundll32.exe | 56
PID 3640 wrote to memory of 3616 | 3640 | rundll32.exe | 57
PID 3640 wrote to memory of 3812 | 3640 | rundll32.exe | 58
PID 3640 wrote to memory of 3920 | 3640 | rundll32.exe | 59
PID 3640 wrote to memory of 4020 | 3640 | rundll32.exe | 60
PID 3640 wrote to memory of 1088 | 3640 | rundll32.exe | 61
PID 3640 wrote to memory of 3952 | 3640 | rundll32.exe | 62
PID 3640 wrote to memory of 2528 | 3640 | rundll32.exe | 74
PID 3640 wrote to memory of 2516 | 3640 | rundll32.exe | 76
(each of the 15 rows for PID 3640 is listed 3 times in the report)
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32.exe
Processes
(tree depth in brackets; path, then command line, then PID)

[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:764
[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:772
[1] C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1020
[1] C:\Windows\system32\sihost.exe | sihost.exe | PID:2796
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2908
[1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3028
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3520
    [2] C:\Users\Admin\AppData\Local\Temp\836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe | "C:\Users\Admin\AppData\Local\Temp\836669173d279f786c284114689d3b20085fea86f2ccbdda4736e542a5b3419aN.exe" | PID:1844
        - Modifies firewall policy service
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe | PID:3640
            - Modifies firewall policy service
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3616
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3812
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3920
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4020
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:1088
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3952
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2528
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2516
[1] C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4936
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (8)