Analysis

max time kernel: 117s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 01:46

Static task: static1
Behavioral task: behavioral1
Sample: 114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe
Resource: win7-20241010-en
General

Target: 114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe
Size: 100KB
MD5: 81c45fbdb0de953b797406dcd2557a79
SHA1: 8f9c9f945d8c756fa709df07487c7e31099ce952
SHA256: 114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979
SHA512: 07b7f661f781194659e637d0eb483611f830e9d241e2cf1efb1c9619a7b5afff2d63978d11ce583c12d3e99784e02cd6d80864cd70d255be0196a2fcb8758aad
SSDEEP: 3072:JLAHkc9g8tbaJieBtpj47KqEw1OhilwvT:JLckcutJiYD47KqEwWywvT
Malware Config

Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
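The configuration above is the most directly actionable part of the report. The following Python script is an added example, not part of the sandbox output, that turns those six URLs into defanged indicators and Suricata HTTP-host and DNS-query rules. The URL list is copied from the section above; SID_BASE, the msg text and the classtype are assumed local conventions to be replaced with your own.

```python
"""
Build defanged IOCs and Suricata rules from the Sality URLs extracted above.

Added example, not sandbox output. The URL list is copied from the report;
SID_BASE and the msg/classtype text are assumed local conventions.
"""
import ipaddress
from urllib.parse import urlsplit

SALITY_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

SID_BASE = 9100000  # assumed; use a range reserved for local rules


def classify(url):
    """Return (host, path, is_ip) for one URL; host is lowercased."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return host, parts.path or "/", is_ip


def defang(url):
    """hxxp://host[.]tld form so the indicator is not clickable in tickets."""
    return (url.replace("http://", "hxxp://", 1)
               .replace("https://", "hxxps://", 1)
               .replace(".", "[.]"))


def unique_hosts(urls):
    """Distinct hosts in first-seen order, each with the paths requested on it."""
    hosts = {}
    for url in urls:
        host, path, is_ip = classify(url)
        info = hosts.setdefault(host, {"is_ip": is_ip, "paths": []})
        if path not in info["paths"]:
            info["paths"].append(path)
    return hosts


def suricata_rules(urls, sid_base=SID_BASE):
    """One http.host rule per host, plus a dns.query rule per domain name.

    Suricata lowercases the http.host buffer, so the pattern must be lowercase
    and 'nocase' must not be used on it; dns.query does accept nocase.
    """
    rules = []
    sid = sid_base
    hosts = unique_hosts(urls)
    for host, info in hosts.items():
        kind = "ip" if info["is_ip"] else "domain"
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Sality C2 HTTP {kind} {host}"; flow:established,to_server; '
            f'http.host; content:"{host}"; classtype:trojan-activity; '
            f"sid:{sid}; rev:1;)"
        )
        sid += 1
    for host, info in hosts.items():
        if info["is_ip"]:
            continue  # an IP literal is never looked up in DNS
        rules.append(
            "alert dns $HOME_NET any -> any any "
            f'(msg:"Sality C2 DNS lookup {host}"; dns.query; content:"{host}"; '
            f"nocase; isdataat:!1,relative; classtype:trojan-activity; sid:{sid}; rev:1;)"
        )
        sid += 1
    return rules


if __name__ == "__main__":
    for url in SALITY_URLS:
        print(defang(url))
    print()
    print("\n".join(suricata_rules(SALITY_URLS)))
```

The HTTP rules key on the Host header rather than the full URL because the paths (home.gif, testo5) are cheap for the operator to change while the domains are the registered infrastructure; the DNS rules catch the lookup even when the HTTP request never completes.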
Signatures

Process for every IoC in this section: 114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe (PID 5032, the submitted sample). Signature names follow the per-process list in the Processes section.

Modifies firewall policy service (3 TTPs, 3 IoCs)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"

Sality family
  (family match; no IoC table)

UAC bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Windows security modification
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int) for the same six Security Center values listed under Windows security bypass (AntiVirusOverride, AntiVirusDisableNotify, FirewallDisableNotify, FirewallOverride, UpdatesDisableNotify, UacDisableNotify), each = "1"

Checks whether UAC is enabled
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

The Security Center values land under WOW6432Node because the sample is a 32-bit process and HKLM\SOFTWARE is subject to WOW64 registry redirection; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion is a shared key, which is why the EnableLUA write is not redirected. EnableLUA = 0 takes effect only after a reboot, but the write itself is a high-signal indicator on any host.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) on the root of each of: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:
  (every letter from E: to Z: except F:, which appears in the next signature as a write target for autorun.inf)
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification C:\autorun.inf
  File opened for modification F:\autorun.inf
YARA rule hits: upx (37 IoCs)
  Rule "upx" matched 37 memory dumps of PID 5032, behavioral2/memory/5032-<n>-0x00000000022C0000-0x000000000334E000-memory.dmp with n in {3, 4, 5, 6, 7, 10, 11, 12, 15, 16, 17, 18, 19, 20, 22, 23, 24, 26, 27, 29, 30, 34, 36, 39, 40, 43, 45, 47, 49, 51, 57, 59, 62, 64, 66, 68, 70}.
  Every hit covers the same region 0x00000000022C0000-0x000000000334E000 (0x108E000 bytes, about 16.6 MiB) of the sample's address space, far larger than the 100KB file on disk.
Drops file in Program Files directory (11 IoCs)
  File opened for modification:
    C:\PROGRAM FILES\7-ZIP\7z.exe
    C:\PROGRAM FILES\7-ZIP\7zFM.exe
    C:\PROGRAM FILES\7-ZIP\7zG.exe
    C:\PROGRAM FILES\7-ZIP\Uninstall.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
  All 11 targets are executables that already exist on the image, consistent with Sality's PE file-infector behaviour rather than with dropping new files as the signature name suggests.

Drops file in Windows directory (1 IoCs)
  File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies registry class (1 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  All 24 entries: PID 5032, 114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries: Token: SeDebugPrivilege, PID 5032, 114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe
  SeDebugPrivilege is what the sample needs to open handles to the other session processes that the next signature shows it writing into.
Suspicious use of WriteProcessMemory (64 IoCs)
  Source for every row: PID 5032, 114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe. The 64 rows cycle through the same 15 targets in the same order (four full passes plus the first four of a fifth). Distinct targets, resolved against the Processes section:

  target PID  procid_target  process
  796         8              fontdrvhost.exe
  804         9              fontdrvhost.exe
  376         13             dwm.exe
  2552        42             sihost.exe
  2580        43             svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  2660        45             taskhostw.exe
  3452        56             Explorer.EXE (the sample's parent in the process tree)
  3620        57             svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  3836        58             DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  3928        59             StartMenuExperienceHost.exe
  3992        60             RuntimeBroker.exe
  4088        61             SearchApp.exe
  3676        62             RuntimeBroker.exe
  1744        75             TextInputHost.exe
  212         76             RuntimeBroker.exe
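The table above is the single most telling signature in the report: one process writing into fifteen different processes that span the shell, the desktop window manager, both font driver hosts and every broker in the session. The following Python script is an added example, not sandbox output, that parses rows in the report's own "PID <src> wrote to memory of <dst> <src> <image> <index>" format, resolves the targets against the Processes section, and applies a fan-out heuristic. It embeds the first 17 rows above, re-created from their (target PID, index) pairs, and a constructed benign case (an installer writing into its one child) for contrast; the threshold of five targets and the SESSION_CORE set are the script's own choices.

```python
"""
Summarise the WriteProcessMemory rows above: which processes the sample wrote
into, how many times, and whether the fan-out looks like session-wide injection
rather than a parent writing into one freshly created child.

Added example, not sandbox output. REPORT_ROWS re-creates the first 17 rows of
the table (the remaining 47 repeat the same 15 targets in the same order);
PROCESS_NAMES comes from the report's Processes section; BENIGN_ROWS is a
constructed comparison case. The trailing number on each row is the index the
report attaches to the target process.
"""
import re

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

SAMPLE = "114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe"

PROCESS_NAMES = {
    796: "fontdrvhost.exe", 804: "fontdrvhost.exe", 376: "dwm.exe",
    2552: "sihost.exe", 2580: "svchost.exe (CDPUserSvc)", 2660: "taskhostw.exe",
    3452: "Explorer.EXE", 3620: "svchost.exe (cbdhsvc)", 3836: "DllHost.exe",
    3928: "StartMenuExperienceHost.exe", 3992: "RuntimeBroker.exe",
    4088: "SearchApp.exe", 3676: "RuntimeBroker.exe", 1744: "TextInputHost.exe",
    212: "RuntimeBroker.exe", 5032: SAMPLE,
}

# (target PID, index) pairs of the first 17 rows, in report order.
REPORT_ROWS = "\n".join(
    f"PID 5032 wrote to memory of {dst} 5032 {SAMPLE} {idx}"
    for dst, idx in [(796, 8), (804, 9), (376, 13), (2552, 42), (2580, 43),
                     (2660, 45), (3452, 56), (3620, 57), (3836, 58), (3928, 59),
                     (3992, 60), (4088, 61), (3676, 62), (1744, 75), (212, 76),
                     (796, 8), (804, 9)]
)

# Constructed: an installer writing into the single child it just spawned.
BENIGN_ROWS = "PID 4000 wrote to memory of 4012 4000 setup.exe 3"

# Processes that exist once per interactive session and that no ordinary
# application has a reason to write into.
SESSION_CORE = {"explorer.exe", "dwm.exe", "fontdrvhost.exe", "sihost.exe"}


def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, target_index) for each row in text."""
    for m in ROW.finditer(text):
        src, dst, src_again, image, idx = m.groups()
        if src != src_again:  # the row repeats the source PID; a mismatch is a parse slip
            raise ValueError(f"inconsistent row: {m.group(0)}")
        yield int(src), int(dst), image, int(idx)


def summarise(text, names=PROCESS_NAMES):
    """Per source PID: image, write count, distinct targets (pid -> name), verdict."""
    out = {}
    for src, dst, image, _ in parse_rows(text):
        e = out.setdefault(src, {"image": image, "writes": 0, "targets": {}})
        e["writes"] += 1
        e["targets"][dst] = names.get(dst, "?")
    for e in out.values():
        hit_core = {n.split(" ")[0].lower() for n in e["targets"].values()} & SESSION_CORE
        e["distinct_targets"] = len(e["targets"])
        e["core_processes_hit"] = sorted(hit_core)
        # A legitimate parent writes into the one or two children it created.
        # Five or more distinct targets that include the shell, DWM, sihost or
        # the font driver hosts is the Sality pattern: inject into everything.
        e["session_wide"] = e["distinct_targets"] >= 5 and bool(hit_core)
    return out


if __name__ == "__main__":
    for src, e in summarise(REPORT_ROWS).items():
        print(f"PID {src} ({e['image']}): {e['writes']} writes into "
              f"{e['distinct_targets']} processes; session_wide={e['session_wide']}")
        for pid, name in e["targets"].items():
            print(f"  -> {pid:>5} {name}")
```

Run against live telemetry, the same logic applies to Sysmon Event ID 8 (CreateRemoteThread) or an EDR's cross-process write events: group by source, count distinct targets, and weight targets that are session infrastructure rather than the source's own children.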
System policy modification (1 TTPs, 1 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
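The firewall-policy, Security Center and EnableLUA writes in the signatures above are the part of this run worth turning into a detection. The following Python script is an added example, not sandbox output, that scans Sysmon Event ID 13 (registry value set) records for those exact values being forced to the states the sample set. The log lines are constructed; the normalisation of the sandbox's \REGISTRY\MACHINE path form, of ControlSet001 and of the WOW6432Node view is the script's own; and the DoNotAllowExceptions = 0 write is deliberately not counted because 0 is the Windows default.

```python
"""
Flag the security-control tampering listed in the signatures above (firewall
policy, Security Center override/notify flags, EnableLUA) in Sysmon Event ID 13
"RegistryEvent (Value Set)" records.

Added example, not sandbox output. Log lines are constructed in a simple
"field=value|field=value" form; replace parse_line() with your pipeline's
parser. The watchlist is the set of values the sample set in the report,
in normalised form (HKLM prefix, CurrentControlSet, WOW6432Node removed).
"""
import re
from collections import defaultdict

# value path -> (category, value the sample forced). DoNotAllowExceptions = 0
# from the report is left out: 0 is the Windows default, so writing it is not
# evidence on its own.
TAMPER_VALUES = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": ("firewall", 0),
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications": ("firewall", 1),
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride": ("security_center", 1),
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": ("security_center", 1),
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride": ("security_center", 1),
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": ("security_center", 1),
    r"HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": ("security_center", 1),
    r"HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify": ("security_center", 1),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": ("uac", 0),
}
_LOOKUP = {k.lower(): v for k, v in TAMPER_VALUES.items()}

_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.IGNORECASE)
_WOW64 = re.compile(r"\\WOW6432Node", re.IGNORECASE)
_DWORD = re.compile(r"DWORD\s*\(0x([0-9A-Fa-f]+)\)")


def normalise(path):
    """Map the NT form the sandbox prints (\\REGISTRY\\MACHINE), HKEY_LOCAL_MACHINE
    and Sysmon's HKLM onto one prefix; fold ControlSetNNN into CurrentControlSet;
    drop the WOW6432Node view a 32-bit process is redirected to."""
    for prefix in ("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\"):
        if path.upper().startswith(prefix.upper()):
            path = "HKLM\\" + path[len(prefix):]
    path = _CONTROLSET.sub(r"\\CurrentControlSet\\", path)
    return _WOW64.sub("", path)


def parse_line(line):
    """'k=v|k=v' -> dict. Values may contain spaces but not '|'."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def parse_dword(details):
    """Sysmon renders a DWORD as 'DWORD (0x00000001)'; bare integers also accepted."""
    m = _DWORD.search(details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip())
    except ValueError:
        return None


def scan(lines):
    """One finding per image that set a watched value to its tampered state."""
    hits = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f.get("EventID") != "13":
            continue
        entry = _LOOKUP.get(normalise(f.get("TargetObject", "")).lower())
        if entry is None:
            continue
        category, bad_value = entry
        if parse_dword(f.get("Details", "")) == bad_value:
            hits[f.get("Image", "?")].append((category, f["TargetObject"]))
    findings = []
    for image, events in hits.items():
        categories = sorted({c for c, _ in events})
        findings.append({
            "image": image,
            "values_tampered": len(events),
            "categories": categories,
            # The sample hits all three groups in one run. Two or more from the
            # same image is a far stronger signal than any single value, some of
            # which admin tooling writes legitimately.
            "severity": "high" if len(categories) >= 2 else "medium",
        })
    return findings


# Constructed records: three from the sample (one in the NT path form the
# sandbox prints, one through the WOW6432Node view), one benign firewall
# re-enable by netsh, one unrelated HKCU write.
SAMPLE_LOG = [
    r"EventID=13|Image=C:\Users\Admin\AppData\Local\Temp\sample.exe|TargetObject=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall|Details=DWORD (0x00000000)",
    r"EventID=13|Image=C:\Users\Admin\AppData\Local\Temp\sample.exe|TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride|Details=DWORD (0x00000001)",
    r"EventID=13|Image=C:\Users\Admin\AppData\Local\Temp\sample.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|Details=DWORD (0x00000000)",
    r"EventID=13|Image=C:\Windows\System32\netsh.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall|Details=DWORD (0x00000001)",
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the value being set, not merely on the key being touched, is what keeps the netsh line out of the findings: the same EnableFirewall value written as 1 is an administrator turning the firewall back on.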
Processes

PID 796   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 804   C:\Windows\system32\fontdrvhost.exe   cmdline: "fontdrvhost.exe"
PID 376   C:\Windows\system32\dwm.exe   cmdline: "dwm.exe"
PID 2552  C:\Windows\system32\sihost.exe   cmdline: sihost.exe
PID 2580  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2660  C:\Windows\system32\taskhostw.exe   cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3452  C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
  PID 5032  C:\Users\Admin\AppData\Local\Temp\114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe   cmdline: "C:\Users\Admin\AppData\Local\Temp\114d05df803774871e6df992e58736e0cd46284bf9de92ed2dcd958fc7720979.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
PID 3620  C:\Windows\system32\svchost.exe   cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3836  C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3928  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3992  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4088  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3676  C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1744  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 212   C:\Windows\System32\RuntimeBroker.exe   cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

Indentation shows the process tree: the sample (PID 5032) runs as a child of Explorer.EXE (PID 3452). Every other process listed is a pre-existing session process that appears here only because the sample wrote into it (see Suspicious use of WriteProcessMemory above).
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 100KB
MD5: 515770e6307a719f313a2791e1715b32
SHA1: 50ea1676ec734bd6e1f0adf33d5441a5f887345d
SHA256: e0b6454a0f78886259255608d57a4057966004248804fda9456e148c403bca93
SHA512: fe9be26cfc5c6e497d59b9528997d6ab0d8ed16f751fe869e64b953bd469d170dbd3d46295c37cfe0206cc2bd0ed4d99d914f5972483bdc4335e3f6bed558654

This is a different file from the submitted sample (all four hashes differ) despite the identical 100KB size.