Analysis
-
max time kernel
91s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 06:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
150 seconds
General
-
Target
e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe
-
Size
1.8MB
-
MD5
591e9d013cda19046f07b1fbc888dd6a
-
SHA1
c60e3f3e98fc588dfc724215e12617e62f7364fb
-
SHA256
e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42
-
SHA512
537773f933c7fa9346fa4d4465a6bd251c5ec7d7e45a259b493353ba0eccd4557d816f7e81f8bc5149b04caaa9b42b17e76eb30f27c544b5b631f5cac6753544
-
SSDEEP
49152:sffZMOlq1y3vPhIkNqNoNI/y21vtJndjh7CdxE26:IZTwxd/FtJdjh7Az6
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
resource yara_rule behavioral2/memory/4440-1-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-10-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-4-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-3-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-11-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-13-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-12-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-5-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-16-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-21-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-22-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-23-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-24-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-25-0x0000000002200000-0x000000000328E000-memory.dmp upx behavioral2/memory/4440-28-0x0000000002200000-0x000000000328E000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe Token: SeDebugPrivilege 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 4440 wrote to memory of 796 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 8 PID 4440 wrote to memory of 800 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 9 PID 4440 wrote to memory of 388 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 13 PID 4440 wrote to memory of 2420 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 42 PID 4440 wrote to memory of 2436 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 43 PID 4440 wrote to memory of 2684 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 47 PID 4440 wrote to memory of 3412 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 56 PID 4440 wrote to memory of 3536 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 57 PID 4440 wrote to memory of 3724 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 58 PID 4440 wrote to memory of 3812 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 59 PID 4440 wrote to memory of 3880 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 60 PID 4440 wrote to memory of 3972 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 61 PID 4440 wrote to memory of 4100 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 62 PID 4440 wrote to memory of 3732 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 74 PID 4440 wrote to memory of 4452 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 76 PID 4440 wrote to memory of 1236 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 81 PID 4440 wrote to memory of 796 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 8 PID 4440 wrote to memory of 800 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 9 PID 4440 wrote to memory of 388 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 13 PID 4440 wrote to memory of 2420 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 42 PID 4440 wrote to memory of 2436 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 43 PID 4440 wrote to memory of 2684 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 47 PID 4440 wrote to memory of 3412 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 56 PID 4440 wrote to memory of 3536 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 57 PID 4440 wrote to memory of 3724 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 58 PID 4440 wrote to memory of 3812 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 59 PID 4440 wrote to memory of 3880 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 60 PID 4440 wrote to memory of 3972 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 61 PID 4440 wrote to memory of 4100 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 62 PID 4440 wrote to memory of 3732 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 74 PID 4440 wrote to memory of 4452 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 76 PID 4440 wrote to memory of 1236 4440 e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe 81 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:796
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:388
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2436
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2684
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe"C:\Users\Admin\AppData\Local\Temp\e98c4b558cb8ba13d205e75f1536448f6f8e2084c41fed17c46e7a89534b8b42.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4440
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3536
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3724
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3812
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3880
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3972
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4100
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:3732
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4452
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1236
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5