Analysis
max time kernel: 31s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 03:05
Static task: static1
Behavioral task: behavioral1
Sample: 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Resource: win7-20240903-en
General
Target: 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Size: 1.1MB
MD5: dccfa9d28ed1ae89bd574d60aef59970
SHA1: 3da6e8cf97bb4801dc38fb88afed711d954f7d89
SHA256: 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1b
SHA512: 69fde639caa70aa18cb3a026f60b0e5c499ae66c22af8b4191ae35b522370c52677d472766373afc73552cbb640ced7766691f43ba9a4cd4ff8d83ab59f48ce2
SSDEEP: 24576:W1/aGLDCM4D8ayGMCPnXo8/ql8ahCKn+xnjbmf8NRUoNvo2OKVlnFr4sIZjUHt99:FD8ayGM0Xonl84UHmf8NRUoNvo2OKVlJ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tqhull.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tqhull.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | tqhull.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Disables Task Manager via registry modification
Deletes itself 1 IoCs
pid | Process
4044 | tqhull.exe
Executes dropped EXE 1 IoCs
pid | Process
4044 | tqhull.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | tqhull.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tqhull.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tqhull.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\tqhull.exe" | tqhull.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tqhull.exe
resource | yara_rule
behavioral2/memory/1620-1-0x0000000002750000-0x00000000037DE000-memory.dmp | upx
behavioral2/memory/1620-4-0x0000000002750000-0x00000000037DE000-memory.dmp | upx
behavioral2/memory/1620-3-0x0000000002750000-0x00000000037DE000-memory.dmp | upx
behavioral2/memory/1620-5-0x0000000002750000-0x00000000037DE000-memory.dmp | upx
behavioral2/memory/1620-8-0x0000000002750000-0x00000000037DE000-memory.dmp | upx
behavioral2/memory/1620-14-0x0000000002750000-0x00000000037DE000-memory.dmp | upx
behavioral2/memory/1620-10-0x0000000002750000-0x00000000037DE000-memory.dmp | upx
behavioral2/memory/4044-93-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-95-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-98-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-102-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-101-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-100-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-97-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-96-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-99-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-107-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-108-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-139-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-140-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-144-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-145-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-181-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-179-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-182-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-216-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-220-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-226-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-225-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-261-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-264-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-268-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-269-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-302-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-306-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-338-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-339-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
behavioral2/memory/4044-340-0x00000000025F0000-0x000000000367E000-memory.dmp | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqhull.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
4044 | tqhull.exe
4044 | tqhull.exe
4044 | tqhull.exe
4044 | tqhull.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
(the same row is recorded 64 times: every IoC in this signature is SeDebugPrivilege being adjusted by PID 1620)
Suspicious use of WriteProcessMemory 50 IoCs
description | pid | Process | procid_target
PID 1620 wrote to memory of 776 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 8
PID 1620 wrote to memory of 784 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 9
PID 1620 wrote to memory of 336 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 13
PID 1620 wrote to memory of 2664 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 45
PID 1620 wrote to memory of 2680 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 46
PID 1620 wrote to memory of 3056 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 52
PID 1620 wrote to memory of 3376 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 56
PID 1620 wrote to memory of 3580 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 57
PID 1620 wrote to memory of 3772 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 58
PID 1620 wrote to memory of 3872 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 59
PID 1620 wrote to memory of 3932 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 60
PID 1620 wrote to memory of 4024 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 61
PID 1620 wrote to memory of 2988 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 62
PID 1620 wrote to memory of 4108 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 75
PID 1620 wrote to memory of 3888 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 76
PID 1620 wrote to memory of 116 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 81
PID 1620 wrote to memory of 4044 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 83
PID 1620 wrote to memory of 4044 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 83
PID 1620 wrote to memory of 4044 | 1620 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 83
PID 4044 wrote to memory of 776 | 4044 | tqhull.exe | 8
PID 4044 wrote to memory of 784 | 4044 | tqhull.exe | 9
PID 4044 wrote to memory of 336 | 4044 | tqhull.exe | 13
PID 4044 wrote to memory of 2664 | 4044 | tqhull.exe | 45
PID 4044 wrote to memory of 2680 | 4044 | tqhull.exe | 46
PID 4044 wrote to memory of 3056 | 4044 | tqhull.exe | 52
PID 4044 wrote to memory of 3376 | 4044 | tqhull.exe | 56
PID 4044 wrote to memory of 3580 | 4044 | tqhull.exe | 57
PID 4044 wrote to memory of 3772 | 4044 | tqhull.exe | 58
PID 4044 wrote to memory of 3872 | 4044 | tqhull.exe | 59
PID 4044 wrote to memory of 3932 | 4044 | tqhull.exe | 60
PID 4044 wrote to memory of 4024 | 4044 | tqhull.exe | 61
PID 4044 wrote to memory of 2988 | 4044 | tqhull.exe | 62
PID 4044 wrote to memory of 4108 | 4044 | tqhull.exe | 75
PID 4044 wrote to memory of 3888 | 4044 | tqhull.exe | 76
PID 4044 wrote to memory of 776 | 4044 | tqhull.exe | 8
PID 4044 wrote to memory of 784 | 4044 | tqhull.exe | 9
PID 4044 wrote to memory of 336 | 4044 | tqhull.exe | 13
PID 4044 wrote to memory of 2664 | 4044 | tqhull.exe | 45
PID 4044 wrote to memory of 2680 | 4044 | tqhull.exe | 46
PID 4044 wrote to memory of 3056 | 4044 | tqhull.exe | 52
PID 4044 wrote to memory of 3376 | 4044 | tqhull.exe | 56
PID 4044 wrote to memory of 3580 | 4044 | tqhull.exe | 57
PID 4044 wrote to memory of 3772 | 4044 | tqhull.exe | 58
PID 4044 wrote to memory of 3872 | 4044 | tqhull.exe | 59
PID 4044 wrote to memory of 3932 | 4044 | tqhull.exe | 60
PID 4044 wrote to memory of 4024 | 4044 | tqhull.exe | 61
PID 4044 wrote to memory of 2988 | 4044 | tqhull.exe | 62
PID 4044 wrote to memory of 4108 | 4044 | tqhull.exe | 75
PID 4044 wrote to memory of 3888 | 4044 | tqhull.exe | 76
PID 4044 wrote to memory of 2756 | 4044 | tqhull.exe | 88
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tqhull.exe
Processes
(process tree; indentation shows parent/child depth; columns: image path | command line | PID)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:336
C:\Windows\system32\sihost.exe | sihost.exe | PID:2664
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2680
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3056
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3376
  C:\Users\Admin\AppData\Local\Temp\9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | "C:\Users\Admin\AppData\Local\Temp\9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe" | PID:1620
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\ProgramData\tqhull.exe | "C:\ProgramData\tqhull.exe" | PID:4044
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3580
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3772
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3872
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3932
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4024
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2988
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4108
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3888
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:116
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2756
Network
MITRE ATT&CK Enterprise v15 (technique followed by the number of matching signatures)
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Impair Defenses 4
    Disable or Modify System Firewall 1
    Disable or Modify Tools 3
  Modify Registry 6
Downloads
Filesize: 1.1MB
MD5: 32dba20006846ae6309f8806b4e617c3
SHA1: 16b300f16579ae918eafc3fef9f2caac6fff3fc7
SHA256: 609e9cdf98536c66800f139e49885f8a1e2103b39b5f079d297ce293d455a96d
SHA512: b844db4b6f44c05ab2c9ff92d1823c2570551d6d979be9cdc67cf9996d463654c44b59c22935f05ad44bb7d3cbb3423267110e6455c3958b9e8cc7e5f54d618c

Filesize: 557KB
MD5: 6f1656028d98fceaa83d9b6f8cc5459d
SHA1: 7f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA256: 2121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512: cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e

Filesize: 522KB
MD5: 6446bbe2addac3f982b578c153b4052e
SHA1: d8959dad9432a64837ce1055e1f7027bae652c6a
SHA256: 772d512687c47d87af5db585360fd029c54696ada86c144b2ebcfc2017a9a67c
SHA512: 8f1ee09ee5b9e79b266483510b2411f1b2fca43131ac06e82c6413eb23a138ad60df0bcb35fda1d2b3eacd5ea66ef907204998ba056aebe3c97f4d15fd1b28d8

Filesize: 257B
MD5: 5e20aaeef027cdeb11e3de212291200e
SHA1: 1b368e0d760463aa66f226df1338a1a875d3311d
SHA256: d2d4c3ffc887c84596fe4581b53baaade7ef84f5c48a006f0fac725d0dc13224
SHA512: 268b4a3fcbc081464a9d5ed86c344b9f682eafed222c6620ceb88b3dfabdf54cbccc8c33367fa4cf1fb60ee112edf97319e85bc0d9f551a5863cf88a8bb230e8