Analysis
- max time kernel: 115s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 01:18

Static task: static1
Behavioral task: behavioral1
Sample: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
Resource: win7-20241010-en
General
- Target: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Size: 780KB
- MD5: 0c8eccdbefc96776c9d8e219f9832340
- SHA1: 3db01ae1da1854a8ff8513eb4f342a72d274214f
- SHA256: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955
- SHA512: df0c99851c48dd205f0f896e0735ba4564afc0f99eec2d38951f13f689c597fff211e315cf9dc2b19625aab547b3b8df47edc5b8ff2fc2568d3eeaadc6044a7d
- SSDEEP: 24576:F0ZhDa7BatUBFM8su0ZjpXZN0FmEOGpYmh:FwWNFBFM8s9FpXHunh
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Sality family

UAC bypass
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Disables RegEdit via registry modification 1 IoCs
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Executes dropped EXE 1 IoCs
pid / Process
- 4056: uncrunch.exe
Windows security modification
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
resource / yara_rule: 27 memory dumps of PID 3656 (behavioral2/memory/3656-*-0x00000000023C0000-0x000000000344D000-memory.dmp) matched the yara rule upx.
Drops file in Program Files directory 64 IoCs
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
64 file created / file opened for modification events under C:\Program Files (x86)\Java Web Start\ (including javaws.exe, uncrunch.exe, helper.exe, splash.exe, javaws.out, javaws.cfg, cacerts and the resources\ and Readme_*.html files) and under C:\PROGRAM FILES\7-ZIP\ (7zG.exe, 7zFM.exe).
Drops file in Windows directory 1 IoCs
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- File opened for modification: C:\Windows\SYSTEM.INI

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (uncrunch.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe)
Modifies registry class 12 IoCs
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\ = "&Launch"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file\Extension = ".jnlp"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\Content Type = "application/x-java-jnlp-file"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\ = "JNLP File"
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\EditFlags = 00000100
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Java Web Start\\javaws.exe\" \"%1\""
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\ = "JNLPFile"
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid / Process
- 3656: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- 3656: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- 3656: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- 3656: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process: PID 3656 (864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe) enabled Token: SeShutdownPrivilege once, then Token: SeDebugPrivilege repeatedly (64 IoCs in total).
Suspicious use of WriteProcessMemory 37 IoCs
description / pid / Process / procid_target: PID 3656 (864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe) wrote to the memory of each of the other processes listed in the process tree below, including the dropped uncrunch.exe (PID 4056); 37 IoCs in total.
System policy modification 1 TTPs 1 IoCs
description / ioc; Process: 864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Each entry: [tree depth] image path | command line | PID, with triggered signatures nested underneath.
- [1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
- [1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:800
- [1] C:\Windows\system32\dwm.exe | "dwm.exe" | PID:64
- [1] C:\Windows\system32\sihost.exe | sihost.exe | PID:3084
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:3100
- [1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3156
- [1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3396
  - [2] C:\Users\Admin\AppData\Local\Temp\864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe | "C:\Users\Admin\AppData\Local\Temp\864002315e536661b854caf916935ded11148990dc160834b0a306c73485c955N.exe" | PID:3656
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [3] C:\Program Files (x86)\Java Web Start\uncrunch.exe | "C:\Program Files (x86)\Java Web Start\uncrunch.exe" "C:\Program Files (x86)\Java Web Start\javaws.out" "C:\Program Files (x86)\Java Web Start\javaws.jar" | PID:4056
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3556
- [1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3736
- [1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3836
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3900
- [1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4000
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4188
- [1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3176
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3860
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4316
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1828
- [1] C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4500
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (4)
Downloads
- Filesize: 340KB
  MD5: b44586e06b73e3c9aa4e03d0517225fd
  SHA1: 57038f438966a2889c87e136a3fa8bf1e1cbee64
  SHA256: 80c4215dad1a411237f4e6ec53a51f7bda07d744beccb7c490e9702ea44b787e
  SHA512: 5bec71e59e5cbfef912425c1b5ba32da97f603bc6c1a084d6c5820baabc1334abc3c04051921dca06e01734ec34839dc1f1a3de999237d4884aa2511618bbc9f
- Filesize: 52KB
  MD5: bb488dd0f9e0d4a6bc1e8cddecb31227
  SHA1: 2f71db39cc0d6857f52a18c3029d2a4b081cecf4
  SHA256: d6a78dc91cf90f67ef1f17704a7a22bb2312ee52c4b14bd6e3fae3c7af9a9b82
  SHA512: 481b0f97fa17ca3aac8f9518e6210985f2215d992ebf34e8047c0fa82f74b87adcc9c46799d4270a851380d4b77570d23661d63f89b5f99b2cf25a7ba6b082b5