Analysis
max time kernel: 118s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2024, 04:22

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe
  Resource: win7-20241023-en
(The task list is cut off here. The memory-dump IoCs below are tagged behavioral2, i.e. the Windows 10 run described by the Analysis block above, not behavioral1 on the Windows 7 image.)
General
Target: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe
Size: 65KB
MD5: bec6a5b8ea8f723e7797ea14dd52a9e1
SHA1: 0bf16f03a2579afb32ee74a80ca920127f02c006
SHA256: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51
SHA512: 7dac5d34de532191b6bf3f0de62ec9270ebf94d327ba49f203ccd4b18e62bad43c57f9befd8c0e1aec4b156496a87f18e25116b4558dde6418d62b750db3262a
SSDEEP: 1536:gtxU/x4aiGRNEUmB6RfG5GxsB7/caVX9SjBGs1vLT10cUmuO2fG8r:gto4aV/mBi+MGS+S9DxuPmuBG8r
Malware Config
Extracted family: sality
URLs from the extracted configuration:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process for every row: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family

The headings of the next four tables are missing from the extracted page; they are restored here from the signature list the Processes section attaches to PID 2492, in the same order. Process for every row: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe

UAC bypass
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"

Windows security modification
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Checks whether UAC is enabled
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process for every row: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe
File opened (read-only) on each of \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 drive letters; A:, B:, C:, D: and F: are not in this list, although F: receives an autorun.inf in the next signature).
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process for every row: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe
File opened for modification C:\autorun.inf
File opened for modification F:\autorun.inf
YARA rule "upx" matched in memory (39 IoCs; the signature heading itself is missing from the extracted page)
Every match is the same region of the sample's process, behavioral2/memory/2492-N-0x0000000000870000-0x000000000192A000-memory.dmp, for N in 1, 3, 4, 5, 6, 11, 15, 17, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 32, 34, 36, 37, 40, 42, 45, 47, 54, 56, 58, 60, 62, 64, 67, 68, 69, 71, 74, 78.
The region is 0x10BA000 bytes (about 17 MB) for a file that is 65KB on disk, which is consistent with a packed executable that reserves a large virtual section and unpacks into it; the dumps are of that in-memory image, not of the file.
Drops file in Program Files directory (11 IoCs)
Process for every row: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
File opened for modification C:\Program Files\7-Zip\7z.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Editor's note: every path here is an existing executable opened for writing, not a new file (the 7-Zip binaries and the Office Click-to-Run helpers under Common Files). That is consistent with Sality's behaviour as a PE file infector, so the signature name understates the impact: treat every .exe the process could reach, including those on the F: drive that received an autorun.inf, as possibly infected, and remediate by reinstalling from known-good media rather than by removing the sample alone.
Drops file in Windows directory (2 IoCs)
Process for every row: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe
File created C:\Windows\e57b371
File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe)

Modifies registry class (1 IoCs)
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings (process: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid 2492, process 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe; the report lists this same row 24 times.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, pid 2492, process 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe; the report lists this same row 64 times.
Enabling SeDebugPrivilege is what lets the (already elevated) sample open processes running under other accounts, such as dwm.exe and fontdrvhost.exe, with write access; the WriteProcessMemory table below shows where it used that.
Suspicious use of WriteProcessMemory (64 IoCs)
Source of every write: PID 2492, 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe. The 64 rows are the 15 targets below written in repeated passes: four full passes in the order listed, then 764, 768, 384 and 2572 once more. The procid_target column is the report's internal index for the target process (it is not a Windows PID); the image column is looked up from the Processes section.
target PID / procid_target / image
764 / 8 / fontdrvhost.exe
768 / 9 / fontdrvhost.exe
384 / 13 / dwm.exe
2572 / 44 / sihost.exe
2588 / 45 / svchost.exe (-k UnistackSvcGroup -s CDPUserSvc)
2736 / 47 / taskhostw.exe
3352 / 55 / Explorer.EXE (the sample's parent process)
3644 / 57 / svchost.exe (-k ClipboardSvcGroup -p -s cbdhsvc)
3844 / 58 / DllHost.exe
3940 / 59 / StartMenuExperienceHost.exe
4004 / 60 / RuntimeBroker.exe
2940 / 61 / SearchApp.exe
4276 / 62 / RuntimeBroker.exe
4576 / 64 / RuntimeBroker.exe
2448 / 76 / TextInputHost.exe
Every process in the tree other than the sample itself is on this list: the sample wrote into all of them, including its own parent.
System policy modification (1 TTPs, 1 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe)
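The registry and file rows from the signature tables above, normalised by an added Python example (this is not code from the sandbox or from the report). It parses rows in the exact text form the report prints them, collapses a write that the page lists under several signatures into one entry, rates each write against a baseline of which data weakens the host, and extracts the file paths worth sweeping other hosts for. The rows are constructed input copied from this page with the placeholder "@sample@" standing for the process column; the baseline in WEAKENING and the ATT&CK mapping are the editor's assumptions, not something the report states.

```python
"""Normalise this report's flattened signature rows into structured IoCs and rate the
registry writes against a baseline of security-relevant values (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = "0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe"

# Constructed input copied from the page, one row per line; "@sample@" stands for the process
# column. A write listed under several signatures on the page is listed more than once here too.
ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" @sample@
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" @sample@
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" @sample@
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" @sample@
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" @sample@
File opened for modification C:\autorun.inf @sample@
File opened for modification F:\autorun.inf @sample@
File opened (read-only) \??\K: @sample@
File created C:\Windows\e57b371 @sample@
File opened for modification C:\Windows\SYSTEM.INI @sample@
""".replace("@sample@", SAMPLE)


@dataclass(frozen=True)
class Ioc:
    kind: str        # "reg_set", "reg_key_created", "reg_key_opened" or "file"
    path: str        # registry key or file path
    name: str = ""   # value name (reg_set) or file action (file)
    data: str = ""   # value data (reg_set)
    process: str = ""


REG_SET = re.compile(r'^Set value \(\w+\) (\\REGISTRY\\.+)\\([^\\]+) = "([^"]*)" (\S+)$')
REG_KEY = re.compile(r"^Key (created|opened) (\\REGISTRY\\.+) (\S+)$")
FILE_OP = re.compile(r"^File (created|opened for modification|opened \(read-only\)) (.+) (\S+)$")

# Editor's baseline (an assumption, not from the report): (key suffix, value name) -> (data that
# weakens the host, ATT&CK technique). A value not listed here gets no verdict, only T1112.
FW = "T1562.004 Disable or Modify System Firewall"
TOOLS = "T1562.001 Disable or Modify Tools"
UAC = "T1548.002 Bypass User Account Control"
UNBASELINED = "T1112 Modify Registry (no baseline for this value)"
STD, SC = r"FirewallPolicy\StandardProfile", r"Microsoft\Security Center"
WEAKENING = {(STD, "EnableFirewall"): ("0", FW), (STD, "DisableNotifications"): ("1", FW),
             (r"Policies\System", "EnableLUA"): ("0", UAC)}
for _name in ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
              "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify"):
    WEAKENING[(SC, _name)] = ("1", TOOLS)


def parse_rows(text: str) -> list[Ioc]:
    """One Ioc per non-empty line; a row of unknown shape is an error, not silently skipped."""
    iocs: list[Ioc] = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := REG_SET.match(line):
            key, name, data, proc = m.groups()
            iocs.append(Ioc("reg_set", key, name, data, proc))
        elif m := REG_KEY.match(line):
            action, key, proc = m.groups()
            iocs.append(Ioc(f"reg_key_{action}", key, process=proc))
        elif m := FILE_OP.match(line):
            action, path, proc = m.groups()
            iocs.append(Ioc("file", path, name=action, process=proc))
        else:
            raise ValueError(f"unrecognised row: {line}")
    return iocs


def unique_registry_writes(iocs: list[Ioc]) -> list[Ioc]:
    """Collapse per-signature duplicates to one entry per (key, value name, data), in order."""
    seen: set[tuple[str, str, str]] = set()
    out: list[Ioc] = []
    for i in iocs:
        if i.kind == "reg_set" and (i.path, i.name, i.data) not in seen:
            seen.add((i.path, i.name, i.data))
            out.append(i)
    return out


def classify(iocs: list[Ioc]) -> dict[str, list[Ioc]]:
    """Group the unique writes by technique; a value with no baseline lands under T1112."""
    groups: dict[str, list[Ioc]] = {}
    for w in unique_registry_writes(iocs):
        technique = UNBASELINED
        for (suffix, name), (bad, tech) in WEAKENING.items():
            if w.name == name and w.data == bad and w.path.endswith(suffix):
                technique = tech
                break
        groups.setdefault(technique, []).append(w)
    return groups


def file_indicators(iocs: list[Ioc]) -> list[str]:
    """Files created or modified (the read-only opens of drive roots are enumeration, not artefacts)."""
    return sorted({i.path for i in iocs if i.kind == "file" and i.name != "opened (read-only)"})
```

Run against these rows, the eleven registry writes collapse to ten distinct ones: two firewall-profile changes, one UAC change, six Security Center overrides, and DoNotAllowExceptions, which is left unrated because "0" is also its default. Anchoring the match on the key suffix as well as the value name keeps, for example, an unrelated EnableFirewall value under a different key from being scored.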
Processes
Indentation shows the depth the report drew: one top level, and the sample as a child of Explorer.EXE. Every top-level PID here (764, 768, 384, 2572, 2588, 2736, 3352, 3644, 3844, 3940, 4004, 2940, 4276, 4576, 2448) is also a target in the "Suspicious use of WriteProcessMemory" table above: these are session processes that already existed and that the sample wrote into, not processes it started. The only parent/child relation in the tree is Explorer.EXE (PID 3352) launching the sample.

PID / image / command line
PID 764    C:\Windows\system32\fontdrvhost.exe    "fontdrvhost.exe"
PID 768    C:\Windows\system32\fontdrvhost.exe    "fontdrvhost.exe"
PID 384    C:\Windows\system32\dwm.exe    "dwm.exe"
PID 2572   C:\Windows\system32\sihost.exe    sihost.exe
PID 2588   C:\Windows\system32\svchost.exe    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2736   C:\Windows\system32\taskhostw.exe    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3352   C:\Windows\Explorer.EXE    C:\Windows\Explorer.EXE
    PID 2492   C:\Users\Admin\AppData\Local\Temp\0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe    "C:\Users\Admin\AppData\Local\Temp\0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
PID 3644   C:\Windows\system32\svchost.exe    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3844   C:\Windows\system32\DllHost.exe    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3940   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4004   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2940   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4276   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4576   C:\Windows\System32\RuntimeBroker.exe    C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2448   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
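The WriteProcessMemory rows and the Processes section, joined by an added Python example (this is not code from the sandbox or from the report) so that each target PID gets an image name and a write count; it also derives the sample's parent from the depth markers in the tree and checks whether any process in the tree was left untouched. The tree lines are constructed input copied from this page in the fused form the extraction produced (the sample's own entry, which the page spreads over several lines, is collapsed onto one line, and "@sample@" stands for its file name); only the first 18 of the 64 write rows are reproduced, since the rest repeat the same fifteen targets.

```python
"""Join this report's WriteProcessMemory rows with its Processes section so every injection
target gets a name, a write count and its place in the tree (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "0504a0ac58263ef77ee466d7d787d3fe225cbe2f362e29aacefa961b7a431b51.exe"

# Constructed input copied from the page's Processes section in the fused form shown there
# (image path, command line, depth digit, arrow, PID); the sample's entry is collapsed onto
# one line and "@sample@" stands for its file name.
TREE = r"""
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:764
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:768
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:384
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2572
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2588
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2736
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3352
C:\Users\Admin\AppData\Local\Temp\@sample@"C:\Users\Admin\AppData\Local\Temp\@sample@"2⤵PID:2492
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3644
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3844
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3940
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4004
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2940
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4276
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4576
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2448
""".replace("@sample@", SAMPLE)

# The first 18 of the 64 WriteProcessMemory rows as (target PID, procid_target); the remaining
# rows on the page repeat the same fifteen targets. Rendered run together, as the page does.
FIRST_ROWS = [(764, 8), (768, 9), (384, 13), (2572, 44), (2588, 45), (2736, 47), (3352, 55),
              (3644, 57), (3844, 58), (3940, 59), (4004, 60), (2940, 61), (4276, 62),
              (4576, 64), (2448, 76), (764, 8), (768, 9), (384, 13)]
WPM_ROWS = " ".join(f"PID 2492 wrote to memory of {t} 2492 {SAMPLE} {i}" for t, i in FIRST_ROWS)

# Depth is the single digit before the arrow; the command line is whatever sits between the
# image path (up to the first ".exe"/".EXE") and that digit.
ENTRY = re.compile(r"^(?P<image>.+?\.(?:exe|EXE))(?P<cmdline>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$")
WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    parent: int | None   # nearest preceding entry one level up, as the tree is drawn


@dataclass(frozen=True)
class Write:
    source: int
    target: int
    procid_target: int   # the report's own index for the target process, not a Windows PID


def parse_tree(text: str) -> dict[int, Proc]:
    procs: dict[int, Proc] = {}
    last_at_depth: dict[int, int] = {}
    for line in text.strip().splitlines():
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised tree line: {line}")
        depth = int(m["depth"])
        proc = Proc(int(m["pid"]), m["image"], m["cmdline"], depth, last_at_depth.get(depth - 1))
        procs[proc.pid] = proc
        last_at_depth[depth] = proc.pid
    return procs


def parse_writes(text: str) -> list[Write]:
    """findall() copes with rows that are run together on one line or split across lines."""
    return [Write(int(src), int(dst), int(idx)) for src, dst, _, _, idx in WRITE.findall(text)]


def injection_targets(tree: dict[int, Proc], writes: list[Write]) -> dict[int, dict]:
    """Per target PID: image basename, write count, and whether it is the writer's parent."""
    sources = {w.source for w in writes}
    if len(sources) != 1:
        raise ValueError(f"expected a single writing process, got {sorted(sources)}")
    source = sources.pop()
    parent = tree[source].parent if source in tree else None
    out: dict[int, dict] = {}
    for target, n in Counter(w.target for w in writes).items():
        proc = tree.get(target)
        out[target] = {"image": proc.image.rsplit("\\", 1)[-1] if proc else "(not in tree)",
                       "writes": n, "is_parent": target == parent}
    return out


def untouched(tree: dict[int, Proc], writes: list[Write]) -> set[int]:
    """Tree PIDs, other than the writer itself, that received no write."""
    written = {w.target for w in writes}
    return {pid for pid in tree if pid not in written and pid != writes[0].source}
```

The join shows what the raw rows hide: the fifteen targets are exactly the other fifteen processes in the tree, the sample's parent Explorer.EXE among them, and untouched() comes back empty. Parsing the depth from the fused lines also recovers the one parent/child relation in the tree (Explorer.EXE to PID 2492) without relying on the indentation the page lost.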
Network
MITRE ATT&CK Enterprise v15 (the number after each entry is the count the report attached to it)

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
One file; the report gives no filename or origin URL for it.
Filesize: 97KB
MD5: fbc7f36324c44288c9655048abbaaa0e
SHA1: 7deb30dc992a677bb737a1789fab94d5ef7f476b
SHA256: 9d369c825c82eb3b554cc9b665575617d16786d0e6aa3c36a7e867161f65a5f5
SHA512: db8ac21529099d970b82d0fd3214acc87c2a267c4453904298e456c9bcbc6b5f93f704026ab7d017e7870efb75cfb0999078637ab0b42d38638d78115fb796a9